619 Views, 0 Helpful, 4 Replies

packet-trace Explanation

stoneystone, Level 1

I'm having an issue with a firewall VPN tunnel. I ran a packet-tracer and attached the results.

The attached file shows a failed delivery from a host. I have run some with a successful delivery, on the same network, with a different host; everything is the same, but the host is different. That is the problem I am troubleshooting.

What I need is more information on the packet-trace command results when it's not obvious why there is a 'deny'. I ran some packet-trace commands and it gave a more exact reason for failure, such as a specific ACL. When that happened, it was easy to solve the problem.

However, the output I've attached here isn't so obvious.

Anyway, I would appreciate any help or direction to help me understand the output.

Thanks

4 Replies

Yudong Wu, Level 7

By default, the outside interface will drop any incoming packet if it is not permitted by the ACL applied on it.

Do you have any ACL applied on outside interface?

If yes, will it permit the traffic which is traced by packet-trace?

Thanks for taking the time to look at this.

I'm initiating the request from the inside, going out the outside interface. I do not have an ACL blocking the traffic leaving. I have an ACL on the firewall directly forward of the destination, but I'm not getting that far in this packet-trace.

I would like some help on translating the information this command sends back.

I have ACLs on the outside interface, but they allow traffic to pass.

I am troubleshooting traffic passing via the VPN. Because of this part of the packet-tracer output, 'Additional Information: in 0.0.0.0 0.0.0.0 outside', would I be correct in saying this traffic is going through the default gateway, not the VPN?

Also, in 'Phase 3 - Additional Information:', what does this information tell me?

Thanks for taking the time to help.

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd66bec70, priority=111, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

The additional info in phase 2 just tells you that the packet will be routed to the outside interface. It is not related to whether the packet will go into your VPN tunnel.

The additional info in phase 3 tells you that the packet is dropped by the implicit rule, which is "deny ip any any".

Can you provide your config file as well?
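The reply above reads the two phases by eye: phase 2 is the route lookup, phase 3 is the ACCESS-LIST phase whose Config says "Implicit Rule" and whose rule line is the catch-all deny. As an added example (my own code, not Cisco tooling and not anything posted in this thread), here is a small Python parser that does the same mechanically: it splits packet-tracer output into phases, picks the first phase whose Result is DROP, pulls the key=value fields the ASA prints on the rule lines (id, priority, domain, deny, hits, flags, protocol, src/dst ip and mask) into a dict, and flags the exact case hit here, a Config of "Implicit Rule" with deny=true, protocol 0 and 0.0.0.0/0.0.0.0 for both source and destination. The sample trace inside is constructed: it repeats the two phases quoted in the thread and appends the closing "Result:" trailer (interfaces, Action, Drop-reason) that an ASA prints after the phases; the interface names there are placeholders, and the field meanings beyond what the thread states (what priority ranks, what hits counts) are not something the parser asserts.

```python
"""Added example for this thread (not Cisco code, not the poster's output): parse ASA
packet-tracer output and report the phase that dropped the packet. SAMPLE_TRACE is
constructed: it repeats the two phases quoted above and adds the "Result:" trailer an
ASA prints after the phases; the interface names and drop-reason there are illustrative."""
import re
from dataclasses import dataclass, field

SAMPLE_TRACE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd66bec70, priority=111, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)
TRAILER_RE = re.compile(r"^Result:\s*$", re.M)  # the bare "Result:" line starts the trailer
KV_RE = re.compile(r"(\w+)=([^,\s]+)")          # key=value pairs on the rule lines

@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"
    rule: dict = field(default_factory=dict)    # id/priority/domain/deny/hits/src_*/dst_*

def parse_trace(text):
    """Return (phases, trailer) for one packet-tracer run."""
    m = TRAILER_RE.search(text)
    body, tail = (text[: m.start()], text[m.end():]) if m else (text, "")
    trailer = {k.strip(): v.strip() for k, v in
               (line.split(":", 1) for line in tail.splitlines() if ":" in line)}
    parts = PHASE_RE.split(body)  # ['', '2', chunk, '3', chunk, ...]
    phases = []
    for number, chunk in zip(parts[1::2], parts[2::2]):
        ph, section = Phase(int(number)), None
        for line in filter(None, (raw.strip() for raw in chunk.splitlines())):
            if line.startswith("Type:"):
                ph.type = line[5:].strip()
            elif line.startswith("Result:"):
                ph.result = line[7:].strip()
            elif line == "Config:":
                section = ph.config
            elif line == "Additional Information:":
                section = ph.info
            elif section is not None:
                section.append(line)
                if section is ph.info and "=" in line:
                    # src and dst lines both carry ip/mask/port, so keep them apart by prefix
                    pre = "src_" if line.startswith("src ") else "dst_" if line.startswith("dst ") else ""
                    ph.rule.update((pre + k, v) for k, v in KV_RE.findall(line))
        phases.append(ph)
    return phases, trailer

def first_drop(phases):
    """The phase that killed the packet, or None when every phase said ALLOW."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)

def is_implicit_deny_any(phase):
    """The case in the thread: Config 'Implicit Rule', deny=true, protocol 0 (any), and
    0.0.0.0/0.0.0.0 for both src and dst, i.e. the catch-all 'deny ip any any'."""
    r = phase.rule
    return ("Implicit Rule" in phase.config and r.get("deny") == "true" and r.get("protocol") == "0"
            and all(r.get(k) == "0.0.0.0" for k in ("src_ip", "src_mask", "dst_ip", "dst_mask")))

def explain(text):
    """Which phase dropped the packet, on what Config, and whether it was the implicit deny."""
    phases, trailer = parse_trace(text)
    drop = first_drop(phases)
    if drop is None:
        return {"dropped": False, "action": trailer.get("Action")}
    return {"dropped": True, "phase": drop.number, "type": drop.type,
            "config": " ".join(drop.config) or "(none)",
            "priority": int(drop.rule.get("priority", -1)), "hits": int(drop.rule.get("hits", -1)),
            "implicit_deny_any": is_implicit_deny_any(drop),
            "drop_reason": trailer.get("Drop-reason")}
```

On the sample, explain() reports phase 3, type ACCESS-LIST, Config "Implicit Rule", priority 111, hits 8 and implicit_deny_any True, which is the non-obvious case the poster describes. In the easy case, where a named access-list entry did the dropping, the Config line carries that ACE text instead and the same dict hands it to you; the value of parsing it this way is that a DROP on the implicit rule with no ACE named means no configured entry matched at all, so the next thing to check is the ACL bound to the input interface and the interface the route lookup chose.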

Kuw2,

Thanks for the information. I actually solved the problem. However, I would like to learn/read more about the meaning of the information the packet-tracer command gives - such as:

Additional Information:
Forward Flow based lookup yields rule:
in id=0xd66bec70, priority=111, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

priority=111 ?

domain=permit, deny=true, hits=8, user_data=0x0 -- where does that info come from?

I suppose I'm just looking to learn more about the packet-tracer command. From what I see on Cisco's site and the Internet, there's not too much about this command. It seems like you can do a lot with it. It's helped me in the past, when it's obvious.
