Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Pack Trace output

Please check my pack trace outpu, when you get a Phase 3 issue, how can I keep doing  the troubleshooting.?

 

thansk

 

Phase: 1
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:       
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

You need to allow the traffic

You need to allow the traffic in the ACL thats assigned to the interface where the traffic is entering the ASA. The "Implicit Rule" is always used when no other rule matches.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
3 REPLIES
VIP Purple

You need to allow the traffic

You need to allow the traffic in the ACL thats assigned to the interface where the traffic is entering the ASA. The "Implicit Rule" is always used when no other rule matches.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

KarstenLook this output,

Karsten

Look this output, where should I create the acls? Thanks.

 

 

Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype: 
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   142.100.64.0    255.255.255.0   inside
              
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.18.3.23     255.255.255.255 outside

Phase: 5
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop  

VIP Purple

Always the interface where

Always the interface where the initial traffic enters the ASA. Seems to be the outside interface in your case.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
43
Views
5
Helpful
3
Replies