12-26-2013 02:58 PM - edited 03-11-2019 08:22 PM
Hello,
I am trying to do a simple packet tracer on my ASA and this is what I am getting
ASA# packet-tracer input DMZ tcp 10.250.0.5 2234 10.250.0.6 22 xml
<Phase>
<id>1</id>
<type>ROUTE-LOOKUP</type>
<subtype>input</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
in 10.250.0.4 255.255.255.252 DMZ
</extra>
</Phase>
<Phase>
<id>2</id>
<type>ACCESS-LIST</type>
<subtype></subtype>
<result>DROP</result>
<config>
Implicit Rule
</config>
<extra>
</extra>
</Phase>
<result>
<input-interface>DMZ</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>DMZ</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
ASA#
The 10.250.0.6 device is a router directly connected to the DMZ interface 10.250.0.5.
However, I am getting the reason for the dropped packet as (Implicit Rule), which I can see is only on the global interface.
I am permitting ip any any on that same interface as well.
How can I make this work?
The reason for this is I need my ASA to authenticate with a TACACS server which is behind the 10.250.0.6 router.
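As an added example (not code from the thread or from Cisco), the Python below parses the XML form of the packet-tracer output quoted above and reports which phase dropped the flow and why. The sample input is the XML from the question, copied verbatim. Two details matter when reading such output: the ASA prints a flat sequence of <Phase> elements rather than a single-rooted document, and packet-tracer models a through-the-box flow, so a test sourced from the ASA's own interface address, as here, does not simulate the connection the ASA itself originates to a AAA server.

```python
"""Summarize ASA packet-tracer XML output: which phase dropped the flow and why."""
import xml.etree.ElementTree as ET

# Constructed sample input: the packet-tracer XML quoted in the question above.
SAMPLE_TRACE = """\
<Phase>
<id>1</id>
<type>ROUTE-LOOKUP</type>
<subtype>input</subtype>
<result>ALLOW</result>
<config>
</config>
<extra>
in 10.250.0.4 255.255.255.252 DMZ
</extra>
</Phase>
<Phase>
<id>2</id>
<type>ACCESS-LIST</type>
<subtype></subtype>
<result>DROP</result>
<config>
Implicit Rule
</config>
<extra>
</extra>
</Phase>
<result>
<input-interface>DMZ</input-interface>
<input-status>up</input-status>
<input-line-status>up</input-line-status>
<output-interface>DMZ</output-interface>
<output-status>up</output-status>
<output-line-status>up</output-line-status>
<action>drop</action>
<drop-reason>(acl-drop) Flow is denied by configured rule</drop-reason>
</result>
"""


def _text(elem, tag):
    """Stripped text of a child element, or "" when it is absent or empty."""
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def parse_packet_tracer(xml_text):
    """Parse `packet-tracer ... xml` output into a dict of phases plus the final verdict."""
    # The ASA emits a flat sequence of <Phase> elements followed by one <result>,
    # not a single-rooted document, so wrap it in a synthetic root before parsing.
    root = ET.fromstring("<trace>" + xml_text + "</trace>")
    phases = []
    for p in root.findall("Phase"):
        phase = {field: _text(p, field) for field in ("type", "subtype", "result", "config", "extra")}
        phase["id"] = int(_text(p, "id"))
        phases.append(phase)
    verdict = root.find("result")
    summary = {
        "phases": phases,
        # First phase that reported DROP is where the flow actually died.
        "drop_phase": next((p for p in phases if p["result"] == "DROP"), None),
    }
    for field in ("input-interface", "output-interface", "action", "drop-reason"):
        summary[field.replace("-", "_")] = _text(verdict, field) if verdict is not None else ""
    return summary


def explain(summary):
    """One-line reading of the trace in the terms a firewall admin would check next."""
    if summary["action"] != "drop":
        return f"allowed: {summary['input_interface']} -> {summary['output_interface']}"
    drop = summary["drop_phase"]
    where = f"phase {drop['id']} {drop['type']}" if drop else "final result"
    notes = [f"dropped at {where}: {summary['drop_reason']}"]
    if drop and drop["type"] == "ACCESS-LIST" and drop["config"] == "Implicit Rule":
        notes.append("no explicit ACE matched, so the implicit deny at the end of the ACL applied")
    if summary["input_interface"] == summary["output_interface"]:
        notes.append(f"flow would re-enter {summary['input_interface']} (hairpin), which the ASA "
                     "only permits with 'same-security-traffic permit intra-interface'")
    return "; ".join(notes)


if __name__ == "__main__":
    print(explain(parse_packet_tracer(SAMPLE_TRACE)))
```

Run it against any saved `packet-tracer ... xml` output; the hairpin note fires whenever the input and output interfaces in the verdict are the same, which is the case in the trace above.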
01-01-2014 07:28 AM
Go ahead and change it back to (DMZ). Can you enable debug for TACACS and post some of the debug?
01-01-2014 07:31 AM
You mean to enable TACACS debug on the ASA?
01-01-2014 07:32 AM
Yes, sorry.
01-01-2014 07:45 AM
Here is what I see:
%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user kzuko : Auth-server group BiHTac unreachable
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = kzuko
%ASA-6-611102: User authentication failed: Uname: kzuko
%ASA-6-611102: User authentication failed: Uname: kzuko
%ASA-6-315011: SSH session from 10.250.0.6 on interface DMZ for user "kzuko" disconnected by SSH server, reason: "Internal error" (0x00)
%ASA-6-302014: Teardown TCP connection 61690 for DMZ:10.250.0.6/54569 to identity:10.250.0.5/22 duration 0:00:07 bytes 1347 TCP FINs
01-01-2014 07:48 AM
Sorry, wrong log.
Here is the debug:
%ASA-6-302013: Built outbound TCP connection 61851 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/31091 (10.250.0.1/31091)
%ASA-6-110003: Routing failed to locate next hop for TCP from identity:10.250.0.1/31091 to inside:10.250.100.142/49
mk_pkt - type: 0x2, session_id: 315
mkpkt - authorize user: bihadmin
cmd=no
cmd-arg=logging cmd-arg=console Tacacs packet sent
%ASA-6-302014: Teardown TCP connection 61851 for inside:10.250.100.142/49 to identity:10.250.0.1/31091 duration 0:00:00 bytes 0 No valid adjacency
Sending TACACS Authorization message. Session id: 315, seq no:1
%ASA-6-302013: Built outbound TCP connection 61852 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/52801 (10.250.0.1/52801)
TACACS Request timed out
TACACS Session finished. Session id: 315, seq no: 1
mk_pkt - type: 0x2, session_id: 316
mkpkt - authorize user: bihadmin
cmd=no
%ASA-6-302014: Teardown TCP connection 61852 for inside:10.250.100.142/49 to identity:10.250.0.1/52801 duration 0:00:00 bytes 0 No valid adjacency
cmd-arg=logging cmd-arg=console Tacacs packet sent
Sending TACACS Authorization message. Session id: 316, seq no:1
%ASA-6-302013: Built outbound TCP connection 61853 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/28448 (10.250.0.1/28448)
TACACS Request timed out
TACACS Session finished. Session id: 316, seq no: 1
mk_pkt - type: 0x2, session_id: 317
mkpkt - authorize user: bihadmin
cmd=no
cmd-arg=logging %ASA-6-302014: Teardown TCP connection 61853 for inside:10.250.100.142/49 to identity:10.250.0.1/28448 duration 0:00:00 bytes 0 No valid adjacency
cmd-arg=console Tacacs packet sent
Sending TACACS Authorization message. Session id: 317, seq no:1
%ASA-2-113022: AAA Marking TACACS+ server 10.250.100.142 in aaa-server group BiHTac as FAILED
BIHASA(config)# TACACS Request timed out
TACACS Session finished. Session id: 317, seq no: 1
01-01-2014 07:58 AM
Big help, thanks.
%ASA-6-110003: Routing failed to locate next hop for TCP from identity:10.250.0.1/31091 to inside:10.250.100.142/49
Can you post another show route?
01-01-2014 08:03 AM
ASA(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 75.132.0.1 to network 0.0.0.0
D 192.168.250.0 255.255.255.248 [90/28416] via 10.250.0.2, 38:50:54, inside
D 10.250.100.128 255.255.255.128 [90/28416] via 10.250.0.6, 38:50:44, DMZ
D 10.250.100.0 255.255.255.128 [90/28416] via 10.250.0.2, 38:50:54, inside
D 10.250.1.1 255.255.255.255 [90/130816] via 10.250.0.6, 38:50:44, DMZ
C 10.250.0.0 255.255.255.252 is directly connected, inside
C 10.250.0.4 255.255.255.252 is directly connected, DMZ
C 75.132.0.0 255.255.192.0 is directly connected, outside
d* 0.0.0.0 0.0.0.0 [1/0] via 75.132.0.1, outside
01-01-2014 08:11 AM
The routing looks good. In your TACACS server, what IP is configured as the host? The ASA's DMZ address?
01-01-2014 08:13 AM
Can we try and put a host specific route in for the TACACS server?
route DMZ 10.250.100.142 255.255.255.255 10.250.0.6
Then check the debug log again.
01-01-2014 08:27 AM
OK, did that but still nothing.
I am also not seeing much in the debug.
sh debug tacacs
%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user bihadmin : Auth-server group BiHTac unreachable
debug tacacs session
ASA(config)# %ASA-7-111009: User 'bihadmin' executed cmd: show debug tacacs
I got debug tacacs and debug tacacs session running on logging console debugging
01-01-2014 08:46 AM
OK, I have noticed that these error logs come in very late. I got the error log below 5 min later:
%ASA-7-609001: Built local-host inside:10.250.100.142
%ASA-6-302013: Built outbound TCP connection 63066 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/6622 (10.250.0.1/6622)
%ASA-6-110003: Routing failed to locate next hop for TCP from identity:10.250.0.1/6622 to inside:10.250.100.142/49
mk_pkt - type: 0x2, session_id: 332
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=debug cmd-arg=tacacs Tacacs packet sent
%ASA-6-302014: Teardown TCP connection 63066 for inside:10.250.100.142/49 to identity:10.250.0.1/6622 duration 0:00:00 bytes 0 No valid adjacency
%ASA-7-609002: Teardown local-host inside:10.250.100.142 duration 0:00:00
Sending TACACS Authorization message. Session id: 332, seq no:1
%ASA-7-609001: Built local-host inside:10.250.100.142
%ASA-6-302013: Built outbound TCP connection 63067 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/46116 (10.250.0.1/46116)
TACACS Request timed out
TACACS Session finished. Session id: 332, seq no: 1
mk_pkt - type: 0x2, session_id: 333
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=debug %ASA-6-302014: Teardown TCP connection 63067 for inside:10.250.100.142/49 to identity:10.250.0.1/46116 duration 0:00:00 bytes 0 No valid adjacency
%ASA-7-609002: Teardown local-host inside:10.250.100.142 duration 0:00:00
cmd-arg=tacacs Tacacs packet sent
Sending TACACS Authorization message. Session id: 333, seq no:1
%ASA-7-609001: Built local-host inside:10.250.100.142
%ASA-6-302013: Built outbound TCP connection 63068 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/47263 (10.250.0.1/47263)
TACACS Request timed out
TACACS Session finished. Session id: 333, seq no: 1
mk_pkt - type: 0x2, session_id: 334
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=debug %ASA-6-302014: Teardown TCP connection 63068 for inside:10.250.100.142/49 to identity:10.250.0.1/47263 duration 0:00:00 bytes 0 No valid adjacency
%ASA-7-609002: Teardown local-host inside:10.250.100.142 duration 0:00:00
cmd-arg=tacacs Tacacs packet sent
Sending TACACS Authorization message. Session id: 334, seq no:1
%ASA-2-113022: AAA Marking TACACS+ server 10.250.100.142 in aaa-server group BiHTac as FAILED
debug tacacs session
TACACS Request timed out
%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user bihadmin : Auth-server group BiHTac unreachable
%ASA-7-111009: User 'bihadmin' executed cmd: show debug tacacs
BIHASA(config)# TACACS Session finished. Session id: 334, seq no: 1
%ASA-6-305012: Teardown dynamic UDP translation from inside:10.250.100.4/52561 to outside:75.1.1.1/52561 duration 0:00:31
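As an added example (not code from the thread or from Cisco), the Python below does the triage the replies in this thread do by hand, for the debug output in this post and the earlier one together with the `sh route` output posted above: it pulls the TACACS+ connection attempt out of the log, records which interface and source address the ASA used (`inside:` and `identity:10.250.0.1`), runs a longest-prefix lookup of the server address over the posted route table to find the interface the routes actually point at, and flags the mismatch alongside the "Routing failed to locate next hop", "No valid adjacency", server-marked-FAILED and LOCAL-fallback events. The route entries and log lines are copied from this thread; the next hops are left out of the route table because only the egress interface is needed here.

```python
"""Triage ASA TACACS+ debug output against the routing table: which interface the ASA
actually sourced the AAA connection from, which one the routes say it should use, and
whether the server ended up marked FAILED with a fallback to LOCAL authentication."""
import ipaddress
import re

# Constructed sample: routes copied from the `sh route` output posted in this thread,
# as (network, mask, egress interface); next hops are omitted since only the interface matters.
ROUTES = [
    ("192.168.250.0", "255.255.255.248", "inside"),
    ("10.250.100.128", "255.255.255.128", "DMZ"),
    ("10.250.100.0", "255.255.255.128", "inside"),
    ("10.250.1.1", "255.255.255.255", "DMZ"),
    ("10.250.0.0", "255.255.255.252", "inside"),
    ("10.250.0.4", "255.255.255.252", "DMZ"),
    ("75.132.0.0", "255.255.192.0", "outside"),
    ("0.0.0.0", "0.0.0.0", "outside"),
]

# Constructed sample: a subset of the debug/syslog lines posted above.
SAMPLE_LOG = """\
%ASA-7-609001: Built local-host inside:10.250.100.142
%ASA-6-302013: Built outbound TCP connection 63066 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/6622 (10.250.0.1/6622)
%ASA-6-110003: Routing failed to locate next hop for TCP from identity:10.250.0.1/6622 to inside:10.250.100.142/49
mk_pkt - type: 0x2, session_id: 332
mkpkt - authorize user: bihadmin
%ASA-6-302014: Teardown TCP connection 63066 for inside:10.250.100.142/49 to identity:10.250.0.1/6622 duration 0:00:00 bytes 0 No valid adjacency
Sending TACACS Authorization message. Session id: 332, seq no:1
TACACS Request timed out
%ASA-2-113022: AAA Marking TACACS+ server 10.250.100.142 in aaa-server group BiHTac as FAILED
%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user bihadmin : Auth-server group BiHTac unreachable
"""

CONN_RE = re.compile(
    r"Built outbound TCP connection \d+ for (?P<iface>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
    r" .*?to (?P<siface>[\w-]+):(?P<src>[\d.]+)/\d+")
FAILED_RE = re.compile(
    r"AAA Marking TACACS\+ server (?P<server>[\d.]+) in aaa-server group (?P<group>\S+) as FAILED")


def egress_interface(dst_ip, routes):
    """Longest-prefix match over the route table; returns the egress interface name or None."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, mask, iface in routes:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best[1] if best else None


def triage(log_text, routes):
    """Extract the AAA facts from the log and compare them with the route table."""
    f = {"server": None, "group": None, "used_interface": None, "source_ip": None,
         "source_subnet_interface": None, "expected_interface": None,
         "interface_mismatch": False, "routing_failures": 0, "no_adjacency_teardowns": 0,
         "marked_failed": False, "local_fallback": False, "notes": []}
    for line in log_text.splitlines():
        conn = CONN_RE.search(line)
        failed = FAILED_RE.search(line)
        if conn and conn.group("dport") == "49":  # TACACS+ runs over TCP/49
            f["server"], f["used_interface"], f["source_ip"] = conn.group("dst", "iface", "src")
        elif "Routing failed to locate next hop" in line:
            f["routing_failures"] += 1
        elif "No valid adjacency" in line:
            f["no_adjacency_teardowns"] += 1
        elif failed:
            f["marked_failed"] = True
            f["group"] = failed.group("group")
            f["server"] = f["server"] or failed.group("server")
        elif "Attempting AAA Fallback method LOCAL" in line:
            f["local_fallback"] = True
    if f["server"]:
        f["expected_interface"] = egress_interface(f["server"], routes)
    if f["source_ip"]:
        # Which connected subnet the ASA's chosen source address belongs to.
        f["source_subnet_interface"] = egress_interface(f["source_ip"], routes)
    if f["used_interface"] and f["expected_interface"] and f["used_interface"] != f["expected_interface"]:
        f["interface_mismatch"] = True
        f["notes"].append(
            f"AAA connection to {f['server']} was built on {f['used_interface']} from "
            f"{f['source_ip']} (a {f['source_subnet_interface']} address), but the route table "
            f"reaches that server via {f['expected_interface']}; check the interface named in "
            "the aaa-server host entry")
    if f["routing_failures"] or f["no_adjacency_teardowns"]:
        f["notes"].append("the ASA could not resolve a next hop on the interface it chose, "
                          "which is consistent with the wrong interface being used")
    if f["marked_failed"] and f["local_fallback"]:
        f["notes"].append(f"server group {f['group']} was marked FAILED and the request fell "
                          "back to LOCAL, so local credentials are what is being checked now")
    return f


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, ROUTES).items():
        print(f"{key}: {value}")
```

On the posted data the lookup resolves 10.250.100.142 to DMZ (via 10.250.100.128/25) while the log shows the connection built on inside from 10.250.0.1, which is exactly the discrepancy the replies above point at; the same script works on a saved `debug tacacs` capture plus a pasted `show route`.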
01-01-2014 08:53 AM
I have also noticed this:
%ASA-6-302013: Built outbound TCP connection 63066 for inside:10.250.100.142/49 (10.250.100.142/49) to identity:10.250.0.1/6622 (10.250.0.1/6622)
It mentions "inside"; the 10.250.100.142 is behind the DMZ.
OK... for some reason it didn't take my last commands when I was putting it back on to the DMZ.
Let's try the debug again.
01-01-2014 09:12 AM
Nothing, no debug logs this time when I try to connect.
01-01-2014 10:05 AM
Sometimes I see this:
mk_pkt - type: 0x2, session_id: 370
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief Tacacs packet sent
Sending TACACS Authorization message. Session id: 370, seq no:1
TACACS Request Timed out. Session id: 370, seq no:1
mk_pkt - type: 0x2, session_id: 371
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief Tacacs packet sent
Sending TACACS Authorization message. Session id: 371, seq no:1
TACACS Session finished. Session id: 370, seq no: 1
TACACS Request Timed out. Session id: 371, seq no:1
mk_pkt - type: 0x2, session_id: 372
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief Tacacs packet sent
Sending TACACS Authorization message. Session id: 372, seq no:1
TACACS Session finished. Session id: 371, seq no: 1
TACACS Request Timed out. Session id: 372, seq no:1
TACACS Session finished. Session id: 372, seq no: 1
mk_pkt - type: 0x2, session_id: 373
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief Tacacs packet sent
Sending TACACS Authorization message. Session id: 373, seq no:1
TACACS Request Timed out. Session id: 373, seq no:1
mk_pkt - type: 0x2, session_id: 374
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief Tacacs packet sent
Sending TACACS Authorization message. Session id: 374, seq no:1
TACACS Session finished. Session id: 373, seq no: 1
TACACS Request Timed out. Session id: 374, seq no:1
mk_pkt - type: 0x2, session_id: 375
mkpkt - authorize user: bihadmin
cmd=show
cmd-arg=access-list cmd-arg=DMZ_access_in cmd-arg=brief Tacacs packet sent
Sending TACACS Authorization message. Session id: 375, seq no:1
TACACS Session finished. Session id: 374, seq no: 1
TACACS Request Timed out. Session id: 375, seq no:1
TACACS Session finished. Session id: 375, seq no: 1
01-01-2014 02:31 PM
I saw that too and that's what made me think it could be a routing issue. Can you do another packet-tracer?
packet-tracer input DMZ udp 10.250.0.5 49 10.250.100.142 49 detail