01-08-2014 11:39 AM - edited 03-11-2019 08:26 PM
Hello:
I have an ASA 5510, and when I ran packet-tracer from dmz to outside I noticed that Phase 5 shows a drop with this error:
"(sp-security-failed) Slowpath security checks failed"
Could someone please tell me whether the NAT is sending traffic out, whether the setup is correct, and what that error means.
Thx,
HP
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) 63.64.244.xxx 172.16.10.174 netmask 255.255.255.255
match ip dmz host 172.16.10.174 outside any
static translation to 63.64.244.xxx
translate_hits = 8, untranslate_hits = 5102
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa72b4090, priority=5, domain=host, deny=false
hits=378, user_data=0xa72b3df8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.10.174, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
01-08-2014 12:02 PM
Hi,
Please post the exact "packet-tracer" command used.
Please also post the whole "packet-tracer" command output.
It may be that there is a problem with the actual format of your "packet-tracer" command.
- Jouni
01-08-2014 12:06 PM
Sorry about that, here you go:
UtilXVoIPFW# packet-tracer input dmz tcp 172.16.10.174 443 63.64.244.xxx aol detail
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 63.64.244.128 255.255.255.240 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa72997c8, priority=0, domain=permit-ip-option, deny=true
hits=640163, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
static (dmz,outside) 63.64.244.xxx 172.16.10.174 netmask 255.255.255.255
match ip dmz host 172.16.10.174 outside any
static translation to 63.64.244.xxx
translate_hits = 5, untranslate_hits = 5098
Additional Information:
Static translate 172.16.10.174/0 to 63.64.244.xxx/0 using netmask 255.255.255.255
Forward Flow based lookup yields rule:
in id=0xa72b3f90, priority=5, domain=nat, deny=false
hits=4, user_data=0xa72b3df8, cs_id=0x0, flags=0x0, protocol=0
src ip=172.16.10.174, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) 63.64.244.xxx 172.16.10.174 netmask 255.255.255.255
match ip dmz host 172.16.10.174 outside any
static translation to 63.64.244.xxx
translate_hits = 5, untranslate_hits = 5098
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa72b4090, priority=5, domain=host, deny=false
hits=372, user_data=0xa72b3df8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.10.174, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
01-08-2014 12:11 PM
Hi,
To me it looks like you are simulating a situation where the server on the "dmz" connects to itself using the public IP address used in the "static" command?
This is probably the reason the "packet-tracer" fails.
If your goal is to simulate outbound Internet traffic, then this command would do the trick:
packet-tracer input dmz tcp 172.16.10.174 12345 8.8.8.8 80
Essentially, the destination IP address can be almost anything, as long as, according to the ASA's routing table, it is located behind the "outside" interface. Naturally, your server should not connect to itself through the firewall, nor through the NAT IP address, so this should not be used as a destination.
Hope this helps
- Jouni
01-08-2014 12:35 PM
Indeed, that external IP is for a web site and I have already configured static NAT on the firewall, so it should work, correct?
access-list VoIP extended permit tcp any host 63.64.244.xxx eq https
static (dmz,outside) 63.64.244.xxx 172.16.10.174 netmask 255.255.255.255
Thx,
HP
01-08-2014 12:41 PM
Hi,
The NAT configuration looks like any basic Static NAT configuration that binds the public NAT IP address to the local IP address.
The question at the moment would be where is the ACL named "VoIP" attached?
Are you trying to allow traffic to this host/server on the DMZ from the external network? If so, then you should be allowing the traffic from the external network in an ACL that is attached to your "outside" interface.
You can check where ACLs have been attached with the command:
show run access-group
As I said, if you wanted to allow HTTPS to this host/server from the public/external network, then this ACL rule should be placed in the ACL that is attached to the "outside" interface.
Furthermore, if you wanted to test connectivity TO this server from the public/external network, you could use this "packet-tracer" command:
packet-tracer input outside tcp 8.8.8.8 12345 63.64.244.xxx 443
- Jouni
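As an added example (not code from the thread, from the poster or from Cisco), the following Python script parses the packet-tracer output posted above and applies the two points Jouni makes in his replies: it flags a trace whose destination is the source host's own static NAT address (the self-connection mistake in the original command), and it builds the outbound and inbound traces he recommends instead. Assumptions: the sample trace is a constructed, trimmed copy of the posted one with the redacted address kept literally as "63.64.244.xxx"; the command regex expects the `packet-tracer input <ifc> tcp|udp <src> <sport> <dst> <dport>` form used in the thread; the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` syntax is the one the thread shows; the probe address 8.8.8.8 and ports 12345/80/443 are taken from Jouni's suggested commands.

```python
import re
from dataclasses import dataclass, field

# Constructed from the posted command and trace (phases 1-3 and per-rule detail
# trimmed); the redacted public address is kept literally as "63.64.244.xxx".
PT_COMMAND = "packet-tracer input dmz tcp 172.16.10.174 443 63.64.244.xxx aol detail"
PT_OUTPUT = """\
Phase: 4
Type: NAT
Result: ALLOW
Config:
static (dmz,outside) 63.64.244.xxx 172.16.10.174 netmask 255.255.255.255
Additional Information:
Static translate 172.16.10.174/0 to 63.64.244.xxx/0 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (dmz,outside) 63.64.244.xxx 172.16.10.174 netmask 255.255.255.255
Additional Information:
Result:
input-interface: dmz
output-interface: outside
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
"""

# Assumed command shape: packet-tracer input <ifc> tcp|udp <src> <sport> <dst> <dport>
CMD_RE = re.compile(r"packet-tracer\s+input\s+(?P<ifc>\S+)\s+(?:tcp|udp)\s+"
                    r"(?P<src>\S+)\s+\S+\s+(?P<dst>\S+)\s+\S+")
# Pre-8.3 syntax as shown in the thread: static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"static\s+\((?P<real_ifc>[^,]+),(?P<mapped_ifc>[^)]+)\)\s+"
                       r"(?P<mapped>\S+)\s+(?P<real>\S+)")

@dataclass
class Phase:
    number: int
    ptype: str = ""
    subtype: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"

def parse_packet_tracer(text):
    """Return (phases, final); final is the trailing bare "Result:" block as a dict."""
    phases, final, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            cur, section = Phase(int(m.group(1))), None
            phases.append(cur)
            continue
        if line == "Result:":           # no value: the final verdict block starts here
            cur, section = None, "final"
            continue
        key, _, val = (s.strip() for s in line.partition(":"))
        if section == "final":
            final[key] = val
        elif cur is None:
            continue
        elif key in ("Type", "Subtype"):
            setattr(cur, {"Type": "ptype", "Subtype": "subtype"}[key], val)
        elif key in ("Config", "Additional Information"):
            section = key
        elif section == "Config":
            cur.config.append(line)
    return phases, final

def first_static(phases):
    """Match object for the first 'static (...)' line in any phase's Config, else None."""
    return next((m for ph in phases for cfg in ph.config
                 if (m := STATIC_RE.match(cfg))), None)

def diagnose(command, output):
    """Explain the verdict and flag a trace aimed at the source host's own mapped address."""
    phases, final = parse_packet_tracer(output)
    cmd, st, findings = CMD_RE.search(command), first_static(phases), []
    if cmd and st and cmd["src"] == st["real"] and cmd["dst"] == st["mapped"]:
        findings.append(f"destination {cmd['dst']} is the static NAT address of source "
                        f"{cmd['src']}: this simulates the host reaching itself through "
                        "its own public IP, not outbound Internet traffic")
    if final.get("Action") == "drop":
        findings.append("dropped: " + final.get("Drop-reason", "<no reason given>"))
    return findings

def suggested_tests(output, probe_ip="8.8.8.8", service_port=443):
    """The two traces recommended in the thread: outbound from the real host, inbound to the mapped IP."""
    st = first_static(parse_packet_tracer(output)[0])
    if st is None:
        return []
    return [f"packet-tracer input {st['real_ifc']} tcp {st['real']} 12345 {probe_ip} 80",
            f"packet-tracer input {st['mapped_ifc']} tcp {probe_ip} 12345 {st['mapped']} {service_port}"]

if __name__ == "__main__":
    print(*diagnose(PT_COMMAND, PT_OUTPUT), *suggested_tests(PT_OUTPUT), sep="\n")
```

Running it against the posted trace prints the self-NAT finding, the drop reason, and the two replacement commands; feeding it a trace from a real outbound test (a destination routed behind "outside") produces only the verdict line.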