Cisco Support Community
New Member

rpf-check DROP on ASA 5520 -ver:9.1(2)

Hi ,

I am using an ASA 5520 running 9.1(2) and have configured a static PAT so that the internal server can be reached on the specified port from the public IP address 5.x.x.x. I am able to Telnet to the port (telnet 6.x.x.x 8100), but cannot access the server from 5.x.x.x, and packet-tracer reports the error rpf-check DROP.

[attached diagram: draw.jpg]

Static PAT config

object network object-10.10.10.1

host 10.10.10.1

nat (inside,outside) static 6.x.x.x service tcp 8100 8100

ACL

access-list inside_access_in extended permit tcp host 10.10.10.1 host 5.x.x.x eq 8100

access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

Packet-tracer

ASA-01/pri# packet-tracer input outside tcp 5.x.x.x 8100 10.10.10.1 8100 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.10.0.0       255.255.0.0     inside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100

Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74e10a38, priority=13, domain=permit, deny=false
        hits=56, user_data=0x6f4f9f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=5.x.x.x, mask=255.255.255.255, port=0, tag=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=8100, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x73269260, priority=0, domain=nat-per-session, deny=false
        hits=219318200, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74509710, priority=0, domain=inspect-ip-options, deny=true
        hits=90283841, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74c5ba38, priority=20, domain=lu, deny=false
        hits=10678572, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74e1d520, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=12671659, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network object-10.10.10.1

nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
Forward Flow based lookup yields rule:
out id=0x75ae3dd8, priority=6, domain=nat-reverse, deny=false
        hits=15, user_data=0x75ae3ef8, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=8100, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-01/pri# sh nat

4 (inside) to (outside) source static object-10.10.10.1 6.x.x.x   service tcp 8100 8100

    translate_hits = 0, untranslate_hits = 229

14 REPLIES
VIP Green

The packet tracer is showing a drop because you have defined the private IP of the server.  Change this to the NATed public IP of the server and you will get a correct output from the packet tracer.

--
Please remember to rate and select a correct answer

New Member

Hi Marius ,

Thank you for your assistance .

I used the NATed IP address in packet-tracer and the result is as below. The server team is still blaming the issue on the network. Is there any other option to find out whether the network is reaching the private IP address (5.x.x.x to 10.10.10.1)?

ASA-01/pri# packet-tracer input outside tcp 5.x.x.x 8100 6.x.x.x 8100

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network object-10.10.10.1

nat (inside,outside) static 6.x.x.x service tcp 8100 8100

Additional Information:
NAT divert to egress interface inside
Untranslate 6.x.x.x/8100 to 10.10.10.1/8100

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100

Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network object-10.10.10.1

nat (inside,outside) static 6.x.x.x service tcp 8100 8100

Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 216899202, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

VIP Green

As per the packet-tracer, traffic from 5.x.x.x to 6.x.x.x on port 8100 is permitted through the ASA.

VIP Green

Also issue the command show xlate 10.10.10.1 and make sure that the server is being NATed to the correct IP.

New Member

Thanks for the quick response.

ASA-01/pri# show xlate | inc 10.10.10.1

TCP PAT from inside:10.10.10.1 8100-8100 to outside:6.x.x.x 8100-8100

VIP Green

Everything looks to be OK from the ASA perspective, but run one more packet-tracer to be on the safe side:

packet-tracer input outside tcp 5.x.x.x 12345 6.x.x.x 8100 detailed

I am assuming this will be successful too, but just to be sure as most PCs will send a request using a random high port number.

New Member

ASA-01/pri# packet-tracer input outside tcp 5.x.x.x 12345 6.x.x.x 8100 detailed

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network object-10.10.10.1-1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
NAT divert to egress interface inside
Untranslate 6.x.x.x/8100 to 10.10.10.1/8100

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp host 5.x.x.x host 10.10.10.1 eq 8100
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x75463aa8, priority=13, domain=permit, deny=false
        hits=13, user_data=0x6f4fa280, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip/id=5.x.x.x, mask=255.255.255.255, port=0, tag=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=8100, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x73269260, priority=0, domain=nat-per-session, deny=false
        hits=219392514, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74509710, priority=0, domain=inspect-ip-options, deny=true
        hits=90342414, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74c5ba38, priority=20, domain=lu, deny=false
        hits=10688696, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x74e1d520, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=12684409, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network object-10.10.10.1
nat (inside,outside) static 6.x.x.x service tcp 8100 8100
Additional Information:
Forward Flow based lookup yields rule:
out id=0x762fc120, priority=6, domain=nat-reverse, deny=false
        hits=41, user_data=0x73130810, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=inside

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x73269260, priority=0, domain=nat-per-session, deny=false
        hits=219392516, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0x6d8d7620, priority=0, domain=inspect-ip-options, deny=true
        hits=143310603, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 216909225, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

VIP Green

From these outputs I would say the problem lies either with the server or between the ASA and the server. If they want you to give more proof, run a packet capture. You should see the packet enter the outside interface destined for 6.x.x.x port 8100 and leave the ASA inside interface destined for 10.10.10.1 port 8100. If you see return traffic enter the inside interface and leave the outside interface, then I would check with your ISP to see if they are blocking certain types of traffic.

But as I said, I doubt you will see the return traffic.

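The capture Marius describes, written out as an added example; this is not part of the original thread or of any poster's configuration. The interface names, the addresses 5.x.x.x, 6.x.x.x and 10.10.10.1 and port 8100 come from the thread; the capture names capout, capin and asp are assumptions, and the lines beginning with ! are explanatory comments. One point the thread shows but does not spell out: the first packet-tracer's Drop-reason line reads "(acl-drop) Flow is denied by configured rule", yet the phase that actually failed was NAT / rpf-check. A trace entered on the outside interface must target the mapped address 6.x.x.x, as the second trace does, because the reverse-path check compares the flow against the static NAT and a packet addressed to the real 10.10.10.1 from outside never matches it. The same applies to these captures: the outside capture must match the mapped address and the inside capture the real one.

```cisco
! Added example, not from the original thread. Capture names (capout, capin, asp)
! are assumptions; addresses, interfaces and port 8100 are taken from the thread.
!
! 1. Packets as they arrive on the outside interface, still addressed to the mapped IP.
!    "match" is bidirectional, so replies to 5.x.x.x are collected as well.
capture capout interface outside match tcp host 5.x.x.x host 6.x.x.x eq 8100
! 2. The same flow after un-NAT, as it leaves the inside interface for the real IP.
capture capin interface inside match tcp host 5.x.x.x host 10.10.10.1 eq 8100
! 3. Anything the ASA itself drops; the drop reason is printed next to each packet.
capture asp type asp-drop all
!
! Reproduce the connection from 5.x.x.x, then read the buffers.
show capture capout
show capture capin
show capture asp | include 10.10.10.1
show conn address 10.10.10.1 port 8100
!
! Remove the captures when finished; they consume memory and CPU on a busy unit.
no capture capout
no capture capin
no capture asp
```

What to expect: capout should show the SYN from 5.x.x.x (a random high source port, not 8100) to 6.x.x.x:8100, and capin should show the same SYN rewritten to 10.10.10.1:8100 with a matching entry in show conn. If capin contains the SYN but no SYN/ACK from 10.10.10.1, the ASA has done its part and the fault lies between the inside interface and the ACE VIP or the server, which is where this thread ended up. If a SYN/ACK does arrive on inside but never leaves outside, the asp capture names the reason the ASA discarded it.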
New Member

They are using an ACE load balancer for Servers and 10.10.10.1 is VIP for servers .

VIP Green

Then I would tell them that the packet is permitted through the ASA in both directions and that they should double check their config.

New Member

So there is nothing to do on the ACE, and it needs to be checked on the server side, right?

VIP Green (accepted solution)

I would think there is an issue with the server configuration, as long as the packet is reaching the server that is.

New Member

Thanks, Marius.

As you said, it was a server configuration issue.

VIP Green

Glad you got it sorted out
