Friday, November 6, 2015

Cisco ASA: Capture ASP-DROP Command

There are times when you just have to take advantage of the troubleshooting tools these vendors put out. Cisco has a handy CLI command on the ASA that I like when I just can't seem to spot the config problem with my eyes: the capture command below, with the capture type set to asp-drop. I used it when trying to troubleshoot why I couldn't get packets across the VPN. I could see the packet on the interface in a packet capture, but on the way back it was getting dropped. How did I know that? First, my packet capture on the inside interface of the ASA showed the packet. I also saw the packet coming back on the inside interface. But it turned out an ACL was dropping it, as shown below. Once I saw this, I immediately took off the ACL (to test) and the packets went through the VPN just fine after that. Then I modified the ACL to resolve the issue.

ASA# capture asp-drop type asp-drop acl-drop
ASA# show capture asp-drop

32 packets captured
...
  27: 14:05:42.770162 802.1Q vlan#15 P0 10.10.15.25 > 10.10.50.127: icmp: echo reply Drop-reason: (acl-drop) Flow is denied by configured rule
  ...
32 packets shown
ASA#
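On a busy firewall an asp-drop capture fills up with hundreds of lines, and the useful question is "which flows are being dropped, and for which reason?" The following Python script is an added example, not code from the original post or from Cisco: it parses constructed sample lines written in the same format as the `show capture asp-drop` output above (the sample IPs, ports, the TCP lines and the `tcp-not-syn` entry are made up for illustration) and groups the dropped packets by drop reason and flow.

```python
import re
from collections import Counter

# Constructed sample of `show capture <name>` output, modelled on the single
# line shown in the post. Not a real capture; the TCP lines and the
# tcp-not-syn entry were added to exercise the port and reason handling.
SAMPLE_CAPTURE = """\
4 packets captured
   1: 14:05:41.120001 802.1Q vlan#15 P0 10.10.15.25 > 10.10.50.127: icmp: echo reply Drop-reason: (acl-drop) Flow is denied by configured rule
   2: 14:05:42.770162 802.1Q vlan#15 P0 10.10.15.25 > 10.10.50.127: icmp: echo reply Drop-reason: (acl-drop) Flow is denied by configured rule
   3: 14:05:43.001337 802.1Q vlan#15 P0 10.10.15.30.443 > 10.10.50.127.51234: S 1000:1000(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
   4: 14:05:43.200000 802.1Q vlan#15 P0 10.10.50.127.51235 > 10.10.15.30.443: . ack 1 win 8192 Drop-reason: (tcp-not-syn) First TCP packet not SYN
4 packets shown
"""

# One capture line: sequence number, timestamp, optional 802.1Q tag,
# src[.port] > dst[.port]: <protocol body> Drop-reason: (<code>) <text>
LINE_RE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#(?P<vlan>\d+)\s+P\d+\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+"
    r"(?P<body>.*?)\s+Drop-reason:\s+\((?P<reason>[^)]+)\)\s*(?P<desc>[^,]*)"
)


def _proto(body, sport):
    """Guess the L4 protocol from the decoded body (icmp/udp are named, TCP is not)."""
    if body.startswith("icmp"):
        return "icmp"
    if body.startswith("udp"):
        return "udp"
    return "tcp" if sport is not None else "other"


def parse_capture(text):
    """Parse `show capture` output into a list of dropped-packet records.

    Header/trailer lines ("N packets captured/shown") and any line without a
    Drop-reason are skipped, so a mixed or truncated paste is tolerated.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        sport = int(d["sport"]) if d["sport"] else None
        records.append({
            "seq": int(d["seq"]),
            "time": d["time"],
            "vlan": int(d["vlan"]) if d["vlan"] else None,
            "src": d["src"], "sport": sport,
            "dst": d["dst"], "dport": int(d["dport"]) if d["dport"] else None,
            "proto": _proto(d["body"], sport),
            "reason": d["reason"],
            "desc": d["desc"].strip(),
        })
    return records


def flow_key(r):
    """Render a record as 'proto src[:sport] -> dst[:dport]' for grouping."""
    src = r["src"] + (f":{r['sport']}" if r["sport"] is not None else "")
    dst = r["dst"] + (f":{r['dport']}" if r["dport"] is not None else "")
    return f"{r['proto']} {src} -> {dst}"


def summarize(records):
    """Group drops by reason code, then by flow.

    Returns {reason: {"desc": str, "packets": int, "flows": Counter}}.
    """
    summary = {}
    for r in records:
        entry = summary.setdefault(
            r["reason"], {"desc": r["desc"], "packets": 0, "flows": Counter()})
        entry["packets"] += 1
        entry["flows"][flow_key(r)] += 1
    return summary


def top_flows(records, reason, n=5):
    """Most frequently dropped flows for one reason code, e.g. 'acl-drop'."""
    entry = summarize(records).get(reason)
    return entry["flows"].most_common(n) if entry else []


if __name__ == "__main__":
    for reason, entry in summarize(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{reason} ({entry['desc']}): {entry['packets']} packet(s)")
        for flow, count in entry["flows"].most_common():
            print(f"    {count:4d}  {flow}")
```

Paste the output of `show capture <name>` into a file and feed it to `parse_capture`; the `acl-drop` group then points straight at the ACL entry to inspect. On the ASA itself, `capture <name> type asp-drop <reason>` limits the buffer to that one drop reason, so when you do not yet know which reason applies, run it without the reason keyword (or with `all`) to see everything the accelerated security path is discarding, and remove the capture with `no capture <name>` once you are done so it stops consuming buffer on the box.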
