
During VPN reconfiguration we ran into a quite big issue with VPN traffic not passing to the peer. Using packet-tracer we got the following debug:

Phase 1 to Phase 9 passed successfully. [...]

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: internal
input-status: up
input-line-status: up
output-interface: newiface
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

We have googled lot of docs, but nothing helped.

Jimmy Silver

1 Answer

Fortunately I'm already able to answer - I want to save someone else several hours and a lot of headache.

We had configured everything correctly - NAT, ACL, CACL, routes etc. But we had forgotten one crucial thing - this interface was new and IPsec was not enabled on that interface.

crypto ikev1 enable newiface

was the solution for our problem; after adding this command, everything (well, mostly) came up without problem. I haven't found this mentioned as a possible solution for (acl-drop) Flow is denied by configured rule, so I decided to share it with others.

Jimmy Silver
  • Ohh, that's an awful error message for the trace. Good find, thanks a lot for sharing! – Shane Madden Nov 27 '14 at 05:10
  • I'd like to link to my issue, which I think is likely more common: https://networkengineering.stackexchange.com/questions/57095/cannot-get-port-forward-working-on-asa-5505-drop-reason-acl-drop-flow-is-de/57222?noredirect=1#comment99633_57222 – SamAndrew81 Feb 28 '19 at 05:50
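A pre-flight check for the failure mode described in the answer, added here as an example and not part of the question, answer or comments above: it parses an ASA running-config excerpt, finds every interface that has a crypto map bound with `crypto map <name> interface <iface>`, works out which IKE versions that map's entries use, and reports interfaces that lack the matching `crypto ikev1 enable` / `crypto ikev2 enable` line. The config text, interface names, map names and peer addresses are constructed placeholders; treating a map entry with no explicit IKE version as IKEv1 is an assumption made for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed ASA running-config excerpt for illustration (not taken from the
# page). Interface names, map names, ACL names and peer addresses are
# placeholders; only the "outside" and "dmz" interfaces have IKE enabled.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif newiface
 security-level 0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
!
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto map OUTSIDE_MAP interface newiface
crypto map DMZ_MAP 10 match address DMZ_ACL
crypto map DMZ_MAP 10 set peer 198.51.100.20
crypto map DMZ_MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map DMZ_MAP interface dmz
crypto ikev1 enable outside
crypto ikev2 enable dmz
"""

# "crypto map <name> interface <iface>" binds a map to an interface.
MAP_BINDING_RE = re.compile(r"^crypto map (\S+) interface (\S+)\s*$", re.M)
# "crypto map <name> <seq> set ikev1 ..." / "set ikev2 ..." reveals the IKE
# version(s) a map's entries rely on.
MAP_VERSION_RE = re.compile(r"^crypto map (\S+) \d+ set (ikev1|ikev2) ", re.M)
# "crypto ikev1 enable <iface>" / "crypto ikev2 enable <iface>".
IKE_ENABLE_RE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)\s*$", re.M)


def find_missing_ike_enables(config: str) -> Dict[str, List[str]]:
    """Return {interface: [ike versions]} for every interface that has a
    crypto map bound but is missing the corresponding 'crypto ikevN enable'.

    An interface with a bound map but no IKE enabled is exactly the state the
    answer describes: packet-tracer reaches the VPN encrypt phase and drops
    the flow with an unhelpful acl-drop reason.
    """
    versions_by_map = defaultdict(set)
    for map_name, version in MAP_VERSION_RE.findall(config):
        versions_by_map[map_name].add(version)

    # Set of (version, interface) pairs that are explicitly enabled.
    enabled = set(IKE_ENABLE_RE.findall(config))

    missing: Dict[str, List[str]] = {}
    for map_name, iface in MAP_BINDING_RE.findall(config):
        # Assumption for this example: a map whose entries name no IKE
        # version (legacy 'set transform-set' syntax) is treated as IKEv1.
        needed = versions_by_map.get(map_name) or {"ikev1"}
        lacking = sorted(v for v in needed if (v, iface) not in enabled)
        if lacking:
            missing[iface] = sorted(set(missing.get(iface, [])) | set(lacking))
    return missing


def remediation_commands(config: str) -> List[str]:
    """Return the 'crypto ikevN enable <iface>' lines that would close each gap."""
    return [
        f"crypto {version} enable {iface}"
        for iface, versions in sorted(find_missing_ike_enables(config).items())
        for version in versions
    ]


if __name__ == "__main__":
    # Against the constructed config this prints: crypto ikev1 enable newiface
    for line in remediation_commands(SAMPLE_CONFIG) or ["no gaps found"]:
        print(line)
```

Run it against the output of `show running-config` saved to a file and it lists the `crypto ikevN enable` commands that are missing for each interface carrying a crypto map, which is the one-line fix the answer arrived at after several hours of looking at NAT and ACLs.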