Network technologies and trends

Mar 3 2017   9:30PM GMT

What is an error “Subtype:Encrypt Result:Drop” in Cisco ASA Firewalls?

Yasir Irfan

Tags: ACL, ASA, Cisco, Cisco ASA, DROP, firewall, Packet Tracer, Routers, Security, VPN, VPN Tunnel

After building a site-to-site VPN tunnel between a Cisco ASA and another firewall or router, the tunnel is often tested with the packet-tracer command on the ASA.

When running packet-tracer one may see the error “Subtype: encrypt Result: DROP”, as shown below:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The tunnel never comes up, and one might wonder what this error means.

The error was reported while we were trying to initiate traffic from source IP 192.168.1.1 to destination IP 172.16.1.1 on port 80. 192.168.1.1 is the local host, and it is source-NATed to 172.17.1.1 so that the real address is never disclosed to the remote end. This matters for the crypto ACL: the trace below shows the NAT phase (Phase 6) running before the VPN encrypt phase (Phase 10), so the ASA matches the translated packet against the interesting-traffic ACL. The local ACL must therefore permit 172.17.1.1 to 172.16.1.1, the post-NAT source, not 192.168.1.1, and the remote peer must mirror it as 172.16.1.1 to 172.17.1.1.

ITKE-FW01# packet-tracer input INSIDE tcp 192.168.1.1 80 172.16.1.1 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static obj-192.168.1.1 obj-172.17.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 172.16.1.1/80 to 172.16.1.1/80

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.1 using egress ifc  INSIDE

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit ip any any
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static obj-192.168.1.1 obj-172.17.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
Additional Information:
Static translate 192.168.1.1/80 to 172.17.1.1/80

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ITKE-FW01#
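A full packet-tracer transcript is long, and the fact that matters is which phase dropped the packet and why. The following Python script is an added example and is not part of the original post: it parses packet-tracer output into phases, reports the first phase whose Result is DROP together with the Drop-reason, and, for a VPN/encrypt drop, pulls the translated source address out of the preceding NAT phase so you know which address the local crypto ACL has to match. SAMPLE_TRACE is a condensed, constructed copy of the failing trace above; paste a full capture in its place.

```python
"""Find the phase at which a Cisco ASA packet-tracer run dropped the packet.
Added example, not part of the original post. SAMPLE_TRACE is a condensed,
constructed copy of the failing trace shown above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_TRACE = """\
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
Additional Information:
Static translate 192.168.1.1/80 to 172.17.1.1/80

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    info: List[str] = field(default_factory=list)   # "Additional Information:" lines


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: str = ""
    drop_reason: str = ""

    def first_drop(self) -> Optional[Phase]:
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)


_PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
_KV_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")


def parse_packet_tracer(text: str) -> Trace:
    trace = Trace()
    current: Optional[Phase] = None
    section: Optional[str] = None   # "config" or "info" while inside a phase
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _PHASE_RE.match(line)):
            current = Phase(number=int(m.group(1)))
            trace.phases.append(current)
            section = None
        elif line == "Result:":      # a bare "Result:" opens the trailing summary block
            current, section = None, None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif (m := _KV_RE.match(line)):
            key, val = m.group(1).lower(), m.group(2).strip()
            if key == "action":
                trace.action = val
            elif key == "drop-reason":
                trace.drop_reason = val
            elif current is not None:
                setattr(current, key, val)      # type / subtype / result of this phase
        elif current is not None and section == "info":
            current.info.append(line)
    return trace


def post_nat_source(trace: Trace) -> Optional[str]:
    """Translated source from a NAT phase ('Static translate A/p to B/p'); 'Untranslate' lines do not match."""
    for p in trace.phases:
        for line in p.info:
            if (m := re.match(r"\w+ translate \S+ to ([\d.]+)/", line)):
                return m.group(1)
    return None


def diagnose(trace: Trace) -> str:
    drop = trace.first_drop()
    if drop is None:
        return f"allow: action={trace.action}"
    msg = f"drop at phase {drop.number} {drop.type}/{drop.subtype}: {trace.drop_reason}"
    if drop.type.upper() == "VPN" and drop.subtype.lower() == "encrypt":
        msg += " -> check that the crypto map ACL is mirrored on both peers"
        if (src := post_nat_source(trace)):
            msg += f" and that the local ACL uses the post-NAT source {src}"
    return msg


if __name__ == "__main__":
    print(diagnose(parse_packet_tracer(SAMPLE_TRACE)))
```

The hint on the VPN/encrypt drop is derived from the trace itself: the NAT phase precedes the encrypt phase, so the address printed there is the one the crypto ACL will be matched against.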

This drop is reported when the interesting-traffic (crypto map) ACL is mismatched between the VPN endpoints. Each peer's ACL must be the mirror image of the other's: the local source and destination appear as the remote destination and source. These ACLs are the Phase 2 proxy IDs, so when they disagree the peer rejects the IPsec SA, no SA exists when the packet reaches the encrypt stage, and the packet is dropped. The same drop can also be seen if the trace is run before the tunnel has had time to negotiate, so confirm with show crypto ipsec sa whether an SA actually exists before changing configuration. Once the ACL is matched at both VPN endpoints, the packet-tracer output changes and the traffic is no longer dropped, as shown below.

ITKE-FW01# packet-tracer input INSIDE tcp 192.168.1.1 80 172.16.1.1 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static obj-192.168.1.1 obj-172.17.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 172.16.1.1/80 to 172.16.1.1/80

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.1 using egress ifc  INSIDE

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit ip any any
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static obj-192.168.1.1 obj-172.17.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
Additional Information:
Static translate 192.168.1.1/80 to 172.17.1.1/80

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static obj-192.168.1.1 obj-172.17.1.1 destination static obj-172.16.1.1 obj-172.16.1.1
Additional Information:

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 4466556, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
ITKE-FW01#

The key thing to check when “Subtype: encrypt Result: DROP” is reported is that the interesting-traffic ACL matches at both VPN endpoints, with the local ACL written for the post-NAT source address. By mirroring the ACL at both endpoints we were able to fix the issue.
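The check the post recommends, that the interesting-traffic ACL on each peer is the mirror image of the other, can be done mechanically from the two configurations before touching the tunnel. The script below is an added example, not code from the original post: it parses ASA-style entries (subnet masks) and IOS-style entries (wildcard masks) into normalised networks and lists every entry that is not mirrored on the other side. The ACL names VPN-TO-REMOTE and VPN-TO-ASA, the remote peer's lines and the extra 10.10.0.0/24 to 172.16.2.0/24 pair are constructed for illustration; 172.17.1.1 (the post-NAT source) and 172.16.1.1 are the addresses from the traces above. The "broken" ACL reproduces the mistake the NAT phase makes easy, using the pre-NAT 192.168.1.1 as the source.

```python
"""Check that the interesting-traffic (crypto map) ACLs of two IPsec peers mirror each other.
Added example, not code from the original post. ACL names, the remote peer's lines and
the 10.10.0.0/24 <-> 172.16.2.0/24 pair are constructed; 172.17.1.1 is the post-NAT
source and 172.16.1.1 the destination from the packet-tracer output above."""
import ipaddress
from typing import List, Set, Tuple

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]   # (proto, src, dst)

# ASA side, corrected: the source is the translated address 172.17.1.1, because the
# ASA applies NAT (Phase 6 in the trace) before the crypto map check (Phase 10).
ASA_CRYPTO_ACL = """
access-list VPN-TO-REMOTE extended permit ip host 172.17.1.1 host 172.16.1.1
access-list VPN-TO-REMOTE extended permit ip 10.10.0.0 255.255.255.0 172.16.2.0 255.255.255.0
"""

# ASA side as misconfigured: the pre-NAT 192.168.1.1 never matches what the peer
# expects, so no SA is negotiated and the encrypt phase drops the packet.
ASA_CRYPTO_ACL_BROKEN = """
access-list VPN-TO-REMOTE extended permit ip host 192.168.1.1 host 172.16.1.1
"""

# Remote peer (IOS syntax, wildcard masks), written as the mirror image of the ASA ACL.
REMOTE_CRYPTO_ACL = """
ip access-list extended VPN-TO-ASA
 remark mirror of the ASA VPN-TO-REMOTE ACL
 permit ip host 172.16.1.1 host 172.17.1.1
 permit ip 172.16.2.0 0.0.0.255 10.10.0.0 0.0.0.255
"""


def to_network(addr: str, mask: str, wildcard: bool) -> ipaddress.IPv4Network:
    """Build a network from 'addr mask'; IOS wildcard masks are inverted into netmasks."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, mask))   # strict: a misaligned entry raises ValueError


def take_spec(tok: List[str], wildcard: bool):
    """Consume one address spec (any | host A | A MASK) from the token list."""
    if tok[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    return to_network(tok[0], tok[1], wildcard), tok[2:]


def parse_crypto_acl(text: str, wildcard: bool = False) -> Set[Ace]:
    """Parse permit entries from ASA (wildcard=False) or IOS (wildcard=True) ACL text."""
    aces: Set[Ace] = set()
    for raw in text.splitlines():
        tok = raw.split()
        if "permit" not in tok:      # headers, remarks and deny lines are not proxy IDs
            continue
        i = tok.index("permit")
        proto, rest = tok[i + 1], tok[i + 2:]
        src, rest = take_spec(rest, wildcard)
        dst, _ = take_spec(rest, wildcard)
        aces.add((proto, src, dst))
    return aces


def mirror(aces: Set[Ace]) -> Set[Ace]:
    """What the other peer must carry: same protocol, source and destination swapped."""
    return {(proto, dst, src) for proto, src, dst in aces}


def check_mirror(local: Set[Ace], remote: Set[Ace]) -> List[str]:
    """Return the mismatches; an empty list means the two ACLs are exact mirrors."""
    expected = mirror(local)
    problems = [f"remote is missing: permit {p} {s} -> {d}"
                for p, s, d in sorted(expected - remote, key=str)]
    problems += [f"remote has an entry the local side does not mirror: permit {p} {s} -> {d}"
                 for p, s, d in sorted(remote - expected, key=str)]
    return problems


if __name__ == "__main__":
    remote = parse_crypto_acl(REMOTE_CRYPTO_ACL, wildcard=True)
    for name, text in (("corrected", ASA_CRYPTO_ACL), ("broken", ASA_CRYPTO_ACL_BROKEN)):
        problems = check_mirror(parse_crypto_acl(text), remote)
        print(f"{name}: {problems or 'ACLs mirror each other'}")
```

Entries are compared as normalised networks, so an ASA subnet mask and the equivalent IOS wildcard compare equal; the comparison is exact on purpose, because a proxy ID that merely overlaps (say /24 on one side and /25 on the other) is still a Phase 2 mismatch.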
