Cisco ASA VPN: Drop-reason: (acl-drop) Flow is denied by configured rule

cisco-asavpn

During VPN reconfiguration we ran into a fairly big issue with VPN traffic not passing to the peer. Using packet-tracer we got the following debug output:

Phase 1 to Phase 9 passed successfully.
[…]

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: internal
input-status: up
input-line-status: up
output-interface: newiface
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

We have googled lots of docs, but nothing helped.

Best Answer

Fortunately I'm already able to answer - I want to spare someone else several hours and a lot of headache.

We had configured everything correctly - NAT, ACL, CACL, routes etc. But we had forgotten one crucial thing - this interface was new and IPsec was not enabled on that interface.

crypto ikev1 enable newiface

was the solution to our problem; after adding this command, everything (well, mostly) came up without problem. I haven't found this mentioned as a possible solution for "(acl-drop) Flow is denied by configured rule", so I decided to share it with others.
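The answer above boils down to a configuration invariant: every interface that has a crypto map bound to it must also have IKE enabled for each IKE version the map uses (crypto ikev1 enable / crypto ikev2 enable). The following script is an added example, not code from the thread or from Cisco; it audits an ASA running-config text for that invariant so the omission can be caught before packet-tracer has to tell you. The sample config, the interface names (outside, newiface) and the crypto map names are constructed for the example and are not the poster's configuration.

```python
"""Audit an ASA running-config for interfaces that carry a crypto map but
lack the matching 'crypto ikev1|ikev2 enable <interface>' line.

Added example for this thread; the config below is constructed, not taken
from a real device, and the map/interface names are hypothetical."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: IKE is enabled on 'outside' but was never enabled on the
# newly added interface 'newiface', which is the situation described above.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/2
 nameif newiface
 security-level 0
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto map newiface_map 10 match address newiface_cryptomap
crypto map newiface_map 10 set peer 198.51.100.20
crypto map newiface_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map newiface_map 10 set ikev2 ipsec-proposal AES256
crypto map newiface_map interface newiface
crypto ikev1 enable outside
crypto ikev2 enable outside
"""

# 'crypto map <name> interface <iface>' binds a map to an interface.
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")
# Per-entry lines that reveal which IKE version(s) a map actually uses.
MAP_IKE = re.compile(r"^crypto map (\S+) \d+ set (ikev1|ikev2) ")
# 'crypto ikev1 enable <iface>' / 'crypto ikev2 enable <iface>'.
IKE_ENABLE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)$")


def audit_ike_enable(config: str) -> Dict[str, List[str]]:
    """Return {interface: [missing 'crypto ikevN enable <iface>' commands]}.

    An empty dict means every interface with a bound crypto map has IKE
    enabled for each version its map entries reference.
    """
    map_iface: Dict[str, str] = {}            # map name -> bound interface
    map_versions: Dict[str, Set[str]] = {}    # map name -> {"ikev1", "ikev2"}
    enabled: Set[Tuple[str, str]] = set()     # (version, interface) pairs

    for raw in config.splitlines():
        line = raw.strip()
        m = MAP_IFACE.match(line)
        if m:
            map_iface[m.group(1)] = m.group(2)
            continue
        m = MAP_IKE.match(line)
        if m:
            map_versions.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = IKE_ENABLE.match(line)
        if m:
            enabled.add((m.group(1), m.group(2)))

    findings: Dict[str, List[str]] = {}
    for name, iface in map_iface.items():
        for version in sorted(map_versions.get(name, set())):
            if (version, iface) not in enabled:
                findings.setdefault(iface, []).append(
                    f"crypto {version} enable {iface}"
                )
    return findings


if __name__ == "__main__":
    for iface, commands in audit_ike_enable(SAMPLE_CONFIG).items():
        print(f"{iface}: crypto map bound but IKE not enabled; add:")
        for cmd in commands:
            print(f"  {cmd}")
```

The audit reports the missing commands in the form the answer used, so the output can be pasted into the device as-is. On the ASA itself the same state is visible with show running-config crypto ikev1 (and crypto ikev2), which lists the interfaces IKE is enabled on; if the interface carrying the crypto map is absent from that list, the encrypt phase will never succeed regardless of how correct the NAT, ACL and routing configuration is.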
