Cisco ASA Packet Drop Troubleshooting

This topic is to discuss the following lesson:

Good morning Everyone,
I couldn't find a topic similar to the one I am starting, so I apologize if this is a repetition.
I am trying to join an MS Win 10 machine in my DMZ to an AD server (MS Server 2016) in my LAN.
I did some research, and the ports listed in the attachment are the ones that are supposed to be opened, but I think I am missing something because I am still not able to join the domain. I also opened port 53 TCP/UDP.
Can you please give me a hand with this issue?
Best,
Asen
[attachment: addc-ports]

Hello Asen

It’s great that you mention this at this time because Rene has just completed a lesson that will help you identify specific packet drop events on an ASA. Take a look at this lesson and see if it helps you in your troubleshooting process.

Take a look and let us know how you get along.

I hope this has been helpful!

Laz

Hi,
I have "logging buffered debugging", and I want to send the logs to the syslog server.
In that case, what type of logging should I choose?
Why did you exclude 111008|111009|111010|302010?
Thanks

Hello Sims

The type of logging you choose depends on the detail that you want included. There are eight levels of severity:

  1. Emergency
  2. Alert
  3. Critical
  4. Error
  5. Warning
  6. Notice
  7. Informational
  8. Debug

By choosing the severity, you choose what kind of events you want to be logged regardless of whether you are using a syslog server or not. You can find out more information about these levels of severity and how to connect a syslog server at the following lesson:

The specific numbers were used simply to demonstrate how you can use the exclude keyword to exclude information from the output. There is no reason to choose those particular numbers. It was done for demonstration purposes only.

I hope this has been helpful!

Laz
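As an added illustration of Laz's two points (the severity threshold decides which messages are logged at all, and the exclude keyword only hides message IDs from the displayed output), here is a small Python filter that parses ASA-style syslog lines, applies a severity threshold the way "logging buffered <level>" or "logging trap <level>" would, and then drops specific message IDs the way "show logging | exclude 111008|111009|111010|302010" would. This is not code from the lesson or from Cisco; the sample log lines are constructed for the example, and the severity numbers follow the ASA convention where the digit in "%ASA-<sev>-<id>" runs from 0 (emergencies) to 7 (debugging).

```python
import re

# Cisco ASA syslog severities: the digit in "%ASA-<sev>-<id>" runs 0..7.
# (The forum post numbers them 1..8; the wire format uses 0..7.)
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
SEVERITY_BY_NAME = {name: num for num, name in SEVERITY_NAMES.items()}

# Constructed sample messages (not a real capture); IDs and texts follow
# the general ASA message style, severities are assumed for the example.
SAMPLE_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 12345 for dmz:10.2.2.10/49152 (10.2.2.10/49152) to inside:10.1.1.5/445 (10.1.1.5/445)",
    "%ASA-6-302014: Teardown TCP connection 12345 for dmz:10.2.2.10/49152 to inside:10.1.1.5/445 duration 0:00:01 bytes 1234 TCP FINs",
    "%ASA-4-106023: Deny tcp src dmz:10.2.2.10/49153 dst inside:10.1.1.5/389 by access-group \"dmz_in\" [0x0, 0x0]",
    "%ASA-5-111008: User 'admin' executed the 'logging buffered debugging' command.",
    "%ASA-5-111010: User 'admin', running 'CLI' from IP 10.1.1.100, executed 'show logging'",
    "%ASA-6-302010: 5 in use, 12 most used",
    "%ASA-7-609001: Built local-host inside:10.1.1.5",
]

ASA_MSG = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)")


def parse_asa_message(line):
    """Return {'severity', 'id', 'text'} for an ASA syslog line, or None if it
    does not carry the %ASA-<sev>-<id>: prefix."""
    m = ASA_MSG.search(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")), "id": m.group("id"), "text": m.group("text")}


def filter_messages(lines, level, exclude_ids=()):
    """Keep messages at or above the configured severity (numerically <= the
    threshold, as 'logging <destination> <level>' does), then hide the listed
    message IDs, as 'show logging | exclude id1|id2|...' would on the CLI.

    `level` may be a name such as 'informational' or a number 0..7.
    Returns the parsed messages that survive both filters."""
    threshold = SEVERITY_BY_NAME[level] if isinstance(level, str) else int(level)
    excluded = set(exclude_ids)
    kept = []
    for line in lines:
        msg = parse_asa_message(line)
        if msg is None:
            continue                      # not an ASA message, ignore it
        if msg["severity"] > threshold:
            continue                      # below the logging level: never logged
        if msg["id"] in excluded:
            continue                      # logged, but hidden from this view
        kept.append(msg)
    return kept


def message_ids(lines, level, exclude_ids=()):
    """Convenience wrapper: just the surviving message IDs, in order."""
    return [m["id"] for m in filter_messages(lines, level, exclude_ids)]


if __name__ == "__main__":
    # 'informational' drops the debugging (7) line; the exclude list then hides
    # the command-audit and connection-count noise, leaving the flow events.
    for m in filter_messages(SAMPLE_LOG, "informational",
                             exclude_ids={"111008", "111009", "111010", "302010"}):
        print(f"{m['id']} ({SEVERITY_NAMES[m['severity']]}): {m['text']}")
```

Note the difference the two filters make: raising the level to "warnings" would keep only the 106023 deny, which is the message you actually want when chasing a blocked domain join, while the exclude list leaves the level alone and only declutters the display. If you want a noisy ID suppressed at the source rather than at display time, the ASA also supports "no logging message <id>" per message ID.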

Hi Rene,

Can we have two more details explanation on

  1. ASA FLAGs
  2. details on each phase of "packet-tracer input inside sourceip sourceport destinationip destinationport"

Thanks in Advance
Manami

Hello Manami

The flags indicated in the show conn detail command output simply indicate additional information about the connection. Specifically, Cisco states that:

When you use the detail option, the system displays information about the translation type and interface information using the connection flags…

You can find more information about this command including a table that shows what each flag means in detail at the following ASA command reference link:

Each phase that is displayed within the output corresponds to a particular operation that the ASA performs on that packet. Remember that a packet coming into one ASA interface and exiting another will go through flow and route lookups, multiple ACL matches, protocol inspection and NAT. For each of these, and in the order they are applied, the output displays a “phase”.

You can find out more about this command, the various options, and details about its output at the following link:

I hope this has been helpful!

Laz
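To make Laz's description of the phases concrete, here is an added Python helper (not from the lesson or from Cisco) that parses packet-tracer output into its numbered phases plus the final Result block, and reports the first phase that returned DROP together with the Drop-reason. The trace below is constructed to resemble what the ASA prints for a DMZ host that is denied LDAP access to the inside by an access list; the interface names, addresses and access-list name are assumptions for the example.

```python
import re

# Constructed packet-tracer output (not a real capture) in the layout the ASA
# uses: one block per phase, a blank line between blocks, then a final
# "Result:" block with the verdict and drop reason.
SAMPLE_TRACE = """Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.1.5 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group dmz_in in interface dmz
access-list dmz_in extended deny ip any any
Additional Information:

Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into (phases, final_result).

    Each phase is a dict with phase number, type, subtype, result, and the
    lines under 'Config:' and 'Additional Information:'. The final result is a
    dict of the 'key: value' lines in the trailing 'Result:' block."""
    phases, final = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if lines[0].startswith("Phase:"):
            phase = {"phase": int(lines[0].split(":", 1)[1]),
                     "type": "", "subtype": "", "result": "",
                     "config": [], "info": []}
            section = None
            for ln in lines[1:]:
                if ln.startswith("Type:"):
                    phase["type"] = ln.split(":", 1)[1].strip()
                elif ln.startswith("Subtype:"):
                    phase["subtype"] = ln.split(":", 1)[1].strip()
                elif ln.startswith("Result:"):
                    phase["result"] = ln.split(":", 1)[1].strip()
                elif ln.startswith("Config:"):
                    section = "config"
                elif ln.startswith("Additional Information:"):
                    section = "info"
                elif section and ln.strip():
                    phase[section].append(ln.strip())
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            for ln in lines[1:]:
                key, _, value = ln.partition(":")
                final[key.strip()] = value.strip()
    return phases, final


def first_drop(phases):
    """Return the first phase whose Result is DROP, or None if all allowed."""
    return next((p for p in phases if p["result"] == "DROP"), None)


def summarize(text):
    """One-line verdict: which phase dropped the packet and why."""
    phases, final = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return f"ALLOW after {len(phases)} phases (action: {final.get('Action', '?')})"
    return (f"DROP at phase {drop['phase']} ({drop['type']}/{drop['subtype']}): "
            f"{final.get('Drop-reason', 'no drop reason reported')}")


if __name__ == "__main__":
    phases, final = parse_packet_tracer(SAMPLE_TRACE)
    for p in phases:
        print(f"phase {p['phase']:>2}  {p['type']:<14} {p['result']:<6} {' | '.join(p['config'])}")
    print(summarize(SAMPLE_TRACE))
```

The useful part when troubleshooting a blocked domain join is the Config lines attached to the dropping phase: they name the access-group and the specific access-list entry that matched, so you can go straight to that rule instead of reading the whole ACL. Phases after the drop are not printed by the ASA, which is why the parser only needs to find the first DROP.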

Yes Laz, this clears my doubt and is helpful too.

Thanks
manami
