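Hello everyone!
My device is an ASA 5525 with IPsec configured in VTI form. The tunnel status is currently UP on both ends. The peer can ping me fine, but my pings to the peer fail, and the packet-tracer output seems to show that the packet is not being processed by IPsec. The output is below; could the experts please help analyze what the cause is?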
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside2,dmz) source static inside2 inside2 destination static NoNat NoNat
Additional Information:
NAT divert to egress interface dmz
Untranslate 10.244.33.23/80 to 10.244.33.23/80
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside2,dmz) source static inside2 inside2 destination static NoNat NoNat
Additional Information:
Static translate 192.168.237.241/9000 to 192.168.237.241/9000
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside2,dmz) source static inside2 inside2 destination static NoNat NoNat
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 894594445, packet dispatched to next module
Phase: 9
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc dmz
Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 49.4.132.209 using egress ifc dmz
Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 4cb1.6c90.6071 hits 4647 reference 84
Result:
input-interface: inside2
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
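An added example, not part of the original post: a small Python parser for packet-tracer text like the output above, reporting which phase types ran, where NAT diverted the packet, and the final output interface. The function names are hypothetical, and the check assumes IPsec handling would show up as a phase whose Type is VPN.

```python
import re

# Excerpt of the trace from the post above (phases 2-9 and 11 omitted).
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside2,dmz) source static inside2 inside2 destination static NoNat NoNat
Additional Information:
NAT divert to egress interface dmz
Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 49.4.132.209 using egress ifc dmz
Result:
input-interface: inside2
output-interface: dmz
Action: allow
"""

def parse_phases(trace):
    """Split the text into one dict per 'Phase: N' block, ignoring the
    final bare 'Result:' summary that follows the last phase."""
    phases = []
    for block in re.split(r"(?m)^Phase:\s*", trace)[1:]:
        body = re.split(r"(?m)^Result:\s*$", block)[0]
        fields = dict(re.findall(r"(?m)^(Type|Subtype|Result):[ \t]*(.*)$", body))
        phases.append(fields)
    return phases

def summarize(trace):
    """Collect the facts relevant to 'was this packet handed to IPsec?'."""
    phases = parse_phases(trace)
    divert = re.search(r"NAT divert to egress interface (\S+)", trace)
    out = re.search(r"(?m)^output-interface:\s*(\S+)", trace)
    return {
        "phase_types": [p.get("Type") for p in phases],
        # Assumption: IPsec handling appears as a phase with Type VPN.
        "vpn_phase_seen": any(p.get("Type") == "VPN" for p in phases),
        "nat_divert_ifc": divert.group(1) if divert else None,
        "output_ifc": out.group(1) if out else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

For the excerpt it reports no VPN phase and `dmz` as both the NAT divert interface and the output interface, which is the pairing to compare against the interface the VTI tunnel is expected to use.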