ASA Multicontext and the packet-tracer command

Hello everybody,

 

I have an interesting question but I cannot find the answer. Basically, whenever I configure multicontext with the outside interface being shared and no NAT at all, everything works fine (traffic, ACLs, etc.). However, the packet-tracer command says I shouldn't be able to have this working [:S]

 

The output is:

 

packet-tracer input outside icmp <ip_add_A> 8 0 <ip_add_B>

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (ifc-classify) Virtual firewall classification failed

I get the same result for UDP/TCP/ICMP traffic.

So, even when everything is working fine, if I use the packet-tracer just for verification, it says this shouldn't work. This must be a bug, but I'm not able to find one.

Any inputs?

 

Thanks.

 

Adrian
