ASA VPN Issue
So trying to get a second tunnel up and I am running into an issue. This is what I get from a packet trace:
packet-tracer input inside tcp 192.168.137.37 22 10.11.89.12 22
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static US US destination static THEM THEM
Additional Information:
NAT divert to egress interface outside
Untranslate 10.11.89.12/22 to 10.11.89.12/22
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static US US destination static THEM THEM
Additional Information:
Static translate 192.168.137.37/22 to 192.168.137.37/22
Forward Flow based lookup yields rule:
in id=0x7fff206b7f70, priority=6, domain=nat, deny=false
hits=0, user_data=0x7fff2a3f8c10, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.137.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.11.89.12, mask=255.255.255.255, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff1fd322d0, priority=1, domain=nat-per-session, deny=true
hits=6793, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a308310, priority=0, domain=inspect-ip-options, deny=true
hits=696, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff20229010, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0x7fff29cbd330, reverse, flags=0x0, protocol=0
src ip/id=192.168.137.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.11.89.12, mask=255.255.255.255, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
It appears that it's not even getting sent out, but not 100% sure of why.