topic Re: FMC/FTD VPN issue in Network Security

FMC/FTD VPN issue

benolyndav — Thu, 24 Nov 2022 11:56:13 GMT

Got x2 2100 FTD's managed by same FMC and got the VPN up between the two but oneside has no decaps any ideas, ? there is no NAT configured do I need it as some docs suggest because it was working before one FTD got replaced due to failure with no NAT?

Thanks

Re: FMC/FTD VPN issue

MHM Cisco World — Thu, 24 Nov 2022 12:07:37 GMT

you need NAT exemption not NAT traffic.
so sure you need to deal with NAT

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215875-configure-anyconnect-vpn-client-on-ftd.html

Re: FMC/FTD VPN issue

Rob Ingram — Thu, 24 Nov 2022 12:07:39 GMT

@benolyndav is routing setup correctly from the local switch, to route traffic via the FTD and over the VPN?

Can you provide the output of "show crypto ipsec sa" from both sides, just so we can confirm.

You'd only need a NAT exemption rule if you had dynamic PAT/NAT setup, which would unintentially translate the VPN traffic. Sounds like you don't need a NAT rule.

Re: FMC/FTD VPN issue

benolyndav — Thu, 24 Nov 2022 12:33:32 GMT

show crypto ipsec sa peer 81.0.89.50

peer address: 81.0.89.50

Crypto map tag: CSM_INTERNET_map, seq num: 4, local addr: 81.136.195.226

access-list CSM_IPSEC_ACL_4 extended permit ip host 192.168.99.200 host 172.16.99.200

local ident (addr/mask/prot/port): (192.168.99.200/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (172.16.99.200/255.255.255.255/0/0)

current_peer: 81.0.89.50

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 281, #pkts decrypt: 281, #pkts verify: 281

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 81.136.195.226/500, remote crypto endpt.: 81.0.89.50/500

path mtu 1500, ipsec overhead 94(44), media mtu 1500

PMTU time remaining (sec): 0, DF policy: copy-df

ICMP error validation: disabled, TFC packets: disabled

current outbound spi: BF622F97

current inbound spi : C8AD9DB1

inbound esp sas:

spi: 0xC8AD9DB1 (3366821297)

SA State: active

transform: esp-aes-256 esp-sha-512-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

slot: 0, conn_id: 37362, crypto-map: CSM_INTERNET_map

sa timing: remaining key lifetime (kB/sec): (3916785/17727)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0xBF622F97 (3210882967)

SA State: active

transform: esp-aes-256 esp-sha-512-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

slot: 0, conn_id: 37362, crypto-map: CSM_INTERNET_map

sa timing: remaining key lifetime (kB/sec): (4147200/17727)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

show crypto ipsec sa peer 81.136.195.226

peer address: 81.136.195.226

Crypto map tag: CSM_INTERNET_map, seq num: 1, local addr: 81.0.89.50

access-list CSM_IPSEC_ACL_1 extended permit ip host 172.16.99.200 host 192.168.99.200

local ident (addr/mask/prot/port): (172.16.99.200/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.168.99.200/255.255.255.255/0/0)

current_peer: 81.136.195.226

#pkts encaps: 281, #pkts encrypt: 281, #pkts digest: 281

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 281, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 81.0.89.50/500, remote crypto endpt.: 81.136.195.226/500

path mtu 1500, ipsec overhead 94(44), media mtu 1500

PMTU time remaining (sec): 0, DF policy: copy-df

ICMP error validation: disabled, TFC packets: disabled

current outbound spi: C8AD9DB1

current inbound spi : BF622F97

inbound esp sas:

spi: 0xBF622F97 (3210882967)

SA State: active

transform: esp-aes-256 esp-sha-512-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

slot: 0, conn_id: 28134, crypto-map: CSM_INTERNET_map

sa timing: remaining key lifetime (kB/sec): (4101120/17542)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

outbound esp sas:

spi: 0xC8AD9DB1 (3366821297)

SA State: active

transform: esp-aes-256 esp-sha-512-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

slot: 0, conn_id: 28134, crypto-map: CSM_INTERNET_map

sa timing: remaining key lifetime (kB/sec): (4147185/17542)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

Re: FMC/FTD VPN issue

benolyndav — Thu, 24 Nov 2022 12:34:59 GMT

The traffic isnt matching any other NAT rule

Re: FMC/FTD VPN issue

Rob Ingram — Thu, 24 Nov 2022 12:40:28 GMT

@benolyndav What's the topology, is the FTD the default gateway for all traffic? Do you have multiple WAN interfaces?

Run packet-tracer from the CLI to simulate traffic from 192.168.99.200 to 172.16.99.200, provide the output for review.

I assumed you meant there is no other NAT rules, if there are then you'd probably need a NAT exemption rule to ensure traffic between the VPN host/network is not unintentially translated.

Re: FMC/FTD VPN issue

MHM Cisco World — Thu, 24 Nov 2022 12:39:06 GMT

do you have NAT overload for local LAN ??

Re: FMC/FTD VPN issue

benolyndav — Thu, 24 Nov 2022 13:11:04 GMT

The FTD is split into sveral sub-interfaces at both sides, the server is .200 and thhe GW for the server is .1 there is a route pointing out the internet interface to the server on each side, we nevr had any nat in place for this traffic and also why is one sides traffic recived at the other side but not vice versa? nat rules routes are all the same both sides

Thanks

Re: FMC/FTD VPN issue

MHM Cisco World — Thu, 24 Nov 2022 13:32:21 GMT

CSM_INTERNET_map, seq num: 4 <<- seq num 4, so there are multi IPsec L2L, can you double check ACL for each L2L

Re: FMC/FTD VPN issue

benolyndav — Thu, 24 Nov 2022 14:48:40 GMT

Yes I have checked the ACL's and there is an ACL above which allows the .200 address to any across a different L2L is it possible the traffic is matching on that ACL, ??

and do you agree no NAT rule required as we never had one previously for this.??

Thanks

Re: FMC/FTD VPN issue

MHM Cisco World — Thu, 24 Nov 2022 14:51:56 GMT

Yes I have checked the ACL's and there is an ACL above which allows the .200 address to any across a different L2L is it possible the traffic is matching on that ACL, ?? Yes

and do you agree no NAT rule required as we never had one previously for this.?? let change ACL from any to remote LAN then see if we need NAT or not.

Re: FMC/FTD VPN issue

benolyndav — Thu, 24 Nov 2022 15:24:03 GMT

I removed the server from the group which was matching on the ACL above and all looks good now seeing encaps/dcaps, I'm thinking the only way to fix permanently is to delete both vpns but recreate the latter one first so the acl is above and not below the any ipv4 it was matching ?

Thanks for the ACL tip i had checked earlier but wasnt thorough enough.

Re: FMC/FTD VPN issue

MHM Cisco World — Thu, 24 Nov 2022 15:28:21 GMT

Yes you tottaly right change order of vpn can be workaround for your case.

And you are so welcome.

Re: FMC/FTD VPN issue

Rob Ingram — Thu, 24 Nov 2022 15:39:45 GMT

@benolyndav the problem that may occur is if the other tunnel with the overlapping networks is established first (before this tunnel you are troubleshooting), then this probably may occur again.

Re: FMC/FTD VPN issue

benolyndav — Thu, 24 Nov 2022 21:41:14 GMT

Hi Rob

Yes absolutely I made sure the first tunnel had established before I configured the second

Thanks

Re: FMC/FTD VPN issue

Rob Ingram — Thu, 24 Nov 2022 21:57:45 GMT

Hi @benolyndav sure, but if there is no interesting traffic and the IPSec SA expire, or the tunnel drops for any reason, reboot etc, you might find the wrong tunnel comes up first and you've the same problem again.

It might be better to use a route based VPN or not use overlapping networks, though that might be easier said than done.

Re: FMC/FTD VPN issue

benolyndav — Fri, 25 Nov 2022 11:49:39 GMT

Hi Rob
Good point I'll bare that in mind from now on

Thanks