https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772756#M983285 <HR /> <P>Sure</P> <P>&nbsp;</P> <P>FTD1:</P> <P><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 649px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27077i4F7E32F85A7A8CE4/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 680px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27078i96AD9A03CFEE24B8/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 652px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27079iDCF52AE400807E53/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>FTD2:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 656px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27080iD78BA4316E760DE1/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 879px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27081i3BA7D8AF50835EB4/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 830px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27082iFA14BC05A0DF0CFA/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 04 Jan 2019 09:32:09 GMT mhmservice 2019-01-04T09:32:09Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772299#M983262 <P>Hi all</P> <P>&nbsp;</P> <P>I am currently building a proof of concept with the following topology. It is all built inside a single VMware ESXI host.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27020i9DCFC36BDC194BBD/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>I intend to configure a full mesh VPN between all four FTD devices to route between the LAN subnets (10.1.0.0/24,10.2.0.0/24,10.3.0.0/24,10.4.0.0/24)</P> <P>&nbsp;</P> <P>I have a basic "hide" NAT rule setup from inside to outside on each FTD and there is an "any-any" access control policy in place on all the firewalls to rule that out as an issue</P> <P>&nbsp;</P> <P>PC 10.2.0.111 can ping the outside interface of FTD1 so I know the connectivity through R1 is working. The FMC can also connect to FTD2,FTD3,FTD4 management interfaces over R1 as they have been configured using this connection</P> <P>&nbsp;</P> <P>The issue is I can't seem to ping the sites from each other, e.g. PC 10.2.0.111 is unable to ping 10.1.0.111. I have checked windows firewall is turned off on the VMs.</P> <P>&nbsp;</P> <P>Here is the full mesh VPN config page from FMC:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27021i1FB281DF9A77BA62/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span>I thought the problem was the NAT policy so I configured as follows to try to get connectivity to work on FTD1:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27025i13299190AC2D0269/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>And on FTD2:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27026i3C3E3C9A95E677A5/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>Show crypto ikev2 sa on FTD1 shows the tunnel (all other FTDs show similar)<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 723px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27022i14090D2BFC51AD7A/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>I ran a trace and it says the traffic is allowed:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27027i2AA327955052CFA0/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>Does anyopne have more tips on how to troubleshoot this as i'm really stuck</P> <P>&nbsp;</P> <P>All help appreciated</P> <P>&nbsp;</P> Fri, 21 Feb 2020 16:37:38 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772299#M983262 mhmservice 2020-02-21T16:37:38Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772303#M983266 <P>Do you have access control policies to permit the traffic?</P> Thu, 03 Jan 2019 15:57:50 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772303#M983266 matty-boy 2019-01-03T15:57:50Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772335#M983270 <P>I have the following policy on all FTD devices in place in an attempt to troubleshoot this:<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27031i39BB519B602CEDB3/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 03 Jan 2019 16:26:31 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772335#M983270 mhmservice 2019-01-03T16:26:31Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772336#M983273 <P>run a packet tracer to verify it first.</P><P>least it will tell you where the packet the droping</P> Thu, 03 Jan 2019 16:43:43 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772336#M983273 Sheraz.Salim 2019-01-03T16:43:43Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772367#M983277 <P>I ran the following packet tracer and it says "DROP" for ipsec-tunnel-flow but im not sure what specifically that means</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27033i7A64114868F1A548/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> Thu, 03 Jan 2019 16:50:55 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772367#M983277 mhmservice 2019-01-03T16:50:55Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772381#M983282 <P>i think you packet trace does not give accurate result in terms of vpn.</P><P>can you sent constant ping from Site1_Lan to Site2_Lan in mean time check if phase 1 and phase 2 come up.</P><P>&nbsp;</P><P>if you have access to CLI on FTD give command</P><P>&nbsp;</P><P>show crypto ikev1 sa</P><P>show crypto ipsec sa</P><P>&nbsp;</P> Thu, 03 Jan 2019 17:14:27 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772381#M983282 Sheraz.Salim 2019-01-03T17:14:27Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772756#M983285 <HR /> <P>Sure</P> <P>&nbsp;</P> <P>FTD1:</P> <P><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 649px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27077i4F7E32F85A7A8CE4/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 680px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27078i96AD9A03CFEE24B8/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 652px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27079iDCF52AE400807E53/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>FTD2:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 656px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27080iD78BA4316E760DE1/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 879px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27081i3BA7D8AF50835EB4/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 830px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27082iFA14BC05A0DF0CFA/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 04 Jan 2019 09:32:09 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772756#M983285 mhmservice 2019-01-04T09:32:09Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772758#M983287 <P>can you please double check if the routing is properly in place. i can see the encap and no decap. most probably it could be a routing issue.</P> Fri, 04 Jan 2019 09:35:01 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772758#M983287 Sheraz.Salim 2019-01-04T09:35:01Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772774#M983289 <P>I think that it is:</P> <P>&nbsp;</P> <P>FTD1:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 665px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27088i13BB88756395650E/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>FTD2:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 665px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/27089i8DA115BF1372C83A/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Fri, 04 Jan 2019 09:56:18 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772774#M983289 mhmservice 2019-01-04T09:56:18Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772808#M983290 <P>Double check that FTD2 PC has FTD2 inside interface as its gateway. That's the routing that is suspect given your output that you shared.</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 04 Jan 2019 11:15:08 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3772808#M983290 Marvin Rhoads 2019-01-04T11:15:08Z https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3775148#M983291 <P>Finally fixed it ... subnet mask on PC 10.2.0.111 was set to 255.0.0.0 not 255.255.255.0 ...</P> <P>&nbsp;</P> <P>Stupid mistake on my part, but a mystery solved!</P> <P>&nbsp;</P> <P>Thanks for the hints</P> Tue, 08 Jan 2019 15:04:47 GMT https://community.cisco.com/t5/network-security/help-with-troubleshooting-firepower-ftd-vpn-not-passing-traffic/m-p/3775148#M983291 mhmservice 2019-01-08T15:04:47Z