Cisco Firepower 1010 Threat Defense VPN is down after it worked for a long time

oelagy
Level 1

hello,
I need help. I configured a site-to-site VPN a few days ago and it has stopped working; the VPN is down. I'm trying to bring it up by generating traffic and I can't get it up in any way. Do you know what the problem could be? Nothing has been changed at the configuration level.

thank you

9 REPLIES

Hi

A VPN cannot go down without any change. Have you generated interesting traffic, like a ping between the LANs?

Have you verified the communication between the peers through pings?

Check the Firepower image version, it could be a bug and an upgrade could be required.

Do you have any NAT configured?

The following commands can be useful to verify the VPN status:

show crypto isakmp (or ikev1) sa
show crypto ipsec sa

From the FTD execute: system support firewall-engine-debug. It will help you verify whether any firewall rule is affecting the traffic.

Hope it is useful.

Regards.




>> Mark as helpful or answered if the reply resolved the question; this helps future queries from other community members. <<

hello,

I have generated traffic between the LANs; it stays the same and does not come up.

Also, when I ping the other end from the firewall itself I do not reach it; I attach the screenshots:

> ping 195.64.187.247
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 195.64.187.247, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/30 ms

NAT: I have NAT configured. It worked correctly until it suddenly stopped working, because the VPN timed out due to lack of traffic between both sites.

nat (inside_2,outside) source static local_net local_net_nat


- When I run this command, the firewall does not respond:

> system support firewall-engine-debug

Please specify an IP protocol: icmp

Please specify a client IP address: 46.35.117.160

Please specify a server IP address: 195.64.187.247

Monitoring firewall engine debug messages

^C Caught interrupt signal exiting.

- Regarding the update, it is on its latest version.


> show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

There are no IKEv2 SAs


I ran a packet-tracer to the destination LAN and it stops at the following point: packet_trace_inside.txt

Thank you.

Also when I ping it from the firewall itself I don't get to the other end, I attach the screenshots:

> ping 195.64.187.247
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 195.64.187.247, timeout is 2 seconds:
!!!!!

Does that mean you can ping the tunnel head end or not?

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside_2,outside) source static local_net local_net_nat_telrad
Additional Information:
Static translate 192.100.9.94/0 to 10.77.158.94/0
 Forward Flow based lookup yields rule:
 in  id=0x2acb229d6ea0, priority=6, domain=nat, deny=false
        hits=46443, user_data=0x2acb229d6110, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.100.9.0, mask=255.255.255.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

This indicates the traffic is being NATed by this NAT statement.

Ping from the local to the remote side and check the hit count of this NAT.

Hi,

Yes, this corresponds to another tunnel that I have, which in this case is: Static translate 192.100.9.94/0 to 10.77.158.94/0
The one I'm having trouble with is: Static translate 192.100.9.94/0 to 10.36.7.94

6 (inside_2) to (outside) source static local_net local_net_nat_telrad
translate_hits = 46586, untranslate_hits = 0
7 (inside_2) to (outside) source static local_net local_net_nat_ingesa
translate_hits = 0, untranslate_hits = 0


You must use the remote LAN instead of any in the destination of the NAT statement.

Do that and generate traffic, and I think the VPN will come up again.
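What the fix above looks like in ASA/FTD NAT syntax, as an added example that is not part of the original thread. The object names and the three /24 subnets are taken from the packet-tracer and show nat output posted earlier (192.100.9.94 -> 10.77.158.94 and 192.100.9.94 -> 10.36.7.94 imply 192.100.9.0/24, 10.77.158.0/24 and 10.36.7.0/24); the two remote LAN objects and their addresses are assumptions, since the thread never names the peer networks. On an FMC- or FDM-managed FTD these lines are what `show running-config nat` renders after you edit each Manual NAT rule and set Original Destination / Translated Destination; they are not typed at the `>` prompt.

```cisco
! Objects present in the thread (subnets inferred from the packet-tracer output).
object network local_net
 subnet 192.100.9.0 255.255.255.0
object network local_net_nat_telrad
 subnet 10.77.158.0 255.255.255.0
object network local_net_nat_ingesa
 subnet 10.36.7.0 255.255.255.0
! Remote LANs behind each peer: ASSUMED values, replace with the real ones.
object network remote_telrad
 subnet 172.16.10.0 255.255.255.0
object network remote_ingesa
 subnet 172.16.20.0 255.255.255.0

! BEFORE: manual NAT is evaluated top-down, first match wins. Rule 6 has no
! destination clause, which means "destination any", so it translates ALL traffic
! from local_net, including packets bound for the ingesa peer, to 10.77.158.x.
! Rule 7 is never reached (translate_hits = 0), the ingesa crypto ACL never sees
! a 10.36.7.x source, and without interesting traffic no IKE SA is built.
nat (inside_2,outside) source static local_net local_net_nat_telrad
nat (inside_2,outside) source static local_net local_net_nat_ingesa

! AFTER: scope each rule to its own remote LAN with an identity translation of
! the destination. A packet to 172.16.20.x now skips rule 6 and matches rule 7.
nat (inside_2,outside) source static local_net local_net_nat_telrad destination static remote_telrad remote_telrad no-proxy-arp route-lookup
nat (inside_2,outside) source static local_net local_net_nat_ingesa destination static remote_ingesa remote_ingesa no-proxy-arp route-lookup

! Verification from the FTD CLI (> prompt). The trace should pick rule 7 and
! finish with Result: ALLOW, after which the rule 7 counters and the SAs appear.
! packet-tracer input inside_2 icmp 192.100.9.94 8 0 172.16.20.10
! show nat detail
! show crypto ikev2 sa
! show crypto ipsec sa
```

The same shadowing applies in the reverse direction: with a destination-any rule first, return traffic from the ingesa peer would also be matched against the telrad rule, so both rules need the destination scoped. The protected networks of the ingesa site-to-site topology must reference the translated 10.36.7.0/24 (not 192.100.9.0/24) on the local side, because NAT runs before the crypto ACL lookup on this platform.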

Hi,

It seems to be working again, thank you very much for your help. So the error was in the NAT declaration: the destination LAN (remote) was not specified.

Thank you very much again

Correct.

You are so so welcome.

Have a nice day 

Great to know it is working, please mark as answered the proper reply. It will be useful for other members.



