Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
439
Views
2
Helpful
3
Replies

Firepwoer 1140 won't forward IP, but wiull forward icmp

johnchrapkowski
Level 1
Level 1

‎12-22-2023 12:16 AM - edited ‎12-22-2023 12:20 AM

Me and my coworker have been working on this problem all day.  We have a firepower that is our internet connection and is connected to two internal switches.  A cisco 2960LSM and a juniper 4200.  There is a Juniper srx345 firewall connected to the juniper switch with a VPN. The firepower is acting as dhcp server.  If I plug into the cisco switch, I cannot ssh to my VPN, but I can ping and traceroute.  Both seem normal/good.  if I plug into the juniper, I can.  If add a static route on my desktop to go directly to the juniper instead of my default route (which is the cisco firepower), I can ssh. The Firepower seems to certainly be where the packet is dropped. Did some packet captures and it seems like once my side sends the SYN with a sequence number, the packets coming back are not using the proper sequence number.  If I set the juniper to not care about sequence numbers, I still can't connect.  The packets show my desktop side sending a reset every time because it's not seeing the syn,ack from the ssh server, which eventually times out. We ran packet-tracer and nothing is blocking ssh.  It might be worth noting I have another VPN directly into the firepower that works fine.  I'm hoping someone has experienced this and knows where to look.

Labels:
3 Replies 3

MHM Cisco World
VIP
VIP

‎12-22-2023 12:36 AM

Share packets tracer 

MHM

balaji.bandi
Hall of Fame
Hall of Fame

‎12-22-2023 04:47 AM

if you conneced to cisco switch IP address same as Juniper switch ?

give some example - what is end device IP and what gateway you put that not working, what gateway you put that working ?

how is your FTD default route back internal side ?

provide some diagram with IP information for us to understand. ?

I cannot ssh to my VPN  - is this internal one or external one ? how is the traffic flow to this device ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

johnchrapkowski
Level 1
Level 1
In response to balaji.bandi

‎12-22-2023 08:02 AM - edited ‎12-22-2023 08:03 AM

Thank you for responding.  I was trying to be clear in my description, but it looks like I failed.

if you conneced to cisco switch IP address same as Juniper switch ? No, they each have their own uniqe IP address 

give some example - what is end device IP and what gateway you put that not working, what gateway you put that working ?

I cannot ssh from any computer plugged into cisco switch but I can from any computer plugged into juniper switch all machine IPs are on the 10.10.259.0/24 network all machines have default gateway 10.10.249.1 (this is the firepower)

how is your FTD default route back internal side ? My default route on the ftd is to the internet, but I have defined a route to the VPN network on the ftd

provide some diagram with IP information for us to understand. ?

I cannot ssh to my VPN  - is this internal one or external one ? how is the traffic flow to this device ? The internal one

I hope I answered the questions as needed, I don't think I always understood what you wanted

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card