04-26-2018 01:25 AM - edited 02-21-2020 07:40 AM
Hi
I'm using Cisco FTD 2120 managed by FMC. I have a site-to-site VPN between two sites. Site A (10.60.76.0) is an HQ and Site B (192.168.1.0) is a branch. In Site B I can SSH to Site A server IP address 10.60.76.31, but I cannot access the secure web server IP 10.60.76.31. How do I capture the packet to find out whether there is any drop in the FTD? Or is there anything else I can do to trace or find out whether the packet has been dropped?
Thank you
Regards,
Kenji Tan
04-26-2018 01:28 AM
On your FTD go to Analysis > Connections > Events and do a search based on initiator or responder IP.
04-26-2018 05:13 AM
04-26-2018 05:51 AM
OK, so you know the tunnel is up, and you see the remote traffic coming in. I'd spin up Wireshark on your web server, or otherwise run a tcpdump, and see if the traffic is actually reaching the web server on port 443.
04-26-2018 12:58 PM
You could also configure a debug or capture at the HQ to see if the traffic is leaving the inside interface.
From the FTD CLI, issue the command 'system support firewall-engine-debug', enter the server IP and client IP, and leave the protocol blank unless you really need to be that specific. Then run a test and see if there is any output on the debug. You might be hitting a rule in Security Intelligence, which will be shown here.
You can also go into 'system support diagnostic-cli' and run a capture between the two IPs. This will not show the Snort actions the way the debug command will.
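As an added example (not code from the thread or from Cisco), a small Python parser for the tcpdump-style lines that 'show capture <name>' prints in the diagnostic CLI, which applies the check the reply above describes: is the client-to-server flow on TCP 443 seen in both directions on the server-side interface? The sample capture lines and the verdict names are constructed for this example.

```python
import re

# One line of FTD/ASA 'show capture <name>' output (tcpdump-like), e.g.
#   2: 10:01:02.124000 10.60.76.31.443 > 192.168.1.163.51234: S 2000:2000(0) ack 1001 win 29200
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+(?P<flags>\S+)(?P<rest>.*)$"
)

def parse_capture(text):
    """Return one dict per packet line; header/footer lines ('N packets captured') are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
            p["syn"] = p["flags"].startswith("S")
            p["rst"] = p["flags"].startswith("R")
            p["ack"] = "ack" in p["rest"].split()   # 'ack N' field, not 'sackOK'
            pkts.append(p)
    return pkts

def diagnose(text, client, server, port=443):
    """Classify what a capture on the server-side interface shows for client -> server:port.
    Returns (verdict, packets_to_server, packets_from_server)."""
    pkts = parse_capture(text)
    to_srv = [p for p in pkts if p["src"] == client and p["dst"] == server and p["dport"] == port]
    from_srv = [p for p in pkts if p["src"] == server and p["dst"] == client and p["sport"] == port]
    if not to_srv:
        return "NO_CLIENT_TRAFFIC", 0, len(from_srv)   # never reached this interface: tunnel, routing or an earlier drop
    if not from_srv:
        return "NO_SERVER_REPLY", len(to_srv), 0       # SYN forwarded, nothing back: server, host firewall, return route
    if any(p["rst"] for p in from_srv):
        return "SERVER_RESET", len(to_srv), len(from_srv)   # service refused the connection
    if any(p["syn"] and p["ack"] for p in from_srv):
        return "BIDIRECTIONAL", len(to_srv), len(from_srv)  # L3/L4 is fine here; look at Snort/debug or TLS
    return "PARTIAL", len(to_srv), len(from_srv)            # replies without a SYN-ACK: inspect by hand

# Constructed sample: a completed handshake between the thread's client and the FMC web UI.
SAMPLE = """3 packets captured
   1: 10:01:02.123456 192.168.1.163.51234 > 10.60.76.31.443: S 1000:1000(0) win 8192 <mss 1380,nop,nop,sackOK>
   2: 10:01:02.124000 10.60.76.31.443 > 192.168.1.163.51234: S 2000:2000(0) ack 1001 win 29200 <mss 1380>
   3: 10:01:02.126000 192.168.1.163.51234 > 10.60.76.31.443: . ack 2001 win 8192
3 packets shown"""

# Constructed sample: the client retransmits its SYN and the server never answers.
SAMPLE_NO_REPLY = """   1: 10:02:00.000000 192.168.1.163.51240 > 10.60.76.31.443: S 3000:3000(0) win 8192 <mss 1380>
   2: 10:02:03.000000 192.168.1.163.51240 > 10.60.76.31.443: S 3000:3000(0) win 8192 <mss 1380>"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, "192.168.1.163", "10.60.76.31"))           # ('BIDIRECTIONAL', 2, 1)
    print(diagnose(SAMPLE_NO_REPLY, "192.168.1.163", "10.60.76.31"))  # ('NO_SERVER_REPLY', 2, 0)
```

Paste the output of 'show capture cap1' into the text argument; a BIDIRECTIONAL verdict is the situation this thread ends up in, where the capture is clean and the answer lies in the access control policy rather than at the packet level.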
04-26-2018 10:13 PM
Hi
I issued 'system support firewall-engine-debug' with server IP 10.60.76.31 and client IP 192.168.1.163, leaving the protocol blank. I also ran 'system support diagnostic-cli' with 'capture cap1 interface Internal match ip host 10.60.76.31 host 192.168.1.163'. I am still not able to find out where the issue is; the page still does not load on the client machine 192.168.1.163.
Thanks
04-26-2018 11:25 PM
In the packet capture we see traffic flowing in both directions, and nothing in the debug indicates a drop on the FTD either.
What is the URL you are trying to access the website with?
Are you able to access this URL from a PC on the same subnet as the webserver?
What device is used to terminate the VPN at the remote site?
04-26-2018 11:49 PM
Hi
What is the URL you are trying to access the website with?
I'm using the IP address "https://10.60.76.31", which is a Cisco FMC, in the browser (IE, Chrome).
Are you able to access this URL from a PC on the same subnet as the webserver?
I have no issue accessing the Cisco FMC "10.60.76.31" from the server "10.60.76.28".
What device is used to terminate the VPN at the remote site?
It is a WatchGuard M200.
Thank you
04-26-2018 11:59 PM
Hi
I changed the Default Action in Access Control from 'Access Control: Block All Traffic' to 'Intrusion Prevention: Connectivity Over Security'. After the change, the secure web page https://10.60.76.31 can be loaded on the client machine 192.168.1.163. How do I check from here what is needed if I want to use 'Access Control: Block All Traffic' as the default action?