Cisco ASA and Firepower IPSec tunnel

zeljkosan
Level 1

Hello team,

I have one smaller issue (at least I think so) in an IPSec tunnel between an ASA 5585 (9.12(4)67) and a Firepower 2110 (I do not know the version, but it is 7.0.0+).

So the tunnel is up, and the first phase is OK. But we get constant complaints about traffic between two hosts.

Two hosts on our side (for easier explanation, IPs 10.77.77.101/102) communicate with the 192.168.77.77 address on the other side.

In the access list, permission is between exactly these addresses (IP to IP): 10.77.77.101 - 192.168.77.77, 10.77.77.102 - 192.168.77.77.

But if we do not initiate the session from our side, their side cannot reach our side, and after we, for example, PING their host, everything works.

So they complain that our host is rejecting their host. Can that be the problem?

Other networks between them and us are working fine.

My thing was to ask them:

- to make a traceroute in two scenarios, working and non-working networks, and see if they have the same path

- they say that their host is in some kind of cloud (maybe it is behind some load balancer or something else) - they made a workaround: put our IP address in the hosts file, and it works

- capture traffic when they send from their host. For example, on my side, I send a ping from a PC, and with the command "show crypto ipsec sa peer" I check on the ASA if I have encaps/decaps between the two addresses. I do not know what the CLI or GUI command is for the Firepower 2110 - can you assist with the command on the FPR?

Generally any ideas would help.

Thanks

9 Replies

What IKE version do you use?

MHM

@zeljkosan you said "But if we do not initiate session from our side, their side cannot reach our side, and after we for example PING their host everything works out."

Is your side set to initiate/originate the tunnel only, or is their side set to answer only? Get the peer to check their configuration, and from your FTD check you are set to bidirectional: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/vpn-s2s.html

From the FTD go to the diagnostic CLI and run "show crypto ipsec sa" - from there you can check the encap/decap counters. There are no VPN stats in the FMC GUI on version 7.0.0; this was introduced in either 7.3 or 7.4.
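Both the original post and the reply above come down to the same check: read "show crypto ipsec sa" on the ASA or FTD and compare the encaps and decaps counters per host pair. As an added example (not code from this thread or from Cisco), the script below parses a constructed snippet in the ASA/FTD output format and reports, per SA, whether the counters show idle, one-way or bidirectional traffic; the host IPs follow the thread, while the peer and local addresses, counters and crypto map name are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of ASA/FTD "show crypto ipsec sa" output (not from a real device).
SAMPLE_OUTPUT = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (10.77.77.101/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.77.77/255.255.255.255/0/0)
      current_peer: 198.51.100.20
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (10.77.77.102/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.77.77/255.255.255.255/0/0)
      current_peer: 198.51.100.20
      #pkts encaps: 250, #pkts encrypt: 250, #pkts digest: 250
      #pkts decaps: 248, #pkts decrypt: 248, #pkts verify: 248
"""

@dataclass
class SaStats:
    local: str
    remote: str
    peer: str
    encaps: int  # packets this box encrypted and sent into the tunnel
    decaps: int  # packets this box received from the tunnel and decrypted

    def verdict(self) -> str:
        if self.encaps == 0 and self.decaps == 0:
            return "idle: nothing matched this SA in either direction"
        if self.decaps == 0:
            return "one-way: we send but nothing comes back"
        if self.encaps == 0:
            return "one-way: we receive but never send"
        return "bidirectional"

def _field(pattern: str, chunk: str) -> str:
    m = re.search(pattern, chunk)
    if m is None:  # fail loudly rather than report a wrong counter
        raise ValueError(f"field {pattern!r} missing from SA block")
    return m.group(1)

def parse_ipsec_sa(text: str) -> "list[SaStats]":
    # One SaStats per SA block, keyed on its "local ident" line; the header before the first is dropped.
    chunks = re.split(r"(?=local ident )", text)[1:]
    return [SaStats(local=_field(r"local ident .*?: \((\S+?)/", c),
                    remote=_field(r"remote ident .*?: \((\S+?)/", c),
                    peer=_field(r"current_peer: (\S+)", c),
                    encaps=int(_field(r"#pkts encaps: (\d+)", c)),
                    decaps=int(_field(r"#pkts decaps: (\d+)", c))) for c in chunks]
```

Run it against real output by pasting the command output into SAMPLE_OUTPUT or reading it from a file; a pair that stays at encaps 0 / decaps 0 until you ping from your side matches the symptom described in the thread.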

zeljkosan
Level 1

Hello,

crypto ikev2 policy 7
encryption aes-256 aes
integrity sha256 sha
prf sha256 sha
lifetime seconds 86400

Our side is an ASA 5585, and on their side a Firepower 2110 with FTD. Generally, I have the issue that they constantly complain that the problem is on our side (ASA 5585).

So it is IKEv2.
Try using EEM or IP SLA from any device behind the ASA to always have traffic to send via the tunnel.

MHM

@zeljkosan as well as my other suggestions above, if the initiator does not have PFS configured, or has a smaller PFS group than the responder, the connection will fail, which could be another reason why one side can bring up the tunnel and the other peer cannot. Check that PFS is configured the same on both peers.

Is your ASA sitting behind a NAT device?

zeljkosan
Level 1

Hello, the ASA is doing NAT, but we have a static public IP.

Rob, I will check with the other side with the Firepower device.

Thanks for confirming this. I thought the external interface of the firewall was sitting behind a NAT device; in that case the issue could potentially have been related to a missing NAT-T port mapping.

zeljkosan
Level 1

Hello team,

unfortunately, I still do not know the config of the other side. We provided them VPN access to devices, so I probably won't get any info about it.

BR, thanks for the help.
