07-14-2021 08:48 AM
Hi Guys,
I noticed that the HIT COUNTS of all OUTSIDE rules are empty. I enabled LOGGING but I can't even see the traffic coming from Outside to Inside.
Outside > IPSEC Tunnel > Inside
Any ideas why?
thanks
07-14-2021 11:46 AM
The issue was the Bypass Access Control policy for decrypted traffic (sysopt permit-vpn). It's disabled by default on the Cisco FDM, but enabled by default on the Cisco FMC.
07-14-2021 08:54 AM
Has the VPN been established? Run the command "show crypto ipsec sa" from the CLI of the FTD and check the encaps and decaps counters are increasing.
If the counters are not increasing, do you have a NAT exemption rule that ensures traffic destined over the VPN is not unintentionally translated?
Please provide a screenshot of your Access Control policies related to the VPN access.
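A small check for the counter comparison Rob describes, added here as an example and not part of the thread: it parses two captures of `show crypto ipsec sa` (the sample text below is constructed to follow the FTD/ASA output layout) and reports per peer whether the encaps and decaps counters advanced between the captures. The function names are my own.

```python
"""Compare encaps/decaps counters from two 'show crypto ipsec sa' captures.
Added example, not from the thread. Sample output is constructed to mimic the
FTD/ASA layout ('#pkts encaps: N, ...' / '#pkts decaps: N, ...')."""
import re
from typing import Dict, Tuple

# Constructed sample captures (not taken from the thread).
SAMPLE_BEFORE = """\
interface: outside
    Crypto map tag: CSM_outside_map, seq num: 1, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1150, #pkts decrypt: 1150, #pkts verify: 1150
"""
# Second capture a little later: both counters have moved.
SAMPLE_AFTER = (SAMPLE_BEFORE.replace("encaps: 1200", "encaps: 1340")
                             .replace("decaps: 1150", "decaps: 1290"))

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")


def parse_sa_counters(output: str) -> Dict[str, Dict[str, int]]:
    """Return {peer: {'encaps': N, 'decaps': N}} for each SA block in the output."""
    result: Dict[str, Dict[str, int]] = {}
    peer = None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:                       # a new SA block starts at its peer line
            peer = m.group(1)
            result[peer] = {}
            continue
        m = COUNTER_RE.search(line)
        if m and peer is not None:
            result[peer][m.group(1)] = int(m.group(2))
    return result


def tunnel_passing_traffic(before: str, after: str) -> Dict[str, Tuple[bool, bool]]:
    """Per peer, report (encaps_advanced, decaps_advanced).
    (False, False) means the SA exists but nothing was encrypted or decrypted
    between the captures, which is when the NAT exemption rule should be checked."""
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    return {p: (a[p].get("encaps", 0) > b[p].get("encaps", 0),
                a[p].get("decaps", 0) > b[p].get("decaps", 0))
            for p in a if p in b}
```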
07-14-2021 09:49 AM
Hi Rob,
The VPN is established and working fine. The only issue is that I can't see any hits from Outside to Inside. I can't even see the VPN traffic from Outside to Inside.
I have NAT from INSIDE to OUTSIDE on both ends.