Solved: FMC displays working IKEv2 tunnel DOWN

swscco001 · ‎12-13-2023

Hello everybody,

our customer is using FMCv 7.2.5.1 and (two) Firepower 1120 (7.0.0.1)
for their S2S tunnels (see screen dump).

We changed a IKEv1 to IKEv2 tunnel (peer-IP 217.6.229.234).

In the VPN > Site To Site overview this working tunnel was displayed as
DOWN (see screen dump).

In the VPN > Site To Site Monitoring the tunnel is correctly displayed
as UP witn active sessions (see screen dump).

In the VPN > Site To Site there is no error message for this tunnel
(see screen dump).

What is the reason for this wrong indication in the Site To Site overview.
The customer feels unsave at such indication because there is a hospital
connected.

This seems to be a general issue becasue other working tunnels were
indicated ar orange.

Thanks a lot for every hint.

Bye
Rene

Marvin Rhoads · ‎11-01-2024

The deploy had to affect the S2S VPN that is giving issues.

I checked the TAC case notes. We hit one of these bugs, the work-around in the first one fixed the issue:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf01954

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd61082

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf86519

View solution in original post

MHM Cisco World · ‎12-13-2023

Can I see exactly the error message

MHM

MHM Cisco World · ‎12-13-2023

I dont see issue'

You meaning SA delete issue?

It s2s ikev2 so there is child sa which add or remove.

Check this point' access to ftd and see sa use currently for specific subnet' if there is no sa then there is issue if there is new child sa then it normal.

MHM

swscco001 · ‎12-16-2023

Hi MHM,

it's weired for the customer to see orange and red IKEv1- and IKEv2-tunnels even is the partners can
communicate over these tunnels without problems and the site-to-site monitoring displays green
operation status.

Is there a document how to troubleshoot such issues?

Thanks a lot!

Bye
R.

MHM Cisco World · ‎12-17-2023

Hi
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-s2s.html

the only point left is under the Tunnel status Distribution do you config VPN using ISP backup or not ?
MHM

swscco001 · ‎01-02-2024

Hi MHM,

I wish you a Happy New Year!

We did not configure a ISP backup for the tunnels.

In der given link I did read the following:

Tunnel Status Table—A table listing the site to site VPNs configured using the FMC
Tunnel Status Distribution Chart—Aggregated status of the tunnels in a donut graph.

It is misleading if functioning tunnels are displayed in orange or red (DOWN) under
"Tunnel Status Distribution".

The customer asked: What is the difference between the VPN > Site To Site "Tunnel Status Distribution"
and the VPN > Site To Site Monitoring "Status"?

Thanks a lot!

R.

MHM Cisco World · ‎01-03-2024

thanks alot
Happy new year friend

regarding tunnel issue can I see the config of tunnel
MHM

Marvin Rhoads · ‎01-02-2024

I have seen some inconsistent displays myself on a customer's FMC 7.4.1 - tunnel status shows no active data while VPN is up and passing data.

I've opened a TAC case just today and am waiting for the engineer to provide assistance.

swscco001 · ‎01-11-2024

Hi Marvin,

a Happy New Year for you!

Seems that this is a cosmetic bug of several FMC releases.

Do you already have any reply from the TAC?

Thanks a lot!

Bye
R.

Marvin Rhoads · ‎01-15-2024

My TAC case has been referred to the developers. The TAC engineer had initially thought a resolved bug related to the old VPN monitoring page might apply but it did not. So at this point we are waiting on the developers to reply.

Danny Dulin · ‎10-31-2024

Hi Marvin.

Did you ever get a resolution to this? I just upgraded FMC to 7.2.9 and experiencing the same issue. Traffic is passing without issue, but FMC shows Tunnel Inactive.

Marvin Rhoads · ‎11-01-2024

@Danny Dulin There ended up being a couple of issues. One was to make sure that the Health Monitoring policy for VPN is enabled. (System > Health Policy > Edit > VPN > VPN Statistics) This is a newer option that may get deselected across an upgrade.

Danny Dulin · ‎11-01-2024

Thanks Marvin, but that wasn't the issue.

Marvin Rhoads · ‎11-01-2024

One other thing the TAC advised trying was to make a minor change in the VPN topology (e.g. add a character to the topology name) - just enough to trigger an pending deployment. Then deploy the change to "force" the endpoint(s) to start sending the requisite logs.

Danny Dulin · ‎11-01-2024

Thank you.

Was your tunnels working despite the GUI show otherwise?