cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1674
Views
8
Helpful
20
Replies

FMC displays working IKEv2 tunnel DOWN

swscco001
Level 3
Level 3

Hello everybody,

our customer is using FMCv 7.2.5.1 and (two) Firepower 1120 (7.0.0.1)
for their S2S tunnels (see screen dump).

We changed a IKEv1 to IKEv2 tunnel (peer-IP 217.6.229.234).

In the VPN > Site To Site overview this working tunnel was displayed as
DOWN (see screen dump).

In the VPN > Site To Site Monitoring the tunnel is correctly displayed
as UP witn active sessions (see screen dump).

In the VPN > Site To Site there is no error message for this tunnel
(see screen dump).

What is the reason for this wrong indication in the Site To Site overview.
The customer feels unsave at such indication because there is a hospital
connected.

This seems to be a general issue becasue other working tunnels were
indicated ar orange.

Thanks a lot for every hint.



Bye
Rene

1 Accepted Solution

Accepted Solutions

The deploy had to affect the S2S VPN that is giving issues.

I checked the TAC case notes. We hit one of these bugs, the work-around in the first one fixed the issue:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf01954

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwd61082

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf86519

 

View solution in original post

20 Replies 20

Can I see exactly the error message 

MHM

I dont see issue'

You meaning SA delete issue?

It s2s ikev2 so there is child sa which add or remove.

Check this point' access to ftd and see sa use currently for specific subnet' if there is no sa then there is issue if there is new child sa then it normal.

MHM

Hi MHM,

it's weired for the customer to see orange and red IKEv1- and IKEv2-tunnels even is the partners can
communicate over these tunnels without problems and the site-to-site monitoring displays green
operation status.

Is there a document how to troubleshoot such issues?

Thanks a lot!



Bye
R.

Hi
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/vpn-s2s.html

the only point left is under the Tunnel status Distribution do you config VPN using ISP backup or not ?
MHM

1 (1).jpg

1.jpg

Hi MHM,

I wish you a Happy New Year!

We did not configure a ISP backup for the tunnels.

In der given link I did read the following:

  • Tunnel Status Table—A table listing the site to site VPNs configured using the FMC

  • Tunnel Status Distribution Chart—Aggregated status of the tunnels in a donut graph.

 


It is misleading if functioning tunnels are displayed in orange or red (DOWN) under
"Tunnel Status Distribution".

The customer asked: What is the difference between the VPN > Site To Site "Tunnel Status Distribution"
and the VPN > Site To Site Monitoring "Status"?

Thanks a lot!



R.

 

thanks alot
Happy new  year friend 

regarding tunnel issue can I see the config of tunnel 
MHM 

I have seen some inconsistent displays myself on a customer's FMC 7.4.1 - tunnel status shows no active data while VPN is up and passing data.

I've opened a TAC case just today and am waiting for the engineer to provide assistance.

Hi Marvin,

a Happy New Year for you!

Seems that this is a cosmetic bug of several FMC releases.

Do you already have any reply from the TAC?

Thanks a lot!



Bye
R.

My TAC case has been referred to the developers. The TAC engineer had initially thought a resolved bug related to the old VPN monitoring page might apply but it did not. So at this point we are waiting on the developers to reply.

Hi Marvin.

Did you ever get a resolution to this? I just upgraded FMC to 7.2.9 and experiencing the same issue. Traffic is passing without issue, but FMC shows Tunnel Inactive.

@Danny Dulin  There ended up being a couple of issues. One was to make sure that the Health Monitoring policy for VPN is enabled. (System > Health Policy > Edit > VPN > VPN Statistics) This is a newer option that may get deselected across an upgrade.

Thanks Marvin, but that wasn't the issue.

One other thing the TAC advised trying was to make a minor change in the VPN topology (e.g. add a character to the topology name) - just enough to trigger an pending deployment. Then deploy the change to "force" the endpoint(s) to start sending the requisite logs.

Thank you.

Was your tunnels working despite the GUI show otherwise?

Review Cisco Networking for a $25 gift card