cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
314
Views
55
Helpful
16
Replies

FMC/FTD VPN issue

benolyndav
Enthusiast
Enthusiast

Hi

Got x2 2100 FTD's managed by same FMC and got the VPN up between the two but oneside has no decaps any ideas, ? there is no NAT configured do I need it as some docs suggest because it was working before one FTD got replaced due to failure with no NAT?

 

Thanks

1 Accepted Solution

Accepted Solutions

Yes you tottaly right change order of vpn can be workaround for your case.

And you are so welcome.

View solution in original post

16 Replies 16

MHM Cisco World
Advisor
Advisor

Hi

The traffic isnt matching any other NAT rule 

do you have NAT overload for local LAN ??

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@benolyndav is routing setup correctly from the local switch, to route traffic via the FTD and over the VPN?

Can you provide the output of "show crypto ipsec sa" from both sides, just so we can confirm.

You'd only need a NAT exemption rule if you had dynamic PAT/NAT setup, which would unintentially translate the VPN traffic. Sounds like you don't need a NAT rule.

 

show crypto ipsec sa peer 81.0.89.50

peer address: 81.0.89.50

    Crypto map tag: CSM_INTERNET_map, seq num: 4, local addr: 81.136.195.226

 

      access-list CSM_IPSEC_ACL_4 extended permit ip host 192.168.99.200 host 172.16.99.200

      local ident (addr/mask/prot/port): (192.168.99.200/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (172.16.99.200/255.255.255.255/0/0)

      current_peer: 81.0.89.50

 

 

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 281, #pkts decrypt: 281, #pkts verify: 281

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

 

      local crypto endpt.: 81.136.195.226/500, remote crypto endpt.: 81.0.89.50/500

      path mtu 1500, ipsec overhead 94(44), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: BF622F97

      current inbound spi : C8AD9DB1

 

    inbound esp sas:

      spi: 0xC8AD9DB1 (3366821297)

         SA State: active

         transform: esp-aes-256 esp-sha-512-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

         slot: 0, conn_id: 37362, crypto-map: CSM_INTERNET_map

         sa timing: remaining key lifetime (kB/sec): (3916785/17727)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0xBF622F97 (3210882967)

         SA State: active

         transform: esp-aes-256 esp-sha-512-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

         slot: 0, conn_id: 37362, crypto-map: CSM_INTERNET_map

         sa timing: remaining key lifetime (kB/sec): (4147200/17727)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

show crypto ipsec sa peer 81.136.195.226

peer address: 81.136.195.226

    Crypto map tag: CSM_INTERNET_map, seq num: 1, local addr: 81.0.89.50

 

      access-list CSM_IPSEC_ACL_1 extended permit ip host 172.16.99.200 host 192.168.99.200

      local ident (addr/mask/prot/port): (172.16.99.200/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (192.168.99.200/255.255.255.255/0/0)

      current_peer: 81.136.195.226

 

 

      #pkts encaps: 281, #pkts encrypt: 281, #pkts digest: 281

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 281, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

 

      local crypto endpt.: 81.0.89.50/500, remote crypto endpt.: 81.136.195.226/500

      path mtu 1500, ipsec overhead 94(44), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: C8AD9DB1

      current inbound spi : BF622F97

 

    inbound esp sas:

      spi: 0xBF622F97 (3210882967)

         SA State: active

         transform: esp-aes-256 esp-sha-512-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

         slot: 0, conn_id: 28134, crypto-map: CSM_INTERNET_map

         sa timing: remaining key lifetime (kB/sec): (4101120/17542)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0xC8AD9DB1 (3366821297)

         SA State: active

         transform: esp-aes-256 esp-sha-512-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

         slot: 0, conn_id: 28134, crypto-map: CSM_INTERNET_map

         sa timing: remaining key lifetime (kB/sec): (4147185/17542)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

@benolyndav What's the topology, is the FTD the default gateway for all traffic? Do you have multiple WAN interfaces?

Run packet-tracer from the CLI to simulate traffic from 192.168.99.200 to 172.16.99.200, provide the output for review.

I assumed you meant there is no other NAT rules, if there are then you'd probably need a NAT exemption rule to ensure traffic between the VPN host/network is not unintentially translated.

Hi

The FTD is split into sveral sub-interfaces at both sides, the server is .200 and thhe GW for the server is .1 there is a route pointing out the internet interface to the server on each side, we nevr had any nat in place for this traffic and also why is one sides traffic recived at the other side but not vice versa? nat rules routes are all the same both sides

Thanks

CSM_INTERNET_map, seq num: 4 <<- seq num 4, so there are multi IPsec L2L, can you double check ACL for each L2L

Hi

Yes I have checked the ACL's and there is an ACL above which allows the .200 address to any across a different L2L is it possible the traffic is matching on that ACL, ??

and do you agree no NAT rule required as we never had one previously for this.??

Thanks

Yes I have checked the ACL's and there is an ACL above which allows the .200 address to any across a different L2L is it possible the traffic is matching on that ACL, ?? Yes 

and do you agree no NAT rule required as we never had one previously for this.?? let change ACL from any to remote LAN then see if we need NAT or not.

Hi

I removed the server from the group which was matching on the ACL above and all looks good now seeing encaps/dcaps, I'm thinking the only way to fix permanently is to delete both vpns but recreate the latter one first so the acl is above and not below the any ipv4 it was matching ? 

Thanks for the ACL tip i had checked earlier but wasnt thorough enough.

Yes you tottaly right change order of vpn can be workaround for your case.

And you are so welcome.

@benolyndav the problem that may occur is if the other tunnel with the overlapping networks is established first (before this tunnel you are troubleshooting), then this probably may occur again.

Hi Rob

Yes absolutely I made sure the first tunnel had established before I configured the second

Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: