Solved: Re: FMC/FTD VPN issue

benolyndav · ‎11-24-2022

Hi

Got x2 2100 FTD's managed by same FMC and got the VPN up between the two but oneside has no decaps any ideas, ? there is no NAT configured do I need it as some docs suggest because it was working before one FTD got replaced due to failure with no NAT?

Thanks

MHM Cisco World · ‎11-24-2022

Yes you tottaly right change order of vpn can be workaround for your case.

And you are so welcome.

View solution in original post

MHM Cisco World · ‎11-24-2022

you need NAT exemption not NAT traffic.
so sure you need to deal with NAT

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/215875-configure-anyconnect-vpn-client-on-ftd.html

benolyndav · ‎11-24-2022

Hi

The traffic isnt matching any other NAT rule

MHM Cisco World · ‎11-24-2022

do you have NAT overload for local LAN ??

Rob Ingram · ‎11-24-2022

@benolyndav is routing setup correctly from the local switch, to route traffic via the FTD and over the VPN?

Can you provide the output of "show crypto ipsec sa" from both sides, just so we can confirm.

You'd only need a NAT exemption rule if you had dynamic PAT/NAT setup, which would unintentially translate the VPN traffic. Sounds like you don't need a NAT rule.

benolyndav · ‎11-24-2022

show crypto ipsec sa peer 81.0.89.50

peer address: 81.0.89.50

Crypto map tag: CSM_INTERNET_map, seq num: 4, local addr: 81.136.195.226

access-list CSM_IPSEC_ACL_4 extended permit ip host 192.168.99.200 host 172.16.99.200

local ident (addr/mask/prot/port): (192.168.99.200/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (172.16.99.200/255.255.255.255/0/0)

current_peer: 81.0.89.50

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 281, #pkts decrypt: 281, #pkts verify: 281

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 81.136.195.226/500, remote crypto endpt.: 81.0.89.50/500

path mtu 1500, ipsec overhead 94(44), media mtu 1500

PMTU time remaining (sec): 0, DF policy: copy-df

ICMP error validation: disabled, TFC packets: disabled

current outbound spi: BF622F97

current inbound spi : C8AD9DB1

inbound esp sas:

spi: 0xC8AD9DB1 (3366821297)

SA State: active

transform: esp-aes-256 esp-sha-512-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

slot: 0, conn_id: 37362, crypto-map: CSM_INTERNET_map

sa timing: remaining key lifetime (kB/sec): (3916785/17727)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0xBF622F97 (3210882967)

SA State: active

transform: esp-aes-256 esp-sha-512-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

slot: 0, conn_id: 37362, crypto-map: CSM_INTERNET_map

sa timing: remaining key lifetime (kB/sec): (4147200/17727)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

show crypto ipsec sa peer 81.136.195.226

peer address: 81.136.195.226

Crypto map tag: CSM_INTERNET_map, seq num: 1, local addr: 81.0.89.50

access-list CSM_IPSEC_ACL_1 extended permit ip host 172.16.99.200 host 192.168.99.200

local ident (addr/mask/prot/port): (172.16.99.200/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.168.99.200/255.255.255.255/0/0)

current_peer: 81.136.195.226

#pkts encaps: 281, #pkts encrypt: 281, #pkts digest: 281

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 281, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 81.0.89.50/500, remote crypto endpt.: 81.136.195.226/500

path mtu 1500, ipsec overhead 94(44), media mtu 1500

PMTU time remaining (sec): 0, DF policy: copy-df

ICMP error validation: disabled, TFC packets: disabled

current outbound spi: C8AD9DB1

current inbound spi : BF622F97

inbound esp sas:

spi: 0xBF622F97 (3210882967)

SA State: active

transform: esp-aes-256 esp-sha-512-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

slot: 0, conn_id: 28134, crypto-map: CSM_INTERNET_map

sa timing: remaining key lifetime (kB/sec): (4101120/17542)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

outbound esp sas:

spi: 0xC8AD9DB1 (3366821297)

SA State: active

transform: esp-aes-256 esp-sha-512-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 21, IKEv2, }

slot: 0, conn_id: 28134, crypto-map: CSM_INTERNET_map

sa timing: remaining key lifetime (kB/sec): (4147185/17542)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

Rob Ingram · ‎11-24-2022

@benolyndav What's the topology, is the FTD the default gateway for all traffic? Do you have multiple WAN interfaces?

Run packet-tracer from the CLI to simulate traffic from 192.168.99.200 to 172.16.99.200, provide the output for review.

I assumed you meant there is no other NAT rules, if there are then you'd probably need a NAT exemption rule to ensure traffic between the VPN host/network is not unintentially translated.

benolyndav · ‎11-24-2022

Hi

The FTD is split into sveral sub-interfaces at both sides, the server is .200 and thhe GW for the server is .1 there is a route pointing out the internet interface to the server on each side, we nevr had any nat in place for this traffic and also why is one sides traffic recived at the other side but not vice versa? nat rules routes are all the same both sides

Thanks

MHM Cisco World · ‎11-24-2022

CSM_INTERNET_map, seq num: 4 <<- seq num 4, so there are multi IPsec L2L, can you double check ACL for each L2L

benolyndav · ‎11-24-2022

Hi

Yes I have checked the ACL's and there is an ACL above which allows the .200 address to any across a different L2L is it possible the traffic is matching on that ACL, ??

and do you agree no NAT rule required as we never had one previously for this.??

Thanks

MHM Cisco World · ‎11-24-2022

Yes I have checked the ACL's and there is an ACL above which allows the .200 address to any across a different L2L is it possible the traffic is matching on that ACL, ?? Yes

and do you agree no NAT rule required as we never had one previously for this.?? let change ACL from any to remote LAN then see if we need NAT or not.

benolyndav · ‎11-24-2022

Hi

I removed the server from the group which was matching on the ACL above and all looks good now seeing encaps/dcaps, I'm thinking the only way to fix permanently is to delete both vpns but recreate the latter one first so the acl is above and not below the any ipv4 it was matching ?

Thanks for the ACL tip i had checked earlier but wasnt thorough enough.

MHM Cisco World · ‎11-24-2022

Yes you tottaly right change order of vpn can be workaround for your case.

And you are so welcome.

Rob Ingram · ‎11-24-2022

@benolyndav the problem that may occur is if the other tunnel with the overlapping networks is established first (before this tunnel you are troubleshooting), then this probably may occur again.

benolyndav · ‎11-24-2022

Hi Rob

Yes absolutely I made sure the first tunnel had established before I configured the second

Thanks