04-13-2022 03:41 AM
Hi
If the other end of the VPN isn't allowing an IP address, could it cause the drop below? I ran a packet-tracer and it says VPN drop. The rule for our IP address is identical to existing VPNs, and I'm scratching my head:
so do both peers have to match, or is the packet-tracer just a local test?
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Thanks
04-13-2022 03:45 AM
@benolyndav if your end allows the traffic, I would have expected packet-tracer to permit and not drop.
What was the rest of the packet-tracer output? If you provide the configuration we can probably work it out.
04-13-2022 04:04 AM
Hi Rob
Any idea on the below? This traffic is in a pre-filter.
Action drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad554694 flow (need-ike)/snp_sp_action_cb:1575
04-13-2022 04:08 AM
@benolyndav can you send me a PM with the full output so I can get a better understanding?
04-13-2022 04:32 AM
Sent Rob
04-13-2022 02:32 PM
Hi,
Not sure if this will help, but when running a packet-tracer to check a VPN, you'll need to run the packet-tracer twice. The first time it always comes up with a Drop, but if you run it again, and the VPN has the correct SA etc. on both sides, then the packet-tracer will show an Allow. You'll even see 1 encrypted packet in the show crypto ipsec sa for that VPN. If the VPN is not configured correctly on either side, then the VPN won't pop up anyway and the packet-tracer will show a Drop, as the SA won't be able to stand up.
Cheers.
04-14-2022 03:18 AM
Hi
Thanks for this. Is this documented anywhere?
04-16-2022 08:02 PM
Not that I'm aware of; just my experience with the many different customers I look after. I haven't looked for a document, so it's possible that it could be documented somewhere.
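To tell the first-run "need-ike" drop described above apart from a genuine ACL drop when checking packet-tracer output in bulk, here is an added example (not code from the thread or from Cisco) that parses the phase blocks and the final Action/Drop-reason lines; the two sample outputs are constructed, modelled on the excerpts quoted in the thread.

```python
import re

# Constructed ASA/FTD packet-tracer excerpts (not captured from a real device).
# First run: the VPN phase drops with need-ike because no IKE/IPsec SA exists yet.
FIRST_RUN = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aaad554694 flow (need-ike)/snp_sp_action_cb:1575
"""
# Second run, after the first one triggered IKE and the SA came up.
SECOND_RUN = """\
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW

Result:
Action: allow
"""

PHASE_RE = re.compile(
    r"Phase:[ \t]*(\d+)\nType:[ \t]*([^\n]*)\nSubtype:[ \t]*([^\n]*)\nResult:[ \t]*(\w+)"
)

def parse_phases(output):
    """Return each packet-tracer phase as a dict of its four header fields."""
    return [{"phase": int(n), "type": t.strip(), "subtype": s.strip(), "result": r}
            for n, t, s, r in PHASE_RE.findall(output)]

def classify(output):
    """'allow', 'need-ike' (VPN phase dropped only because no SA was up: rerun and
    check the encaps counter in 'show crypto ipsec sa') or 'drop' (a real policy drop)."""
    phases = parse_phases(output)
    action = re.search(r"^Action:[ \t]*(\w+)", output, re.M)
    reason = re.search(r"^Drop-reason:[ \t]*(.*)$", output, re.M)
    if action and action.group(1).lower() == "allow":
        return "allow"
    vpn_drop = any(p["type"] == "VPN" and p["result"] == "DROP" for p in phases)
    if vpn_drop and reason and "need-ike" in reason.group(1):
        return "need-ike"
    return "drop"
```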