FTD 7.3.x <-> Azure VPN , tips ? tunnel up, no traffic...

Eddie in.Mass
Level 1

good day, in-between TAC support renewal so can't open a case on this , so figured i'd ask of The Community

are there any add'l steps for Azure Gateway-side for traffic-flow thru FTD-based s2s ikev2 tunnel ?

got the Tunnel 'up' but no traffic .... 

have seen some few articles commenting on the azure powershell commands needing to get applied in THAT side of the fence.

checking if any recent Azure gateway <-> FTD (via fmc) implementations done successfully recently?

thanks for any feedback / links

Eddie

9 Replies

Tunnel up, that's excellent.

No traffic? Mostly you need NAT exempt (no-NAT).

And check that you selected bypass ACP, or run an ACP that allows traffic from IN to OUT and OUT to IN.

MHM

As others mention, do you use IKEv2 policy-based or route-based VPN?

MHM

buffkata
Level 1
Level 1

Also make sure both sides are set for Route based. I have seen this with Azure - manually go over the VPN configuration in Azure and make sure Route based is in use in Azure, or vice versa.

Marvin Rhoads
Hall of Fame

Use route-based (VTI) as noted by @buffkata . That way there's no need to mess with NAT or NAT exemption. If the IKEv2 SA is up with a VTI on the FTD side, check the IPsec SAs for encaps and decaps. There we look for rough parity, as traffic in means traffic should return. If encaps are not incrementing, make sure the traffic is arriving at the firewall (packet capture) and being sent to the tunnel by the config (packet-tracer tool).

Oh - and move to 7.4.2 when you can. 7.3 is a short term release and almost never recommended for use in the long term.

ok, thnx for the feedback. Did a Route-based VTI method, added a Static Route to the Remote-inside (protected) network segments to use the VTI interface. And now not even getting the Tunnel to establish; pings / events aren't showing that traffic trying to go thru the Azure-RB-based policy flow (where it WAS during the Policy-Based method, at least). Thoughts? thnx

Eddie in.Mass
Level 1

It is a POLICY-Based / IKEv2 setup, currently. thnx all.

yeah, def considering the move to 7.4.2, once the TAC contract is back in place and I can get HELP if needed... (as I have the sw already)

Show crypto ipsec sa 

If the AWS selector is 0.0.0.0 and your side selector is x.x.x.x,

then you run policy-based and AWS uses route-based VPN.

MHM
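The two checks the replies above describe (encaps/decaps parity on the IPsec SA, and whether one side's proxy identity is 0.0.0.0 while the other's is a specific subnet) can be scripted against a saved `show crypto ipsec sa` capture. The following is an added example, not code from the thread or from Cisco; the sample output is constructed to resemble the ASA/FTD layout and the addresses, counters and finding codes are invented for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the ASA/FTD "show crypto ipsec sa" layout.
# Not captured from a real device; peers, subnets and counters are invented.
# SA 1: our side offers a specific subnet, the peer an any/any identity,
#       and packets leave but nothing comes back.
# SA 2: a route-based (VTI) SA with any/any on both sides and healthy parity.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: CSM_outside_map, seq num: 1, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 198.51.100.5

      #pkts encaps: 1524, #pkts encrypt: 1524, #pkts digest: 1524
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

interface: vti1
    Crypto map tag: __vti-crypto-map-1-0-1, seq num: 65280, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 198.51.100.9

      #pkts encaps: 880, #pkts encrypt: 880, #pkts digest: 880
      #pkts decaps: 874, #pkts decrypt: 874, #pkts verify: 874
"""

# The any/any proxy identity that a route-based (VTI) SA shows.
ANY_IDENT = ("0.0.0.0", "0.0.0.0")

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


@dataclass
class IpsecSa:
    peer: str
    local_ident: tuple   # (address, mask) of our proxy identity
    remote_ident: tuple  # (address, mask) of the peer's proxy identity
    encaps: int          # packets we encrypted and sent into the tunnel
    decaps: int          # packets received from the tunnel and decrypted


def _build(fields):
    return IpsecSa(peer=fields.get("peer", "unknown"),
                   local_ident=fields["local"], remote_ident=fields["remote"],
                   encaps=int(fields.get("encaps", 0)),
                   decaps=int(fields.get("decaps", 0)))


def parse_ipsec_sas(text):
    """Split the output into per-SA records; each starts at a 'local ident' line."""
    sas, cur = [], {}
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local" and cur:
                sas.append(_build(cur))
                cur = {}
            cur[m.group(1)] = (m.group(2), m.group(3))
            continue
        for key, rx in (("peer", PEER_RE), ("encaps", ENCAPS_RE), ("decaps", DECAPS_RE)):
            m = rx.search(line)
            if m:
                cur[key] = m.group(1)
    if cur:
        sas.append(_build(cur))
    return sas


def diagnose(sa):
    """Return finding codes for one SA, following the checks from the thread."""
    findings = []
    # One side any/any and the other a specific subnet: a route-based peer
    # talking to a policy-based peer, which is the mismatch MHM describes.
    if (sa.local_ident == ANY_IDENT) != (sa.remote_ident == ANY_IDENT):
        findings.append("selector-mismatch")
    # Encaps/decaps parity check from Marvin's reply.
    if sa.encaps > 0 and sa.decaps == 0:
        findings.append("no-return-traffic")     # check peer-side routing / NAT
    elif sa.encaps == 0 and sa.decaps > 0:
        findings.append("no-outbound-traffic")   # check ACP, NAT exemption, route into VTI
    elif sa.encaps == 0 and sa.decaps == 0:
        findings.append("no-traffic")            # packet capture / packet-tracer
    else:
        findings.append("parity")
    return findings


if __name__ == "__main__":
    for sa in parse_ipsec_sas(SAMPLE_OUTPUT):
        print(sa.peer, sa.local_ident, sa.remote_ident,
              sa.encaps, sa.decaps, diagnose(sa))
```

Run it against a real capture by replacing `SAMPLE_OUTPUT` with the saved text; a `selector-mismatch` finding is the quickest confirmation that one side is still policy-based, and the counter findings tell you which direction to chase with packet capture and packet-tracer.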

If you could please share your sanitized configs of both sides for review.
