FTD Connection to Syslog Server across S2S VPN

robo764
Level 1

How do I configure a recently deployed FTD to use a Syslog server that is on the other side of a Site to Site VPN connecting that FTD back to our main office? The other network devices at that location are easily able to reach the syslog server, but the FTD doesn't seem capable of accessing anything across the tunnel. I have FMC managing the FTD via the outside/public interface, but I don't seem to be able to reasonably interact with the remote FTD's inside interface. From the remote network, I am able to ping it without any problem, but I'm unable to ping the FTD's inside interface from our main office network. The Site to Site tunnel seems to be operating perfectly fine, and there's no issue with either side accessing the other (this includes the network devices on the remote network successfully reaching our syslog server). The FTD does not seem to be able to connect to the syslog no matter how I configure it in Platform Settings. Since this seems like a very common thing, I feel like there's probably some very simple step I'm missing/overlooking, but I haven't been able to figure it out.


5 Replies

@robo764 what version of FMC/FTD are you running? From 7.4 you can use a loopback to source Syslogs (amongst other services)

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/roadmap/management-center-new-features-by-release.html


@Rob Ingram I was successful in configuring the Syslog server to source from the Loopback interface, and am receiving the logs as I would expect. However, it doesn't seem to have the ability to use loopback interfaces to send the log buffer to FTP. The errors generated seem to indicate that it's using the outside interface, though I'm not sure if that's the default. In any event, it doesn't recognize loopback interface groups as a valid configuration option. Referencing the page you linked to, above, I see that FTP is not documented as supporting Loopback interfaces. I'm fine if that's the case, I just didn't want to assume it wasn't supported, if I was missing something else. I don't seem to be able to tell it to use the Loopback interface for the "FTP server buffer wrap" portion of the syslog section.

@robo764 even on the latest version 7.7 it seems like you cannot use a loopback as the source interface for FTP. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/interfaces-settings-ifcs-firewall.html#Cisco_Generic_Topic.dita_5df0a52b-88ad-4ed5-9f60-bd97248bc6c8

By default, the egress interface would be the interface that sends the data, perhaps look to include the remote outside interface in your protected networks.
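The two answers above come down to one question: does the FTD's self-originated syslog traffic match the tunnel's protected networks (the crypto ACL) for the source address it actually uses? The following is an added example, not code from the thread or from Cisco, that models just that check offline. Every prefix, address and interface name in it is constructed; it only tests the crypto-ACL match and does not model routing or NAT on the device.

```python
"""Offline check: would an FTD-sourced syslog flow be selected by the
site-to-site VPN's protected networks (crypto ACL)?

Added example with constructed values; not the thread's or Cisco's code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class ProtectedPair:
    """One local/remote prefix pair of the tunnel's protected networks."""
    local: IPv4Network
    remote: IPv4Network


def build_crypto_acl(pairs):
    """Turn [(local_cidr, remote_cidr), ...] into ProtectedPair objects."""
    return [ProtectedPair(ip_network(loc), ip_network(rem)) for loc, rem in pairs]


def matches_crypto_acl(src, dst, acl):
    """Return the first ProtectedPair that covers src->dst, or None if the
    flow would not be selected for the tunnel (i.e. it leaves in the clear
    and is dropped or misrouted at the far side)."""
    s, d = ip_address(src), ip_address(dst)
    for pair in acl:
        if s in pair.local and d in pair.remote:
            return pair
    return None


def check_syslog_sources(candidates, syslog_server, acl):
    """Map each candidate source interface name to 'encrypted' or
    'cleartext' for a flow towards syslog_server."""
    return {
        name: ("encrypted" if matches_crypto_acl(ip, syslog_server, acl) else "cleartext")
        for name, ip in candidates.items()
    }


# Constructed sample topology (hypothetical addresses).
# Branch: inside LAN 10.20.0.0/24, outside 203.0.113.5, loopback 10.255.0.1
# Main office: 10.10.0.0/16, syslog collector 10.10.5.20
SYSLOG_SERVER = "10.10.5.20"
CANDIDATE_SOURCES = {
    "outside": "203.0.113.5",
    "inside": "10.20.0.1",
    "loopback1": "10.255.0.1",
}

# Original tunnel definition: only the branch LAN is protected.
BRANCH_ACL = build_crypto_acl([
    ("10.20.0.0/24", "10.10.0.0/16"),
])

# Same tunnel after adding the loopback as a protected network, which is
# what makes a loopback-sourced syslog flow eligible for encryption.
BRANCH_ACL_WITH_LOOPBACK = build_crypto_acl([
    ("10.20.0.0/24", "10.10.0.0/16"),
    ("10.255.0.1/32", "10.10.0.0/16"),
])


if __name__ == "__main__":
    for label, acl in (("original", BRANCH_ACL), ("with loopback", BRANCH_ACL_WITH_LOOPBACK)):
        print(label, check_syslog_sources(CANDIDATE_SOURCES, SYSLOG_SERVER, acl))
```

Run it against your own prefixes: any source interface that comes back as `cleartext` is one the tunnel will never carry, which is the symptom described in the question when the device sources syslog from an interface outside the protected networks.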

Thanks, again!

robo764
Level 1

That's what I needed!  Thank you so much!  I added the Loopback, adjusted the syslog server, and everything started flowing!
