07-16-2022 04:55 AM - edited 07-16-2022 04:56 AM
I have SiteA FTD (192.168.3.0) in place with 2 S2S tunnels established to SiteB (192.168.1.0) & SiteC (192.168.2.0, FMC network) peers. I am trying to set up AnyConnect on SiteA to use RADIUS in SiteB. When I connect to the SiteA FTD and do show route for the RADIUS network at SiteB, it says network not in table, as shown below. It also says the same for the 192.168.2.0 network, yet I can push policy changes to SiteA from SiteC using FMC, and the S2S VPN is established between all sites and passing traffic. Do I have to manually add routes for these S2S protected networks for the FTD to get to the RADIUS server etc.? Also, I have successfully tested AAA authentication from the firewall at SiteB to the RADIUS server within SiteB.
FTDSITEA# Show route 192.168.1.0
% Network not in table
FTDSITEA# Show route 192.168.2.0
% Network not in table
07-16-2022 05:41 AM
Syntax:
show route [ vrf name | all ] summary [ management-only ] [ cluster | failover | ip_address [ mask ] [ longer-prefixes ] | bgp [ as_number ] | connected | eigrp [ process_id ] | isis | ospf [ process_id ] | rip | static | summary | zone ]
Check the full routing table; you can see that route there.
> show route
07-17-2022 03:34 AM
Show route does not show tunnel routes, as Aref stated below; they won't because they are in the encryption domain. I don't know what the deal is, but running test aaa-server, the FTD in SiteA is not able to connect to the RADIUS server in SiteB. It seems like someone would know how to get this to work, because Cisco doesn't allow for local authentication in 6.6.5 and I can't be the first one to try this.
07-16-2022 09:11 AM
The FTD shows "network not in table" when there is no specific route in the routing table to the destination, so in that case the default route will be used. In other words, "network not in table" means "I don't have a route for that destination, so I'll use my default route 0.0.0.0/0". You don't have to add static routes for the S2S remote subnets, as those will be defined in the encryption domain access lists, and that is enough to get the FTD to send the traffic inside the tunnel. I think the FTD will use its management interface for RADIUS traffic, which means you need to configure the FTD on the RADIUS server with its management interface IP as a client.
07-17-2022 07:57 AM - edited 07-17-2022 07:58 AM
I have little experience in FTD, but I think it is the same principle as ASA.
Now I will give you some notes; you can follow them and find the solution here.
First we will divide the network into two parts:
FTD1-FTD2: checking the RADIUS connectivity. RADIUS is connected to FTD2.
Which interface do you use to connect to RADIUS?
If it is Inside, then the S2S VPN with a policy allowing LAN-FTD1 to LAN-FTD2 is enough and works.
If it is not the Inside interface but the management interface, then
you need to add the management subnet of FTD2 in the ACL of the S2S VPN.
Note: and I think you need to allow management traffic to pass through the S2S VPN.
How do we check the connection? Not from FTD1 to RADIUS in FTD2. Why? Because the FTD may use a different interface that does not hit the ACL of the S2S VPN.
So connect a PC to the inside or management interface and ping from there.
Now, from AnyConnect to RADIUS: this took me weeks to get the idea. There is no direct connection between AnyConnect and RADIUS; the FTD works as a proxy between AnyConnect and RADIUS. It receives the request from AnyConnect and builds a new request to the RADIUS server.
So if we solve the first part, the second part will be easy.
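The mechanics described in the 07-16 09:11 AM reply (no specific route means the default route is used; only traffic matching the encryption domain is tunnelled) and in the 07-17 07:57 AM post (add the management subnet to the crypto ACL when the RADIUS request is sourced from the management interface) can be checked with a small model. This is an added example, not code from the thread or from Cisco. The routing table, the crypto ACL, the management subnet 10.10.10.0/24, the RADIUS host 192.168.1.50 and all helper names are constructed for illustration, and the model ignores the separate management-only routing table an FTD actually keeps.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (not from the thread). Subnets follow the OP's sites:
# SiteA LAN 192.168.3.0/24 behind the FTD, SiteB LAN 192.168.1.0/24 (RADIUS),
# SiteC 192.168.2.0/24 (FMC). The FTD management subnet 10.10.10.0/24 and the
# RADIUS host 192.168.1.50 are assumed values.


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1", "outside"),  # default route
    Route(ipaddress.ip_network("192.168.3.0/24"), "directly connected", "inside"),
    Route(ipaddress.ip_network("10.10.10.0/24"), "directly connected", "management"),
]

# Encryption domain (crypto ACL) of the SiteA<->SiteB tunnel as (local, remote)
# pairs. As the OP has it, only LAN-to-LAN traffic is protected.
CRYPTO_ACL = [
    (ipaddress.ip_network("192.168.3.0/24"), ipaddress.ip_network("192.168.1.0/24")),
]

# The fix suggested in the thread: also protect management-subnet -> SiteB LAN.
FIXED_ACL = CRYPTO_ACL + [
    (ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("192.168.1.0/24")),
]


def lookup(routes, dst):
    """Longest-prefix match over the routing table. The default route
    0.0.0.0/0 matches everything, so forwarding never fails for lack of a route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def show_route(routes, dst):
    """Mimic 'show route <ip>': a hit on nothing more specific than the
    default route prints the error the OP saw, even though traffic still flows."""
    r = lookup(routes, dst)
    if r is None or r.prefix.prefixlen == 0:
        return "% Network not in table"
    return f"{r.prefix} via {r.next_hop}, {r.interface}"


def in_encryption_domain(acl, src, dst):
    """True when the src/dst pair is covered by a crypto ACL entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in acl)


def radius_path(routes, acl, src_ip, radius_ip):
    """What happens to a RADIUS request the FTD itself originates.
    src_ip is the address of the interface the box sources the request from;
    only pairs inside the crypto ACL go into the tunnel, everything else follows
    the plain route lookup (here: out the default route, in the clear)."""
    route = lookup(routes, radius_ip)
    tunnelled = in_encryption_domain(acl, src_ip, radius_ip)
    return {
        "specific_route": route.prefix.prefixlen > 0,
        "egress_interface": route.interface,
        "tunnelled": tunnelled,
    }


if __name__ == "__main__":
    print(show_route(ROUTES, "192.168.1.0"))          # % Network not in table
    # Sourced from the inside interface: covered by the LAN-to-LAN ACL.
    print(radius_path(ROUTES, CRYPTO_ACL, "192.168.3.1", "192.168.1.50"))
    # Sourced from the management interface: no ACL match, never tunnelled.
    print(radius_path(ROUTES, CRYPTO_ACL, "10.10.10.5", "192.168.1.50"))
    # Same request once the management subnet is added to the crypto ACL.
    print(radius_path(ROUTES, FIXED_ACL, "10.10.10.5", "192.168.1.50"))
```

The second call is the OP's situation: the lookup lands on the default route (hence "Network not in table"), and because 10.10.10.5 -> 192.168.1.50 matches no crypto ACL entry the request leaves the outside interface unencrypted and never reaches SiteB; the third call shows that widening the encryption domain, not adding a static route, is what changes the outcome.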