FTD Show Route

keithcclark71
Level 3

I have a SiteA FTD (192.168.3.0) in place with 2 S2S tunnels established to SiteB (192.168.1.0) and SiteC (192.168.2.0, the FMC network) peers. I am trying to set up AnyConnect on SiteA to use RADIUS in SiteB. When I connect to the SiteA FTD and do a show route for the RADIUS network at SiteB, it says "network not in table", as shown below. It also says the same for the 192.168.2.0 network, yet I can push policy changes to SiteA from SiteC using FMC, and the S2S VPN is established between all sites and passing traffic. Do I have to manually add routes for these S2S protected networks for the FTD to get to the RADIUS server, etc.? Also, I have successfully tested AAA authentication from the firewall at SiteB to the RADIUS server within SiteB.

FTDSITEA# Show route 192.168.1.0
% Network not in table

FTDSITEA# Show route 192.168.2.0
% Network not in table

4 Replies

balaji.bandi
Hall of Fame

Syntax:

show route [ vrf name | all ] summary [ management-only ] [ cluster | failover | ip_address [ mask ] [ longer-prefixes ] | bgp [ as_number ] | connected | eigrp [ process_id ] | isis | ospf [ process_id ] | rip | static | summary | zone ]


Check the full route table; you can see that route.

> show route


BB


Show route does not show tunnel routes; as Aref stated below, they won't, because they are in the encryption domain. I don't know what the deal is, but running test aaa-server, the FTD in SiteA is not able to connect to the RADIUS server in SiteB. It seems like someone would know how to get this to work, because Cisco doesn't allow for local authentication in 6.6.5 and I can't be the first one to try this.

The FTD shows "network not in table" when there is no specific route in the routing table to the destination, so in that case the default route will be used. In other words the "network not in table" means I don't have a route for that destination so I'll use my default route 0.0.0.0/0. You don't have to add static routes for the S2S remote subnets as those will be defined in the encryption domain access lists, and that is enough to get the FTD to send the traffic inside the tunnel. I think the FTD will use its management interface for RADIUS traffic which means you need to configure the FTD on the RADIUS server with its management interface IP as a client.

I have little experience in FTD, but I think it is the same principle as ASA.
Now I will give you some notes, and you can follow them and find the solution here.

First we will divide the network into two parts.

FTD1-FTD2: checking the RADIUS connectivity. RADIUS is connected to FTD2.
Which interface do you use to connect to RADIUS?
If it is Inside, then an S2S VPN with a policy allowing LAN-FTD1 to LAN-FTD2 is enough and will work.
If it is not the Inside interface but the management interface, then
you need to add the management subnet of FTD2 in the ACL of the S2S VPN.
Note: I think you also need to allow management traffic to pass through the S2S VPN.

How do we check the connection? Not from FTD1 to the RADIUS in FTD2, no. Why? Because the FTD may use a different interface that does not hit the ACL of the S2S VPN.

So connect a PC to the inside or management interface and ping from there.

Now, from AnyConnect to RADIUS: this took me weeks to get the idea. There is no direct connection between AnyConnect and RADIUS; the FTD works as a proxy between AnyConnect and RADIUS. It receives the request from AnyConnect and builds a new request to the RADIUS server.
So if we solve the first part, the second part will be easy.
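The two answers above make the same point from different angles: `show route <dst>` reports "network not in table" whenever only the default route matches, the forwarding lookup still uses that default route, and whether the packet is then encrypted depends on the S2S encryption-domain ACL rather than the routing table, which is why the source interface (inside versus management) decides if RADIUS traffic reaches SiteB. The model below is an added example written for this thread, not code from Cisco or from any poster. The routing table, the management subnet 10.10.10.0/24, the default next hop 203.0.113.1 and the RADIUS server address 192.168.1.10 are all constructed; the site subnets are the ones named in the question.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


def _net(s):
    return ipaddress.ip_network(s)


# Constructed routing table for FTDSITEA: two connected networks plus a
# default route. There is deliberately no specific route to 192.168.1.0/24,
# matching the "% Network not in table" output quoted in the question.
ROUTING_TABLE = [
    Route(_net("192.168.3.0/24"), "directly connected", "inside"),
    Route(_net("10.10.10.0/24"), "directly connected", "management"),  # hypothetical mgmt subnet
    Route(_net("0.0.0.0/0"), "203.0.113.1", "outside"),  # hypothetical default gateway
]

# Constructed encryption domain for the SiteA<->SiteB tunnel: only
# inside-LAN to inside-LAN traffic is protected, as in the original setup.
CRYPTO_ACL_SITEB = [
    (_net("192.168.3.0/24"), _net("192.168.1.0/24")),
]


def longest_prefix_match(table, dst):
    """Standard forwarding lookup: the most specific prefix containing dst wins."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def show_route(table, dst):
    """Mimic `show route <dst>`: only a specific (non-default) route is reported."""
    route = longest_prefix_match(table, dst)
    if route is None or route.prefix.prefixlen == 0:
        return "% Network not in table"
    return f"{route.prefix} via {route.next_hop}, {route.interface}"


def forwarding_decision(table, dst):
    """What the box actually does with a packet: the default route is a valid match."""
    return longest_prefix_match(table, dst)


def in_encryption_domain(acl, src, dst):
    """True when the (src, dst) pair hits a line of the S2S crypto ACL."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in acl)


def radius_reachability(table, acl, src_ip, radius_ip):
    """Combine both checks for locally sourced RADIUS traffic.

    `src_ip` is the interface address the FTD sources the request from.
    The route decides the egress interface; the crypto ACL decides whether
    the packet is encrypted into the tunnel or leaves in the clear.
    """
    route = forwarding_decision(table, radius_ip)
    return {
        "show_route": show_route(table, radius_ip),
        "egress": route.interface if route else None,
        "tunnelled": in_encryption_domain(acl, src_ip, radius_ip),
    }


def with_management_subnet(acl, mgmt_subnet, remote_subnet):
    """The fix suggested in the thread: add the management subnet to the crypto ACL."""
    return list(acl) + [(_net(mgmt_subnet), _net(remote_subnet))]


if __name__ == "__main__":
    print(show_route(ROUTING_TABLE, "192.168.1.10"))
    print(radius_reachability(ROUTING_TABLE, CRYPTO_ACL_SITEB, "192.168.3.1", "192.168.1.10"))
    print(radius_reachability(ROUTING_TABLE, CRYPTO_ACL_SITEB, "10.10.10.1", "192.168.1.10"))
    fixed = with_management_subnet(CRYPTO_ACL_SITEB, "10.10.10.0/24", "192.168.1.0/24")
    print(radius_reachability(ROUTING_TABLE, fixed, "10.10.10.1", "192.168.1.10"))
```

Running the module shows the three states discussed in the thread: the route lookup reports "network not in table" but still forwards via the default route; a request sourced from the inside address is tunnelled; the same request sourced from the management address is not, until the management subnet is added to the encryption domain on both peers.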
