Help with troubleshooting Firepower FTD VPN not passing traffic

mhmservice
Level 1

Hi all

 

I am currently building a proof of concept with the following topology. It is all built inside a single VMware ESXi host.

 

[image: topology diagram]

I intend to configure a full mesh VPN between all four FTD devices to route between the LAN subnets (10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24, 10.4.0.0/24).

 

I have a basic "hide" NAT rule set up from inside to outside on each FTD, and there is an "any-any" access control policy in place on all the firewalls to rule that out as an issue.

 

PC 10.2.0.111 can ping the outside interface of FTD1, so I know the connectivity through R1 is working. The FMC can also connect to the FTD2, FTD3 and FTD4 management interfaces over R1, as they have been configured using this connection.

 

The issue is I can't seem to ping the sites from each other, e.g. PC 10.2.0.111 is unable to ping 10.1.0.111. I have checked that Windows Firewall is turned off on the VMs.

 

Here is the full mesh VPN config page from FMC:

[image: FMC full mesh VPN configuration page]

I thought the problem was the NAT policy, so I configured as follows to try to get connectivity to work on FTD1:

[image: FTD1 NAT policy]

And on FTD2:

 

[image: FTD2 NAT policy]

 

show crypto ikev2 sa on FTD1 shows the tunnel (all other FTDs show similar):

[image: show crypto ikev2 sa output on FTD1]

I ran a trace and it says the traffic is allowed:

 

[image: packet trace output]

 

Does anyone have more tips on how to troubleshoot this, as I'm really stuck?

 

All help appreciated

 


10 Replies

matty-boy
Level 1

Do you have access control policies to permit the traffic?

I have the following policy on all FTD devices in place in an attempt to troubleshoot this:

[image: access control policy]

 

 

 

Run a packet tracer to verify it first.

At least it will tell you where the packet is dropping.

please do not forget to rate.

I ran the following packet tracer and it says "DROP" for ipsec-tunnel-flow, but I'm not sure what specifically that means.

[image: packet tracer output]

 

I think your packet trace does not give an accurate result in terms of VPN.

Can you send a constant ping from Site1_Lan to Site2_Lan and in the meantime check if phase 1 and phase 2 come up?

 

If you have access to the CLI on the FTD, give the commands:

 

show crypto ikev1 sa

show crypto ipsec sa

 

please do not forget to rate.


Sure

 

FTD1:


[images: FTD1 show crypto output, three screenshots]

 

FTD2:

 

[images: FTD2 show crypto output, three screenshots]

Can you please double check if the routing is properly in place? I can see the encap and no decap. Most probably it could be a routing issue.

please do not forget to rate.

I think that it is:

 

FTD1:

[image: FTD1 routing]

 

FTD2:

[image: FTD2 routing]

Double check that FTD2 PC has FTD2 inside interface as its gateway. That's the routing that is suspect given your output that you shared.

 

 

Finally fixed it ... subnet mask on PC 10.2.0.111 was set to 255.0.0.0 not 255.255.255.0 ...

 

Stupid mistake on my part, but a mystery solved!

 

Thanks for the hints
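As an added example (not code from the thread or from Cisco): a small Python check that models the host-side routing decision behind the final fix, showing why a 255.0.0.0 mask on 10.2.0.111 keeps packets for 10.1.0.0/24 from ever reaching the FTD2 inside interface, which matches the "encaps but no decaps" symptom seen on FTD1. The four site LANs come from the thread; the FTD2 inside-interface address 10.2.0.1 is assumed.

```python
# Added example, not code from the thread. It models the host-side routing
# decision that caused the symptom: with mask 255.0.0.0 the PC at
# 10.2.0.111 treats every 10.x.x.x destination as on-link, so it ARPs for
# 10.1.0.111 instead of forwarding to FTD2's inside interface. The VPN
# never sees the packet (or the reply), which matches "encaps, no decaps".
import ipaddress

# Site LANs from the thread topology (the full-mesh protected networks).
SITE_LANS = {
    "Site1": ipaddress.ip_network("10.1.0.0/24"),
    "Site2": ipaddress.ip_network("10.2.0.0/24"),
    "Site3": ipaddress.ip_network("10.3.0.0/24"),
    "Site4": ipaddress.ip_network("10.4.0.0/24"),
}


def next_hop(host_ip, host_mask, gateway, dest_ip):
    """Return 'on-link' or the gateway the host would use for dest_ip.

    A host with one connected subnet and a default gateway only hands a
    packet to the gateway when the destination is outside its own subnet.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    if ipaddress.ip_address(dest_ip) in iface.network:
        return "on-link"
    return gateway


def shadowed_remote_lans(host_ip, host_mask, local_site):
    """Remote site LANs this host would wrongly treat as directly connected.

    Every site returned is unreachable over the VPN from this host even
    with IKEv2 up, because the packet never reaches the FTD.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    return [site for site, lan in SITE_LANS.items()
            if site != local_site and iface.network.overlaps(lan)]


if __name__ == "__main__":
    # Assumed FTD2 inside-interface address (not given in the thread).
    gw = "10.2.0.1"
    for mask in ("255.0.0.0", "255.255.255.0"):
        hop = next_hop("10.2.0.111", mask, gw, "10.1.0.111")
        bad = shadowed_remote_lans("10.2.0.111", mask, "Site2")
        print(f"mask {mask}: 10.1.0.111 via {hop}; shadowed sites {bad}")
```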
