Inner GRE Traffic is being dropped by FTD

hadeelOth81
Level 1

Hello All, 

    We have migrated from an ASA (cluster) to an FTD (cluster) on FPR4145, and after the migration a vendor lost connectivity to their remote site that lives inside our network. They are using a GRE tunnel; on the routers the tunnel status is up, but the traffic inside the tunnel is being dropped.

By capturing traffic we noticed the traffic is being dropped by Snort, and the rule is the explicit deny any any.

We migrated the configuration from ASA to FTD and double checked that all the configuration is the same.

How was it working fine on the ASA but not on the FTD?

How would we solve this problem?

Much appreciate any help!!

Thank you

 

1 Accepted Solution
7 Replies

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212700-configuration-and-operation-of-ftd-prefi.html

ASA checks only the outer IP header; FTD can inspect the inner IP header.

Check the link above for how you can solve the issue.

Marvin Rhoads
Hall of Fame

As @MHM Cisco World noted, you should account for this traffic in a prefilter policy that's attached to your Access Control Policy. Typically we Fastpath GRE traffic in the prefilter policy (if we trust it) so that the inner traffic is not inspected by Snort at all.
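To make the distinction in the two replies above concrete, here is an added Python illustration (not Cisco's code, and a deliberate simplification of the real prefilter engine, which also matches on zones, encapsulation protocol and ports): it decodes a constructed GRE packet and shows that a rule keyed on the outer tunnel endpoints fastpaths the flow, while without such a rule what reaches the access control stage is the inner flow, which is what the explicit deny then matches. All addresses and the GRE key are constructed values.

```python
import struct
from ipaddress import IPv4Address

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left at 0; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(buf, off=0):
    """Return (src, dst, proto, next_offset) for the IPv4 header at off."""
    ihl = (buf[off] & 0x0F) * 4
    src = str(IPv4Address(buf[off + 12:off + 16]))
    dst = str(IPv4Address(buf[off + 16:off + 20]))
    return src, dst, buf[off + 9], off + ihl

def parse_gre(buf, off):
    """Return (payload_ethertype, next_offset), skipping optional C/K/S fields."""
    flags, ethertype = struct.unpack("!HH", buf[off:off + 4])
    hdr = 4
    if flags & 0x8000:  # C bit: checksum + reserved
        hdr += 4
    if flags & 0x2000:  # K bit: key
        hdr += 4
    if flags & 0x1000:  # S bit: sequence number
        hdr += 4
    return ethertype, off + hdr

def classify(pkt, fastpath_tunnels):
    """FASTPATH on the outer tunnel endpoints if a prefilter tunnel rule matches,
    otherwise ANALYZE with the flow that the access control stage will evaluate."""
    o_src, o_dst, o_proto, off = parse_ipv4(pkt)
    if o_proto != 47:  # not GRE: nothing to de-encapsulate
        return "ANALYZE", (o_src, o_dst, o_proto)
    if (o_src, o_dst) in fastpath_tunnels:
        return "FASTPATH", (o_src, o_dst, 47)
    ethertype, off = parse_gre(pkt, off)
    if ethertype != 0x0800:  # only inner IPv4 is decoded in this model
        return "ANALYZE", (o_src, o_dst, 47)
    i_src, i_dst, i_proto, _ = parse_ipv4(pkt, off)
    return "ANALYZE", (i_src, i_dst, i_proto)  # inner flow, matched by the explicit deny

# Constructed sample: tunnel 203.0.113.10 -> 198.51.100.20 carrying inner TCP 10.10.10.5 -> 172.16.0.9
INNER = ipv4_header("10.10.10.5", "172.16.0.9", 6, 20) + b"\x00" * 20
GRE = struct.pack("!HHI", 0x2000, 0x0800, 1234)  # K bit set, 4-byte key
SAMPLE = ipv4_header("203.0.113.10", "198.51.100.20", 47, len(GRE) + len(INNER)) + GRE + INNER

if __name__ == "__main__":
    print(classify(SAMPLE, set()))                                 # without a tunnel rule
    print(classify(SAMPLE, {("203.0.113.10", "198.51.100.20")}))  # with a Fastpath tunnel rule
```

The first call is the migrated state described in the question (inner 10.10.10.5 -> 172.16.0.9 reaches the deny); the second is the prefilter Fastpath rule both replies recommend.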

hadeelOth81
Level 1

Thank you @MHM Cisco World  @Marvin Rhoads 

Right now, we are using the default prefilter in the ACP. So I need to add 2 rules in the prefilter:

1- for the GRE tunnel source and destination

2- to send all other traffic to Snort, similar to the default prefilter policy.

Is it correct?

Much appreciate your help.

Thanks 

hadeelOth81
Level 1

@MHM Cisco World Thank you so much

hadeelOth81
Level 1

Hello all, 

  Please, I still have an issue with the GRE tunnel traffic.

  In our situation the vendor has a remote site connected to a private subnet, and that subnet has a static NAT configured on the firewall to go out to the internet.

The tunnel destination on the vendor's external site is the NAT IP.

On the internal remote site, the source is the private subnet and the destination is the vendor's public IP address.

In the pre-filter rule what should I have as tunnel endpoints? 

Thank you, 

Hadeel
