Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
330
Views
1
Helpful
5
Replies

Site to Site VPN being blocked internally

Go to solution
MichaelZipperer4709
Level 1
Level 1

‎09-27-2024 09:55 AM

my company lost its engineer who dealt with this we are in the middle of getting a new one but for now I need a site-to-site VPN setup and I'm at the point where it's up on both ends but my FMC config somewhere is blocking the VPN I ran a packet Tracer but Im not knowledgeable enough to understand what rool is blocking it and where to go to allow the traffic through. 

below is what I'm getting I'll add a snip as well. 
 
SNORT
Type:
SNORT
Result:
 
DROP
Config:
 
Elapsed Time:
197043 ns
 
Additional Information
Snort Trace: Packet: ICMP Session: new snort session Firewall: starting AC rule matching, zone 3 -> 3, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999999, icmpType 8, icmpCode 0 Firewall: block rule, , drop Snort: processed decoder alerts or actions queue, drop Snort id 0, NAP id 2, IPS id 0, Verdict BLOCKFLOW, Blocked by Firewall Snort Verdict: (black-list) black list this flow
 
 
Result: drop
Input Interface:
Outside(vrfid:0)
Input Status:
up
Input Line Status:
up
Output Interface:
Outside(vrfid:0)
Output Status:
up
Output Line Status:
up
Action:
drop
Time Taken:
495591 ns
Drop Reason:
(firewall) Blocked or blacklisted by the firewall preprocessor
Drop Detail:
Drop-location: frame 0x000000aaae872198 flow (NA)/NA
 
 
Outside(vrfid:0)
1 Accepted Solution

Accepted Solutions

Go to solution
MichaelZipperer4709
Level 1
Level 1

‎09-27-2024 12:26 PM

we did't have an access control policy role set also under devices, device management, static route, we did not have the routing configured. we ended up getting a professional service to assist. we are waiting for deployment time but we should be good. 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
MHM Cisco World
VIP
VIP

‎09-27-2024 10:21 AM

Do you use VPN bypass acp option or ACP?

MHM

 

0 Helpful

Go to solution
MichaelZipperer4709
Level 1
Level 1
In response to MHM Cisco World

‎09-27-2024 11:39 AM

that I don't know, we have other site-to-site connections setup, where do I go to answer this question? 

0 Helpful

Go to solution
MichaelZipperer4709
Level 1
Level 1

‎09-27-2024 12:26 PM

we did't have an access control policy role set also under devices, device management, static route, we did not have the routing configured. we ended up getting a professional service to assist. we are waiting for deployment time but we should be good. 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to MichaelZipperer4709

‎09-27-2024 12:29 PM

Professional service!! it easy  issue 

Only change the ACP rule order' if there is no acp add one put it in top of acp rule list 

That it.

MHM

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎09-27-2024 12:37 PM 

(firewall) Blocked or blacklisted by the firewall preprocessor

check is the IP block listed any where in the Firewall ?

Also check the FMC events - make sure the interesting traffic matches and allowed.

Look at the FTD packet Flow :

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

what is other side device in site to site vpn ?

validate the configuration also :

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/215470-site-to-site-vpn-configuration-on-ftd-ma.html

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card