Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
232
Views
1
Helpful
1
Replies

Site to site VPN issue

WinTun86996
Level 1
Level 1

‎10-25-2023 10:50 PM

Dear All, I have configure Site to Site VPN routed based and try to verify by packet-tracer. Errors are shown as follows;

Pls advise on this and thank in advance.

> packet-tracer input inside icmp 10.74.157.6 8 0 10.74.156.3

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.74.156.3 using egress ifc 122(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
Additional Information:

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005555efa58156 flow>

0 Helpful
1 Reply 1

Rob Ingram
VIP
VIP

‎10-26-2023 12:01 AM

@WinTun86996 with FTD you need to explictly permit traffic over the VPN, unlike the ASA which by default bypassed the interface ACLs. Add rules to your Access Control Policy to permit the traffic.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card