01-08-2025 08:52 AM - edited 01-08-2025 08:53 AM
So I have a PTP S2S IPSEC tunnel created for a location. I was able to get the connection up, and I can ping all the endpoints in the route okay on both sides. However, I noticed that connecting to RDP or doing SMB was SLLLOOOOOW, or just disconnected due to timeout. I thought maybe it was the DNS, but the DNS was reachable; I just noticed it was having a delay in name resolution.
So then I went down the rabbit hole of inspecting the packets and doing ping with a packet size. I tried with the parameters -f and -l. I tested what my largest acceptable packet over IPSEC was and noticed that it taps out around 1410. On my FTD, the WAN that is connecting the Firepower/tunnel is set at an MTU of 1500. The extranet device has MSS clamping with a TCP connection segment size of 1452, and the MTU is 1500.
I have a feeling it all has to do with the MTU from my readings, but if someone thinks otherwise, I am all ears.
Now, to fix it: is this something I have to do via FlexConfig? I read something about adding sysopt_basic. However, it looks like it will size all TCP traffic; should I configure it to only size the IPSEC routes? Also, what is the recommended TCP MSS segment size for an MTU of 1500 over IPSEC?
01-20-2025 03:35 PM
After support calls with Cisco and Ubiquiti, I took another glimpse. It turned out to be an LACP config issue. I thought LACP "On" in the Cisco world meant LACP negotiation. Switching my LACP to active corrected everything. Crazy stuff, literally a dropdown.
01-08-2025 09:09 AM
Can you use firewall-engine-debug?
Check if the traffic is deep inspected by Snort or not.
MHM
01-08-2025 04:53 PM
Here are two different debugs I ran. One is port 389 and port 445, and the other is port 80 and 9440, just the web GUI. I see that the first debug shows "Received EOF, deleting the snort session" and "Deleting Firewall session flags=0x40311060, logFlags=0x0"; in the second one I didn't see that, but I do see the same verbiage happening.
Here is the first debug: 10.2.2.100 (internal client, FTD) -> 10.0.0.2 (S2S)
10.2.2.100 58084 -> 10.0.0.2 389 6 AS=0 ID=1 GR=1-1 service inspector changed event
10.2.2.100 58084 -> 10.0.0.2 389 6 AS=0 ID=1 GR=1-1 app event with client no change, service changed, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x4
10.2.2.100 58084 -> 10.0.0.2 389 6 AS=0 ID=1 GR=1-1 service inspector changed event
10.2.2.100 58084 -> 10.0.0.2 389 6 AS=0 ID=1 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x84000
10.2.2.100 58084 -> 10.0.0.2 389 6 AS=0 ID=1 GR=1-1 Setting flow ID to 268435497
10.2.2.100 58084 -> 10.0.0.2 389 6 AS=0 ID=1 GR=1-1 Trusting flow
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 flow setup event
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 New firewall session
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 58097 -> 10.0.0.2 88 6 AS=0 ID=2 GR=1-1 Got end of flow event from hardware with flags 00006001
10.2.2.100 58097 -> 10.0.0.2 88 6 AS=0 ID=2 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 2
10.2.2.100 58097 -> 10.0.0.2 88 6 AS=0 ID=2 GR=1-1 Generating an EOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 58097 -> 10.0.0.2 88 6 AS=0 ID=2 GR=1-1 Received EOF, deleting the snort session
10.2.2.100 58097 -> 10.0.0.2 88 6 AS=0 ID=2 GR=1-1 Deleting Firewall session flags=0x40311060, logFlags=0x0
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 flow setup event
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 New firewall session
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 allow action
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 flow tcp established event
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 Generating an SOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 allow action
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 service inspector changed event
10.2.2.100 5' repeated 1 times, suppressed by syslog-ng on NSYR-FPWR.int.taurozza.com
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 app event with client no change, service changed, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x4004
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 app event with client no change, service no change, payload changed, referred no change, misc no change, url no change, tls host no change, bits 0x10
10.2.2.100 58102 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 flow setup event
10.2.2.100 58102 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 New firewall session
10.2.2.100 58102 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 58102 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 58102 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 Deleting Firewall session flags=0x40013060, logFlags=0x1000
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 Generating an EOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 58102 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 flow tcp established event
10.2.2.100 58102 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 Generating an SOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 58102 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 58102 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 service inspector changed event
10.2.2.100 58102 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 app event with client no change, service changed, payload changed, referred no change, misc no change, url no change, tls host no change, bits 0x4014
10.2.2.100 58103 -> 10.0.0.2 88 6 AS=0 ID=0 GR=1-1 flow setup event
10.2.2.100 58103 -> 10.0.0.2 88 6 AS=0 ID=0 GR=1-1 New firewall session
10.2.2.100 58103 -> 10.0.0.2 88 6 AS=0 ID=0 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 58103 -> 10.0.0.2 88 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 58103 -> 10.0.0.2 88 6 AS=0 ID=0 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 Got end of flow event from hardware with flags 00006001
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 2
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 Generating an EOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 Received EOF, deleting the snort session
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 Deleting Firewall session flags=0x40311060, logFlags=0x0
Here is the second debug: 10.2.2.100 (internal client, FTD) -> 10.0.60.5 (Nutanix web GUI)
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 flow setup event
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 New firewall session
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 flow setup event
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 New firewall session
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 allow action
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 flow tcp established event
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 Generating an SOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 allow action
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 flow setup event
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 New firewall session
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 allow action
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 flow setup event
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 New firewall session
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 56334 -> 10.0.60.5 9440 6 AS=0 ID=2 GR=1-1 flow setup event
10.2.2.100 56334 -> 10.0.60.5 9440 6 AS=0 ID=2 GR=1-1 New firewall session
10.2.2.100 56334 -> 10.0.60.5 9440 6 AS=0 ID=2 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 56334 -> 10.0.60.5 9440 6 AS=0 ID=2 GR=1-1 allow action
10.2.2.100 56334 -> 10.0.60.5 9440 6 AS=0 ID=2 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 flow tcp established event
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Generating an SOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 service inspector changed event
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 wait for decryption event
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 InsightUrlListEventHandler: No active URL entries
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host changed, bits 0x100
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 not decrypting event
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 tls update session event
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 app event with client changed, service changed, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0xC
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 existing flow new policy event
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 existing flow new policy event
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Starting with minimum 0, id 0 and DstZone first with zones 7 -> 8, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 0, payload 0, client 0, misc 0, user 9999997
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Starting with minimum 0, id 0 and DstZone first with zones 7 -> 8, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 0, payload 0, client 0, misc 0, user 9999997
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 match rule order 10, 'Core-S2S-Traffic-Egress', action Allow
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268435497, rule_action:2, rev id:2904194919, rule_match flag:0x1
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 allow action
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 match rule order 10, 'Core-S2S-Traffic-Egress', action Allow
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 MidRecovery data sent for rule id: 268435497, rule_action:2, rev id:2904194919, rule_match flag:0x1
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 58613 -> 10.0.60.5 80 6 AS=0 ID=0 GR=1-1 existing flow new policy event
10.2.2.100 58613 -> 10.0.60.5 80 6 AS=0 ID=0 GR=1-1 Starting with minimum 0, id 0 and DstZone first with zones 7 -> 8, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 676, payload -1, client 4569, misc 0, user 9999997, url http://10.0.60.5/, host 10.0.60.5, no xff
10.2.2.100 58613 -> 10.0.60.5 80 6 AS=0 ID=0 GR=1-1 match rule order 10, 'Core-S2S-Traffic-Egress', action Allow
10.2.2.100 58613 -> 10.0.60.5 80 6 AS=0 ID=0 GR=1-1 MidRecovery data sent for rule id: 268435497, rule_action:2, rev id:2904194919, rule_match flag:0x1
10.2.2.100 58613 -> 10.0.60.5 80 6 AS=0 ID=0 GR=1-1 Generating an SOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 58613 -> 10.0.60.5 80 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Got end of flow event from hardware with flags 00007001
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 3
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Generating an EOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Received EOF, deleting the snort session
10.2.2.100 56333 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Deleting Firewall session flags=0x40313060, logFlags=0x1000
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00006001
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 268435497, rule_action 2 rev_id 2904194919, rule_flags 2
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Generating an EOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Received EOF, deleting the snort session
10.2.2.100 58655 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Deleting Firewall session flags=0x3110a0, logFlags=0x0
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Got end of flow event from hardware with flags 00006001
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Rule Match Data: rule_id 268435497, rule_action 2 rev_id 2904194919, rule_flags 2
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Generating an EOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Received EOF, deleting the snort session
10.2.2.100 58653 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Deleting Firewall session flags=0x3110a0, logFlags=0x0
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 existing flow new policy event
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 Starting with minimum 0, id 0 and DstZone first with zones 7 -> 8, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 0, payload 0, client 0, misc 0, user 9999997
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 match rule order 10, 'Core-S2S-Traffic-Egress', action Allow
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 MidRecovery data sent for rule id: 268435497, rule_action:2, rev id:2904194919, rule_match flag:0x1
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 Generating an SOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 allow action
10.2.2.100 56350 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 flow setup event
10.2.2.100 56350 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 New firewall session
10.2.2.100 56350 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 56350 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 56350 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 flow setup event
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 New firewall session
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 allow action
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 flow tcp established event
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Generating an SOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 allow action
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 service inspector changed event
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 wait for decryption event
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 InsightUrlListEventHandler: No active URL entries
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host changed, bits 0x100
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 not decrypting event
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 tls update session event
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 app event with client changed, service changed, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0xC
10.2.2.100 56334 -> 10.0.60.5 9440 6 AS=0 ID=2 GR=1-1 Got end of flow event from hardware with flags 00006001
10.2.2.100 56334 -> 10.0.60.5 9440 6 AS=0 ID=2 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 2
10.2.2.100 56334 -> 10.0.60.5 9440 6 AS=0 ID=2 GR=1-1 Generating an EOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 56334 -> 10.0.60.5 9440 6 AS=0 ID=2 GR=1-1 Received EOF, deleting the snort session
10.2.2.100 56334 -> 10.0.60.5 9440 6 AS=0 ID=2 GR=1-1 Deleting Firewall session flags=0x40311060, logFlags=0x0
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Got end of flow event from hardware with flags 00007001
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 3
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Generating an EOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Received EOF, deleting the snort session
10.2.2.100 56351 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 Deleting Firewall session flags=0x40313060, logFlags=0x1000
10.2.2.100 56350 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Got end of flow event from hardware with flags 00006001
10.2.2.100 56350 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 2
10.2.2.100 56350 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Generating an EOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 56350 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Received EOF, deleting the snort session
10.2.2.100 56350 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Deleting Firewall session flags=0x40311060, logFlags=0x0
10.2.2.100 56366 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 flow setup event
10.2.2.100 56366 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 New firewall session
10.2.2.100 56366 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 56366 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 allow action
10.2.2.100 56366 -> 10.0.60.5 9440 6 AS=0 ID=1 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 flow setup event
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 New firewall session
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 Deleting Firewall session flags=0x130a0, logFlags=0x1000
10.2.2.100 58654 -> 10.0.60.5 80 6 AS=0 ID=1 GR=1-1 Generating an EOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 flow tcp established event
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 Generating an SOF event with rule_id = 268435497 ruleAction = 2 ruleReason = 0
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 service inspector changed event
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 wait for decryption event
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 InsightUrlListEventHandler: No active URL entries
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host changed, bits 0x100
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 not decrypting event
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 tls update session event
10.2.2.100 56367 -> 10.0.60.5 9440 6 AS=0 ID=0 GR=1-1 app event with client changed, service changed, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0xC
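Reading a long firewall-engine-debug capture by eye, as in the two dumps above, makes it easy to miss which flows actually completed their TCP handshake before Snort deleted the session. The following is an added example (my own code, not from this thread and not a Cisco tool) that parses lines in the format the debug prints, groups them per flow, records the matched rule and action, and lists the flows that were deleted without ever logging "flow tcp established event". The sample lines are constructed to mirror the thread's format; the addresses, ports and the hostname in the syslog-ng suppression line are illustrative.

```python
"""Per-flow summary of Firepower firewall-engine-debug output (added example)."""
import re
from dataclasses import dataclass, field

# Format of a debug line: "src sport -> dst dport proto AS=n ID=n GR=a-b message"
LINE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+) (?P<proto>\d+) "
    r"AS=\d+ ID=\d+ GR=\S+ (?P<msg>.*)$"
)
# Matches both "using HW or preset rule order N, 'name', action X ..." and "match rule order N, 'name', action X"
RULE_RE = re.compile(r"rule order (\d+), '([^']+)', action (\w+)")


@dataclass
class FlowSummary:
    rule: str = ""
    action: str = ""
    established: bool = False   # saw "flow tcp established event"
    trusted: bool = False       # saw "Trusting flow" (Snort stops seeing the flow)
    deleted: bool = False       # saw "Deleting Firewall session ..."
    events: list = field(default_factory=list)


def parse_debug(text: str):
    """Group debug lines by (src, sport, dst, dport, proto); return (flows, skipped_lines)."""
    flows, skipped = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # e.g. syslog-ng "repeated N times, suppressed" lines that truncate the flow key
            skipped.append(line)
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        fs = flows.setdefault(key, FlowSummary())
        msg = m["msg"]
        fs.events.append(msg)
        r = RULE_RE.search(msg)
        if r:
            fs.rule, fs.action = r.group(2), r.group(3)
        if msg == "flow tcp established event":
            fs.established = True
        elif msg == "Trusting flow":
            fs.trusted = True
        elif msg.startswith("Deleting Firewall session"):
            fs.deleted = True
    return flows, skipped


def flows_deleted_before_established(flows):
    """Flows whose session was deleted although Snort never logged TCP establishment.
    Trusted flows are excluded: once trusted, Snort no longer sees their events."""
    return sorted(k for k, f in flows.items()
                  if f.deleted and not f.established and not f.trusted)


def report(flows):
    """One human-readable line per flow, in flow-key order."""
    lines = []
    for k, f in sorted(flows.items()):
        state = "trusted" if f.trusted else ("established" if f.established else "NOT established")
        lines.append(f"{k[0]}:{k[1]} -> {k[2]}:{k[3]}  rule={f.rule or '-'} action={f.action or '-'} "
                     f"{state} deleted={f.deleted} events={len(f.events)}")
    return lines


# Constructed sample in the thread's format (not a real capture).
SAMPLE = """\
10.2.2.100 58084 -> 10.0.0.2 389 6 AS=0 ID=1 GR=1-1 service inspector changed event
10.2.2.100 58084 -> 10.0.0.2 389 6 AS=0 ID=1 GR=1-1 Trusting flow
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 flow setup event
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 New firewall session
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 allow action
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 flow setup event
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 using HW or preset rule order 10, 'Core-S2S-Traffic-Egress', action Allow and prefilter rule 0
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 flow tcp established event
10.2.2.100 5' repeated 1 times, suppressed by syslog-ng on FTD-HOSTNAME
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 Got end of flow event from hardware with flags 00006001
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 Received EOF, deleting the snort session
10.2.2.100 58099 -> 10.0.0.2 445 6 AS=0 ID=0 GR=1-1 Deleting Firewall session flags=0x40311060, logFlags=0x0
10.2.2.100 58101 -> 10.0.0.2 139 6 AS=0 ID=2 GR=1-1 Deleting Firewall session flags=0x40013060, logFlags=0x1000
"""

if __name__ == "__main__":
    flows, skipped = parse_debug(SAMPLE)
    print("\n".join(report(flows)))
    print("deleted before establishment:", flows_deleted_before_established(flows))
    print("unparsed lines:", len(skipped))
```

Paste a real capture into `SAMPLE` (or read it from a file) and look at the "NOT established" flows first: those are the sessions where Snort saw the SYN and a rule match but never saw the handshake complete, which narrows the search to the path between the client and the far side rather than to the access-control policy.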
01-09-2025 07:28 AM
To add to this, I was looking at the VTI on the extranet side, and the VTI has an MTU of 1419.
vti73@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ipip 71.xxx.xxx.164 peer 74.xxx.xxx.118
01-10-2025 06:02 AM
Do you know if it is possible to set the VTI/S2S tunnel MTU separately from the WAN?
01-11-2025 02:06 AM
Sorry for the late reply, I was busy.
Why do you think it is an MTU issue?
Can you use Wireshark to see if there are fragmented packets?
I think your ACP for traffic via the VPN tunnel is configured with the allow action, not with trust; can you confirm?
MHM
01-11-2025 08:10 AM
When I was doing more research, I did end up setting the S2S tunnel security zone to trusted traffic vs. allowed traffic.
I used Wireshark on the FTD side and I also did it on the client PC. The first attempt was to do a c$ to the machine (the ports are open by policy; I checked to make sure by putting the client on the old firewall). So the server 10.0.0.2 was connecting to the client using SMB. I filtered ports 445 and 139. I see a bunch of TCP retransmissions, meaning something is not liking something. I do see MSS = 1460 on the packets.
Now I did the same thing on the client side. So I did 10.2.2.100 (client) going to 10.0.0.2 (server), and it showed more activity, but failures, it seems. After multiple TCP retransmissions, though, it did eventually connect back to the server. It took a while. This is now using an ACP policy of Trusted too. I blocked out sensitive info.
The extranet side MTU for the VTI likes to default to 1419. Its uplink WAN is 1500 with auto clamping. I used this tool that I believe used to be on the Cisco site: IPsec Overhead Calculator
I set the settings as my IPSEC, so SHA and ESP 256. From what I gathered, my largest TCP payload can only be 1320 if the extranet side VTI is at 1419?
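The question running through this thread (from the 1410-byte ping ceiling and the 1452 MSS clamp in the opening post to the 1419-byte VTI and the calculator result here) is how much of a 1500-byte WAN MTU is left for TCP once ESP wraps the packet. As an added example (my own code, not the thread's and not the IPsec Overhead Calculator the poster used), here is a small Python model of ESP tunnel-mode overhead following the RFC 4303 framing: outer IPv4 header, SPI and sequence number, IV, cipher padding, pad-length/next-header trailer and ICV. The cipher profiles are assumptions chosen to illustrate "SHA and ESP 256"; the exact combination in use on the FTD and the Ubiquiti peer is not stated in the thread. For the assumed AES-256-CBC + HMAC-SHA-256 profile at an outer MTU of 1500, the arithmetic gives an inner packet of 1438 bytes, i.e. a 1410-byte ping payload and a 1398-byte MSS.

```python
"""ESP tunnel-mode overhead and the TCP MSS that fits behind it (added example)."""
from dataclasses import dataclass, replace

IPV4_HDR = 20
TCP_HDR = 20      # no TCP options
ICMP_HDR = 8
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspProfile:
    name: str
    iv_len: int       # explicit IV/nonce bytes carried in each packet
    align: int        # encrypted payload alignment: cipher block size, 4 for AEAD
    icv_len: int      # integrity check value bytes
    nat_t: bool = False   # UDP/4500 encapsulation adds an 8-byte UDP header


# Assumed profiles (not taken from the thread): common "AES-256 + SHA" choices.
PROFILES = {
    "aes256-cbc-sha256": EspProfile("AES-256-CBC + HMAC-SHA-256-128", 16, 16, 16),
    "aes256-cbc-sha1":   EspProfile("AES-256-CBC + HMAC-SHA-1-96", 16, 16, 12),
    "aes256-gcm":        EspProfile("AES-256-GCM-16 (AEAD)", 8, 4, 16),
}


def esp_padding(inner_len: int, p: EspProfile) -> int:
    """Padding ESP inserts so that (inner packet + pad + trailer) is block aligned."""
    return (-(inner_len + ESP_TRAILER)) % p.align


def outer_packet_size(inner_len: int, p: EspProfile) -> int:
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    udp = 8 if p.nat_t else 0
    return (IPV4_HDR + udp + ESP_HDR + p.iv_len
            + inner_len + esp_padding(inner_len, p) + ESP_TRAILER + p.icv_len)


def max_inner_packet(outer_mtu: int, p: EspProfile) -> int:
    """Largest inner IPv4 packet that leaves the tunnel endpoint without fragmentation.
    Padding makes the outer size jump in steps, so walk down from the MTU."""
    for inner in range(outer_mtu, 0, -1):
        if outer_packet_size(inner, p) <= outer_mtu:
            return inner
    return 0


def max_tcp_mss(outer_mtu: int, p: EspProfile) -> int:
    """TCP MSS to clamp to: inner packet minus IPv4 and TCP headers."""
    return max_inner_packet(outer_mtu, p) - IPV4_HDR - TCP_HDR


def max_icmp_data(outer_mtu: int, p: EspProfile) -> int:
    """Largest `ping -f -l <n>` (Windows) / `ping -M do -s <n>` (Linux) payload that should pass."""
    return max_inner_packet(outer_mtu, p) - IPV4_HDR - ICMP_HDR


def mss_needs_clamping(advertised_mss: int, outer_mtu: int, p: EspProfile) -> bool:
    """True when a SYN's MSS (1460 from a 1500-byte LAN host) exceeds what the tunnel can carry."""
    return advertised_mss > max_tcp_mss(outer_mtu, p)


def overhead_table(outer_mtu: int = 1500) -> dict:
    """inner/mss/ping limits for every profile, with and without NAT-T."""
    rows = {}
    for key, p in PROFILES.items():
        for nat in (False, True):
            prof = replace(p, nat_t=nat)
            rows[key + ("+nat-t" if nat else "")] = {
                "inner_max": max_inner_packet(outer_mtu, prof),
                "tcp_mss": max_tcp_mss(outer_mtu, prof),
                "icmp_data": max_icmp_data(outer_mtu, prof),
            }
    return rows


if __name__ == "__main__":
    for label, r in overhead_table(1500).items():
        print(f"{label:26s} inner<={r['inner_max']}  mss={r['tcp_mss']}  ping -l {r['icmp_data']}")
```

Two points the table makes that are easy to lose in a calculator screenshot: with CBC ciphers the 16-byte padding step means the usable inner size moves in 16-byte jumps, so a clamp a few bytes above the limit still fragments; and every profile here lands above the ASA/FTD default of `sysopt connection tcpmss 1380`, which is why that global default usually works even though it cannot be scoped to the VPN routes alone. On the Linux side of the thread, a VTI MTU such as the 1419 shown is already the inner packet limit (the kernel adds the ESP overhead after that interface), so its TCP payload ceiling is simply that MTU minus the 40 bytes of IP and TCP headers.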
01-11-2025 08:20 AM
Hi Friend,
thanks a lot for sharing the Wireshark.
I see the IPs you use are 10.0.0.x and 10.2.2.x,
so what is the mask for the remote and local LANs of the VPN?
It must be /24; if not, then you can face IP overlapping.
MHM
01-11-2025 08:27 AM
The second octet signifies the building number, and the third octet signifies the device type. So 10.0.0.0/24 is building 0, and 10.2.2.0/24 is the wired clients at building 2. The
01-11-2025 08:40 AM
OK, now use the packet tracer feature in FTD,
from the local LAN to the remote LAN
and from the remote LAN to the local LAN.
See if FTD forces traffic via the correct VTI interface.
The transmit result mostly indicates an issue with the ACL or routing.
MHM
01-11-2025 11:01 AM - edited 01-11-2025 11:01 AM
Sorry, I stepped away for a few. This is the trace; it looks like everything is going where it is supposed to and going to the tunnel interface with an allow. I did a trace 10.2.2.100 -> 10.0.0.2 with an LDAP request.
Interface: Port-channel1.1022
VLAN ID:
Protocol: TCP
Source Type: IPv4
Source IP value: 10.2.2.100
Source Port: ldap
Source SPI:
Destination Type: IPv4
Destination IP value: 10.0.0.2
Destination port: ldap
Inline Tag:
Treat simulated packet as IPsec/SSL VPN decrypt: false
Bypass all security checks for simulated packet: false
Allow simulated packet to transmit from device: false
Select Device: NSYR-FPWR
Run trace on all cluster members: false
Device details
Name: NSYR-FPWR
ID: 5f11dfbe-bfb3-11ef-b495-bb6a19c262fe
Type: Device
Phase 1
ID: 1
Type: ACCESS-LIST
Result: ALLOW
Config: Implicit Rule
Additional Information: Forward Flow based lookup yields rule: in id=0x1531b47708a0, priority=1, domain=permit, deny=false hits=687835, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=Supply-Wired-Clients, output_ifc=any
Elapsed Time: 17408 ns
Phase 2
ID: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information: Found next-hop 10.255.1.2 using egress ifc CIC-SVTI(vrfid:0)
Elapsed Time: 19456 ns
Phase 3
ID: 3
Type: OBJECT_GROUP_SEARCH
Result: ALLOW
Config:
Additional Information: Source Object Group Match Count: 2 Destination Object Group Match Count: 2 Object Group Search: 4
Elapsed Time: 0 ns
Phase 4
ID: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-group CSM_FW_ACL_ globalaccess-list CSM_FW_ACL_ advanced permit ip ifc Supply-Wired-Clients object-group FMC_INLINE_src_rule_268435497 ifc CIC-SVTI object-group FMC_INLINE_dst_rule_268435497 rule-id 268435497 access-list CSM_FW_ACL_ remark rule-id 268435497: ACCESS POLICY: SYR-AccessPolicy - Mandatoryaccess-list CSM_FW_ACL_ remark rule-id 268435497: L7 RULE: Core-S2S-Traffic-Egressobject-group network FMC_INLINE_src_rule_268435497(hitcnt=20047, id=4026531874) network-object object 01-Internal-Server-Network(hitcnt=0) network-object object 192.168.1.0-Network(hitcnt=0) network-object object 01-Nutanix-Network(hitcnt=0) network-object object 01-External-Server-Network(hitcnt=0) network-object object 02-Wired-Clients-Network(hitcnt=20047)object-group network FMC_INLINE_dst_rule_268435497(hitcnt=20047, id=4026531875) network-object object 00-External-Server-Network(hitcnt=0) network-object object 03-Internal-Server-Network(hitcnt=0) network-object object 00-Nutanix-Network(hitcnt=0) network-object object 00-Internal-Server-Network(hitcnt=20047) network-object object DWT-VTI-Subnet(hitcnt=0) network-object object CIC-VTI-Subnet(hitcnt=0)
Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Forward Flow based lookup yields rule: in id=0x1531b506d350, priority=12, domain=permit, deny=false hits=1911, user_data=0x1531a13c35c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=240.0.0.34, mask=255.255.255.255, port=0, tag=any, ifc object-group id 27259 dst ip/id=240.0.0.35, mask=255.255.255.255, port=0, tag=any, ifc=CIC-SVTI(vrfid:0), src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=any, output_ifc=any
Elapsed Time: 256 ns
Phase 5
ID: 5
Type: CONN-SETTINGS
Result: ALLOW
Config: class-map class-default match anypolicy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAPservice-policy global_policy global
Additional Information: Forward Flow based lookup yields rule: in id=0x1531bfc74e80, priority=7, domain=conn-set, deny=false hits=88731, user_data=0x1531bfc3bde0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=Supply-Wired-Clients(vrfid:0), output_ifc=any
Elapsed Time: 256 ns
Phase 6
ID: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1531b18d7e70, priority=0, domain=nat-per-session, deny=false hits=932243, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=any, output_ifc=any
Elapsed Time: 256 ns
Phase 7
ID: 7
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1531b477c060, priority=0, domain=inspect-ip-options, deny=true hits=88944, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=Supply-Wired-Clients(vrfid:0), output_ifc=any
Elapsed Time: 256 ns
Phase 8
ID: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: out id=0x1531bac98740, priority=70, domain=encrypt, deny=false hits=1718, user_data=0x21ae04, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=any(vrfid:65535), output_ifc=CIC-SVTI
Elapsed Time: 34816 ns
Phase 9
ID: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1531b849f560, priority=69, domain=ipsec-tunnel-flow, deny=false hits=1727, user_data=0x21d6e4, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=CIC-SVTI(vrfid:0), output_ifc=any
Elapsed Time: 49664 ns
Phase 10
ID: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1531b18d7e70, priority=0, domain=nat-per-session, deny=false hits=932245, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=any, output_ifc=any
Elapsed Time: 1536 ns
Phase 11
ID: 11
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1531b4da3b10, priority=0, domain=inspect-ip-options, deny=true hits=1941, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=CIC-SVTI(vrfid:0), output_ifc=any
Elapsed Time: 512 ns
Phase 12
ID: 12
Type: FLOW-CREATION
Result: ALLOW
Config:
Additional Information: New flow created with id 703906, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Elapsed Time: 23040 ns
Phase 13
ID: 13
Type: EXTERNAL-INSPECT
Result: ALLOW
Config:
Additional Information: Application: 'SNORT Inspect'
Elapsed Time: 43520 ns
Phase 14
ID: 14
Type: SNORT
Subtype: firewall
Result: ALLOW
Config: Network 0, Inspection 0, Detection 2, Rule ID 268435497
Additional Information: Starting rule matching, zone 7 -> 8, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268435497 - Trust
Elapsed Time: 137158 ns
Phase 15
ID: 15
Type: SNORT
Subtype: appid
Result: ALLOW
Config:
Additional Information: service: (0), client: (0), payload: (0), misc: (0)
Elapsed Time: 16398 ns
Result
Input Interface: Supply-Wired-Clients(vrfid:0)
Input Status: up
Input Line Status: up
Output Interface: CIC-SVTI(vrfid:0)
Output Status: up
Output Line Status: up
Action: allow
Time Taken: 344532 ns
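A small parser for this kind of output, added here as an example (it is not code from the thread or from Cisco): it splits a packet-tracer trace into phases and pulls out the final action, the egress interface, whether a VPN/encrypt phase is present, the first non-ALLOW phase if there is one, and which Snort access-control rule matched and with what action (above: 268435497, Trust). The sample trace inside the script is a constructed, shortened excerpt of phases 8 and 14 and the Result block posted above; the parser reads the full output the same way, including the case where extraction fused the "Matched rule ids" line onto the previous one.

```python
"""Parse Cisco FTD packet-tracer output into phases and summarise the verdict.

Added example, not from the thread. SAMPLE_TRACE is a constructed, shortened
excerpt in the same format as the trace posted above.
"""
import re
from dataclasses import dataclass, field

PHASE_RE = re.compile(r"^Phase (\d+)$")
# Searched in each phase's raw text rather than line by line, because the
# "Matched rule ids ... - Trust" line is sometimes fused onto the line before it.
RULE_RE = re.compile(r"Matched rule ids (\d+) - (\w+)")


@dataclass
class Phase:
    number: int
    fields: dict = field(default_factory=dict)   # "Type", "Subtype", "Result", ...
    raw: list = field(default_factory=list)      # every line of the phase, verbatim

    @property
    def kind(self) -> str:
        """'VPN/encrypt', 'SNORT/firewall', 'IP-OPTIONS', ..."""
        kind, subtype = self.fields.get("Type", "?"), self.fields.get("Subtype")
        return f"{kind}/{subtype}" if subtype else kind


def parse_packet_tracer(text: str):
    """Return (list of Phase, dict of the trailing Result block)."""
    phases, result = [], {}
    current, in_result = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:                              # "Phase 8" starts a new phase
            current = Phase(int(m.group(1)))
            phases.append(current)
            in_result = False
            continue
        if line == "Result":               # bare "Result" starts the summary block
            in_result, current = True, None
            continue
        if current is not None:
            current.raw.append(line)
        if ":" in line:                    # "Key: value" (first colon only)
            key, _, value = line.partition(":")
            target = result if in_result else (current.fields if current else None)
            if target is not None:
                target[key.strip()] = value.strip()
    return phases, result


def summarize(phases, result) -> dict:
    """What a troubleshooter reads first: verdict, egress, drops, matched rule."""
    non_allow = [p for p in phases if p.fields.get("Result", "").upper() != "ALLOW"]
    snort_rule = None
    for p in phases:
        m = RULE_RE.search(" ".join(p.raw))
        if m:
            snort_rule = (m.group(1), m.group(2))   # (rule id, action)
    return {
        "action": result.get("Action"),
        "output_interface": result.get("Output Interface"),
        "chain": [p.kind for p in phases],
        "encrypted": any(p.kind == "VPN/encrypt" for p in phases),
        "first_non_allow": non_allow[0].kind if non_allow else None,
        "snort_rule": snort_rule,
        "time_taken_ns": int(result.get("Time Taken", "0 ns").split()[0]),
    }


# Constructed excerpt: phases 8 and 14 plus the Result block from the trace above.
SAMPLE_TRACE = """\
Phase 8
ID: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: out id=0x1531bac98740, priority=70, domain=encrypt, deny=false hits=1718, input_ifc=any(vrfid:65535), output_ifc=CIC-SVTI
Elapsed Time: 34816 ns
Phase 14
ID: 14
Type: SNORT
Subtype: firewall
Result: ALLOW
Config: Network 0, Inspection 0, Detection 2, Rule ID 268435497
Additional Information: Starting rule matching, zone 7 -> 8, geo 0 -> 0, vlan 0, user 9999997, no url or host, no xffMatched rule ids 268435497 - Trust
Elapsed Time: 137158 ns
Result
Input Interface: Supply-Wired-Clients(vrfid:0)
Output Interface: CIC-SVTI(vrfid:0)
Action: allow
Time Taken: 344532 ns
"""

if __name__ == "__main__":
    for key, value in summarize(*parse_packet_tracer(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

Run it against a whole trace pasted into SAMPLE_TRACE; a Trust verdict in the SNORT/firewall phase with Action: allow confirms the FTD policy is not the drop point, which is why the thread moves on to checking the path below the firewall.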
01-11-2025 11:10 AM
Now from 10.2.2.100 to 10.0.0.2, share the result.
MHM
01-11-2025 11:38 AM
In FMC I can set it to the WAN interface, but the ingress interface dropdown only has physical and virtual interfaces, no tunnel interfaces?
In the earlier posted test I used the interface that the client PC is connected to.
01-11-2025 12:36 PM
I always forget that Cisco does not allow using the VTI interface in packet capture/NAT, etc.
Anyway, let's check the MAC address in Wireshark: the destination MAC address must be that of the ISP interface. If it shows the MAC of another interface of the FW, then traffic is being routed through a different interface.
MHM
01-11-2025 07:47 PM - edited 01-11-2025 07:56 PM
Alright, so this is what I have unboxed so far. When I was grabbing that information for you, I spotted something going on which may be the answer to all of this. From client 10.2.2.100 I can ping, say, 10.0.0.2 but cannot ping 10.0.0.3 (another server). Then I moved to a different subnet: the same client 10.2.2.100 can ping 10.0.60.12 and 10.0.60.52 but can't ping 10.0.60.5 and 10.0.60.53.
Note: I also have a Raspberry Pi on 10.2.2.104 as a test device; before deploying this firewall it too was behaving the same, so it's not just the one endpoint.
The odd thing is I can get to the web UI of 10.0.60.5 but can't ping it. Yet when I do a packet capture and debug, it says that it matches my rule and it is trusted.
So here we go. I then started to dive deeper; I needed to know where that ping request was going. So in FMC I created a packet capture on the VTI interface, watching the traffic from source 10.2.2.100 -> 10.0.60.53, and it was happy? Yet my machine on the FTD internal interface did not say so (second image showing request timed out). So the FTD got my response and just booted it away.
Here is also the extranet router pcap dump showing the responses; everything I watched here seemed healthy.
Now we are reversing roles.
I am going to ping from the host 10.0.60.53 -> 10.2.2.100. Same thing in FMC: I set up a capture with the settings reversed, and set up the dump on my extranet router.
To my surprise, on the extranet router I got no reply!
But did the FTD see it and acknowledge it?
It did see my ping request and kicked those packets to the wind. So where does that leave me? Why do some IPs ping completely fine while some don't? Why, when connecting to services, even with the interface and IPs trusted, does it seem like it's dropping packets?
So here is a healthy ping 10.0.60.52 -> 10.0.0.2. Same subnet, same ACP rules, everything the same, just a different machine on the extranet side.
@MHM Cisco World wrote: I always forget that Cisco does not allow using the VTI interface in packet capture/NAT, etc.
Anyway, let's check the MAC address in Wireshark: the destination MAC address must be that of the ISP interface. If it shows the MAC of another interface of the FW, then traffic is being routed through a different interface.
MHM
Now to answer your question above: yes, it does. Here is the proof:
From CLI of the FTD:
Interface Ethernet1/1 "ISP-WAN", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
Description: ISP
MAC address 8c94.6138.67a4, MTU 1500
From Packet Capture:
Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Ethernet II, Src: JuniperNetwo_ae:08:02 (40:71:83:ae:08:02), Dst: Cisco_38:67:a4 (8c:94:61:38:67:a4)
Destination: Cisco_38:67:a4 (8c:94:61:38:67:a4)
Internet Protocol Version 4, Src: 10.0.60.52, Dst: 10.2.2.100
Internet Control Message Protocol
I appreciate your guidance a lot. I have one more day of picking this thing apart, and if it is still throwing me issues this is getting to be TAC worthy. The SonicWall and Ubiquiti gear I have in place are rock solid; this has been a little bumpy for some reason.
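The MAC check done by hand in this post can be automated. The following is an added example, not code from the thread or from Cisco: it converts the dotted-hex MAC that `show interface` prints to the colon form Wireshark uses, reads the destination MAC from a Wireshark frame summary or directly from raw Ethernet II frame bytes, and names which firewall interface that MAC belongs to, so a frame addressed to the wrong interface stands out. Sample inputs are the ISP-WAN lines and the frame posted above, plus one constructed second interface ("inside", MAC 0200.0000.0001, a locally administered address chosen for the example) so that a mismatch can be shown.

```python
"""Verify that captured frames are addressed to the ISP-facing interface's MAC.

Added example, not from the thread. SHOW_INTERFACE and WIRESHARK reuse the
snippets posted above; the "inside" interface and its MAC are constructed.
"""
import re
import struct

CISCO_IFC_RE = re.compile(r'^Interface \S+ "([^"]+)"', re.M)
# "MAC address 8c94.6138.67a4, MTU 1500" -> Cisco dotted-hex notation
CISCO_MAC_RE = re.compile(r"MAC address ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)
# Wireshark summary line: "Ethernet II, Src: Vendor_x (aa:..), Dst: Vendor_y (cc:..)"
WS_DST_RE = re.compile(r"Dst: \S+ \(((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\)", re.I)


def cisco_mac_to_colon(mac: str) -> str:
    """'8c94.6138.67a4' -> '8c:94:61:38:67:a4'."""
    digits = mac.replace(".", "").lower()
    if len(digits) != 12 or not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a dotted-hex MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def interface_macs(show_interface_text: str) -> dict:
    """Map each interface name in `show interface` output to its colon-form MAC."""
    macs = {}
    # split at every 'Interface ...' header so each MAC is tied to its own block
    for block in re.split(r"(?m)^(?=Interface )", show_interface_text):
        name, mac = CISCO_IFC_RE.search(block), CISCO_MAC_RE.search(block)
        if name and mac:
            macs[name.group(1)] = cisco_mac_to_colon(mac.group(1))
    return macs


def dst_mac_from_frame(frame: bytes) -> str:
    """Destination MAC of a raw Ethernet II frame (first 6 bytes of the header)."""
    dst, _src, _ethertype = struct.unpack("!6s6sH", frame[:14])
    return ":".join(f"{b:02x}" for b in dst)


def dst_macs_from_wireshark(text: str) -> list:
    """Destination MACs of every 'Ethernet II' summary line in a Wireshark dump."""
    return [m.lower() for m in WS_DST_RE.findall(text)]


def egress_interface_for(dst_mac: str, macs: dict):
    """Firewall interface owning dst_mac, or None if the frame is not addressed to us."""
    for name, mac in macs.items():
        if mac == dst_mac.lower():
            return name
    return None


# From the post above, plus a constructed "inside" interface with a made-up MAC.
SHOW_INTERFACE = """\
Interface Ethernet1/1 "ISP-WAN", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
Description: ISP
MAC address 8c94.6138.67a4, MTU 1500
Interface Ethernet1/2 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 1000 Mbps, DLY 10 usec
MAC address 0200.0000.0001, MTU 1500
"""

WIRESHARK = """\
Frame 1: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Ethernet II, Src: JuniperNetwo_ae:08:02 (40:71:83:ae:08:02), Dst: Cisco_38:67:a4 (8c:94:61:38:67:a4)
Internet Protocol Version 4, Src: 10.0.60.52, Dst: 10.2.2.100
"""

# The same frame as raw bytes: dst MAC, src MAC, EtherType 0x0800, then padding
# (constructed; only the 14-byte header matters here).
FRAME = bytes.fromhex("8c94613867a4" "407183ae0802" "0800") + bytes(84)

if __name__ == "__main__":
    macs = interface_macs(SHOW_INTERFACE)
    for dst in dst_macs_from_wireshark(WIRESHARK):
        print(dst, "->", egress_interface_for(dst, macs) or "not a firewall interface")
    print(dst_mac_from_frame(FRAME), "->", egress_interface_for(dst_mac_from_frame(FRAME), macs))
```

If `egress_interface_for` returns the ISP-facing interface for the frames in the ISP capture, the reply really is leaving the expected interface, as the post's manual comparison shows; a return of another interface name, or None, is the case MHM described where routing sends the traffic elsewhere.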