Beginner

FPD-1010 VPN tunnel Traffic 1 way only

We have FPD-1010 VPNs configured to connect to an ASA-5506-X

 

1. The tunnel between the sites can be created by traffic generated from either end

2. Only VPN traffic from the FPD-1010 flows

3. Any traffic from the ASA does not get through - i.e. cannot ping or browse any items on the FPD or behind the FPD device

 

We created a tunnel from another location using an old 1900 series router and have the same issues - 1 way traffic only although the tunnel can be generated from either end.

 

The manual NAT rules look to be ok - they're the same as we have at another location

 

It just looks like all VPN traffic generated from an outside source is being dropped

 

Where's a good place to start to see what's going on?

 

Steve

 

Hall of Fame Guru

Re: FPD-1010 VPN tunnel Traffic 1 way only

If traffic from the ASA side isn't appearing on your local network, check the flow using the ASA packet-tracer tool.

Also, check and confirm the ASA's IPsec security associations:

show crypto ipsec sa

 

Beginner

Re: FPD-1010 VPN tunnel Traffic 1 way only

These are the stats I get when I ping from the ASA to the FPD

 

local crypto endpt.: xxx.xxx.xxx.xxx/500, remote crypto endpt.: yyy.yyy.yyy.yyy/500
path mtu 1492, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F02A8B4F
current inbound spi : 718932BE

inbound esp sas:
spi: 0x718932BE (1904816830)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 209, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4193280/28775)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xF02A8B4F (4029320015)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 209, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4055039/28775)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

 

ASA trace ends up with:

Result is Packet is allowed

 

 

This is an issue on the FTD end - not the ASA end, as we've tried other VPN connections to the FTD and they all fail in this same manner

 

Hall of Fame Guru

Re: FPD-1010 VPN tunnel Traffic 1 way only

You've only shared part of the "show ipsec sa" output.

Try checking that at both ends and look for encaps matching decaps at the other end and vice versa.
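To make the encaps/decaps comparison the reply above describes concrete, here is an added example (not code from this thread, from the posters, or from Cisco) that parses the counter lines of "show crypto ipsec sa" from both ends of a tunnel and reports where packets stop. The sample output it runs on is constructed to resemble ASA/FTD output with documentation addresses; the regexes assume the standard "#pkts encaps"/"#pkts decaps" and "local ident"/"remote ident" line formats.

```python
"""Compare `show crypto ipsec sa` counters from both ends of an IPsec tunnel.

Added example, not code from the thread or from Cisco. The sample output is
constructed to look like ASA/FTD output; addresses are documentation ranges.
"""
import re
from dataclasses import dataclass

# Constructed sample: the local (ASA) side, where the pings originate.
SAMPLE_LOCAL = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.0.2.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Constructed sample: the far (FTD) side of the same SA pair. It decapsulates
# everything the ASA sends but never encapsulates a reply.
SAMPLE_REMOTE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      current_peer: 192.0.2.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
      #send errors: 0, #recv errors: 0
"""


@dataclass
class SaCounters:
    local_net: str    # local proxy identity (addr/mask/prot/port)
    remote_net: str   # remote proxy identity
    encaps: int       # packets this end put into the tunnel
    decaps: int       # packets this end took out of the tunnel
    send_errors: int
    recv_errors: int


_LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)")
_REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)")
_ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
_ERR_RE = re.compile(r"#send errors:\s*(\d+),\s*#recv errors:\s*(\d+)")


def parse_ipsec_sa(text: str) -> list:
    """Return one SaCounters per proxy-identity block in the command output."""
    sas = []
    # Each SA block starts at its "local ident" line; the interface header
    # before the first one carries no counters and is skipped.
    for block in re.split(r"(?m)^(?=[ \t]*local ident )", text):
        loc, rem = _LOCAL_RE.search(block), _REMOTE_RE.search(block)
        enc, dec = _ENCAPS_RE.search(block), _DECAPS_RE.search(block)
        if not (loc and rem and enc and dec):
            continue
        err = _ERR_RE.search(block)
        sas.append(SaCounters(
            loc.group(1), rem.group(1), int(enc.group(1)), int(dec.group(1)),
            int(err.group(1)) if err else 0, int(err.group(2)) if err else 0))
    return sas


def diagnose(local_sas, remote_sas) -> list:
    """Pair each local SA with the far end's mirror-image SA and report where
    packets stop. Returns a list of findings; an empty list means symmetric."""
    findings = []
    # On the far end our local identity is its remote identity and vice versa.
    far = {(sa.remote_net, sa.local_net): sa for sa in remote_sas}
    for sa in local_sas:
        tag = f"{sa.local_net} <-> {sa.remote_net}"
        peer = far.get((sa.local_net, sa.remote_net))
        if peer is None:
            findings.append(f"{tag}: no mirror SA on the far end; compare crypto ACLs / proxy IDs")
            continue
        if sa.encaps > peer.decaps:
            findings.append(f"{tag}: we encapsulated {sa.encaps} but the far end decapsulated "
                            f"only {peer.decaps}; packets lost in transit or rejected "
                            f"(far-end #recv errors={peer.recv_errors})")
        if peer.decaps > 0 and peer.encaps == 0:
            findings.append(f"{tag}: far end received {peer.decaps} packets but sent none back; "
                            f"the reply is dropped or routed around the tunnel on the far side")
        if peer.encaps > sa.decaps:
            findings.append(f"{tag}: far end encapsulated {peer.encaps} but we decapsulated "
                            f"only {sa.decaps}; return path lost in transit or rejected "
                            f"(local #recv errors={sa.recv_errors})")
    return findings


def demo() -> list:
    """Run the comparison over the two constructed samples."""
    return diagnose(parse_ipsec_sa(SAMPLE_LOCAL), parse_ipsec_sa(SAMPLE_REMOTE))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The counters are cumulative, so the useful reading is the change while a ping runs: capture both ends, send a known number of pings, capture again and feed the second pair to the script. In the thread's scenario the interesting split is whether the FTD's decaps rises with the ASA's encaps (the ICMP is arriving) while the FTD's encaps stays flat (the reply never enters the tunnel), which points at NAT, routing or access policy on the FTD side rather than at the tunnel itself.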
