Hairpinning FTD Site-to-Site IPSec

caiobomani
Level 1

Dear team,

 

I'm currently facing an unusual scenario and could use some assistance in order to make it work.

 

I have two VPN tunnels with two different partners and, for business reasons, they are not allowed to establish a tunnel between them directly. With that being said, I'm in the middle of the path, receiving traffic from one Site-to-Site IPsec VPN tunnel and forwarding it to the second one.

 

The behavior I'm experiencing is a drop (the traffic is not even attempting to trigger the SA for the second tunnel).

 

Just as base information:

I do have connectivity on both tunnels (I'm able to receive the traffic from the first tunnel, although it is being dropped) and I'm able to send telnet traffic from a random server I've set up just to test connectivity for the second tunnel. I'm just not able to receive from the first tunnel and send it to the second.

Also, another important piece of info:

Both VPN tunnels are reaching my network on the same interface/zone, so (per my previous research) hairpinning is allowed by default on FTD devices.

 

The access rule is allowing the original source and the original destination (as it should). I've also attempted to allow the NAT IPs in the ACL, but the behavior is exactly the same.

 

I'm attaching a drawing for a better understanding of the scenario.

 

Thanks,

 

Caio


6 Replies

On the FTD, create one hub-and-spoke topology and configure the option "Enable Spoke to Spoke Connectivity through Hub" under the Advanced Tunnel options.

 

HTH

 

That was quite an obvious answer and I didn't really think about it.

But it still brings up a question:

 

On one end of the tunnel (far east side) I have other traffic flows currently working which are not in a hub-and-spoke scenario (point-to-point). How should I maintain these two scenarios in parallel?

 

Thanks,

 

On FTD, you need to change the topology into a hub-and-spoke scenario, also modify the crypto ACL on both sides to add the subnets of the other sites, and you should take care of the NAT exempt on the FTD.
What do you mean by point-to-point? Is it a VPN between partner B and your FTD? If so, once you recreate the VPN as hub and spoke, it will continue working as it does today, with the added possibility of reaching the partner A site as well.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I've recreated the scenario on my backup site, but unfortunately the behavior is exactly the same:
the traffic is being dropped.

 

Any other thoughts of what might be causing this issue?

Can you run a packet-tracer input outside icmp a.b.c.d 8 0 e.f.g.h detail?
a.b.c.d corresponds to the IP of the machine in site A
e.f.g.h corresponds to the IP of the machine in site B

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you for the tip. Unfortunately, ICMP isn't allowed, so that specific packet-tracer won't work.

 

I got it fixed.

 

On the PAT rule, I had to remove the zone from the destination (leave it as any), and the same in the filter ACL.

That's why the packet was being dropped.

 

Since I'm performing twice NAT with the original destination being just a NAT IP, the firewall didn't consider the exiting interface as inet (yet) and therefore did not find an ACL match. As soon as I removed the destination zone, the ACL matched and the traffic passed through.
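For readers who want to see what the accepted fix and the suggested packet-tracer check look like at the CLI level, here is an added example that is not part of the original thread or the poster's configuration. It shows the LINA (ASA-syntax) form of a twice NAT rule as FTD displays it with show running-config nat, first with the destination interface pinned to the outside zone and then with it left as any, followed by a TCP packet-tracer that can be used when ICMP is not permitted by policy. All object names, addresses and ports are constructed for illustration; on FTD the objects and NAT rule are created in FMC, and the translation and ACL phases must be confirmed on the device itself.

```cisco
! Added example, not from the original post. Object names and addresses are constructed.
! Partner A host (arrives over tunnel A on 'outside'), partner B host (leaves over tunnel B,
! also on 'outside'), and the NAT IP that partner A has been given for the partner B host.
object network PARTNER_A_HOST
 host 10.1.1.10
object network PARTNER_B_HOST
 host 172.16.1.10
object network PARTNER_B_NAT_IP
 host 192.0.2.10

! Twice NAT with the destination interface pinned to 'outside' (the form the poster reports was dropping):
nat (outside,outside) source static PARTNER_A_HOST PARTNER_A_HOST destination static PARTNER_B_NAT_IP PARTNER_B_HOST

! Same rule with the destination interface left as 'any' (the form the poster reports worked):
nat (outside,any) source static PARTNER_A_HOST PARTNER_A_HOST destination static PARTNER_B_NAT_IP PARTNER_B_HOST

! Hairpinning depends on intra-interface traffic being permitted; verify the current setting with:
show running-config same-security-traffic

! packet-tracer with TCP instead of ICMP. The destination is the pre-NAT address (the NAT IP),
! exactly as partner A sends it; the source port 12345 and destination port 23 are assumed.
packet-tracer input outside tcp 10.1.1.10 12345 192.0.2.10 23 detailed
```

Run the packet-tracer from the FTD CLI and read the NAT and ACCESS-LIST phases in the output: the untranslated phase shows which NAT rule (and therefore which egress interface) matched, and the access-list phase shows whether the rule that permits the original source and destination was actually evaluated, which is the mismatch the poster describes.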