Azure S2S Cisco FTD 7.2.4.1 Tunnel Issues

randyclark
Level 1

We have a S2S VPN to Azure using our FTD. From time to time the traffic will drop to “a one way street”. Basically we can connect to servers in Azure but data to servers on site cannot be accessed. Example: I can log into Azure server A and can ping Campus server A. When the event happens, I can log into Azure server A from campus but I can’t ping Campus server A. Campus server A has a static NAT. After a clear crypto, or if I have our Azure person reset the link, traffic flows as normal. This has been going on since I was on version 6.5.5. I am on 7.2.4.1 now. To me it seems almost like a NAT issue. TAC hasn’t had any luck. Suggestions?

1 Reply

There could be several reasons causing a one-way traffic issue with a Cisco FTD S2S VPN to Azure. Here are some possible causes:

1. ACLs: Check if the ACLs on the Cisco FTD and Azure are correctly configured to allow traffic in both directions. Ensure that the source and destination IP addresses and ports are correctly defined in the ACLs.

2. NAT: Make sure that NAT configuration does not interfere with the VPN traffic. Verify that there are no conflicting NAT rules that might affect the traffic flow.

3. Routing: Confirm that the routing tables on the Cisco FTD and Azure are correctly configured to route traffic between the VPN endpoints. Check if there are any missing or incorrect routes that might cause traffic to flow in only one direction.

4. Encryption Domain: Ensure that the encryption domain is correctly defined on both ends of the VPN tunnel. The encryption domain determines which traffic is included in the VPN tunnel. Verify that the local and remote traffic selectors are properly set to capture the desired traffic.

5. IKE and IPSec Parameters: Check if the IKE and IPSec parameters (encryption, authentication, lifetime, etc.) configured on both the Cisco FTD and Azure are compatible and match. Any mismatch in the parameters can prevent the VPN tunnel from establishing or cause traffic issues.

6. VPN Gateway Configuration: Review the configuration of the VPN gateway on Azure. Ensure that the correct VPN type (route-based or policy-based) is selected and that the IKE version is configured correctly to match the Cisco FTD configuration.

If none of these potential causes resolve the one-way traffic issue, it may be necessary to gather more information by performing packet captures, reviewing log files, and using debugging tools to troubleshoot further.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
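The NAT, traffic-selector and packet-capture points in the reply above can be narrowed down with the counters the FTD already keeps. What follows is an added example for this thread, not code from Cisco or from the poster: a Python script that parses two snapshots of `show crypto ipsec sa` taken before and after a test ping, reports which direction moved (encaps = packets the FTD encrypted into the tunnel, decaps = packets it decrypted out of it), and then checks whether a host behind a static NAT still falls inside the SA's selectors after translation. On ASA/FTD, NAT is applied before crypto-map matching for outbound packets, so a reply whose source is rewritten to the static NAT address never enters the tunnel unless an identity (NAT-exempt) rule is ordered ahead of the static NAT. The sample output, addresses and counters are constructed, the layout only approximates the real command output, and all function names are my own.

```python
"""Localise one-way traffic on an FTD/ASA site-to-site tunnel.

Added example for this thread (not Cisco's or the poster's code). It reads two
snapshots of `show crypto ipsec sa` taken before and after a test ping, reports
which direction's counters moved, and checks whether a host behind a static NAT
still matches the tunnel's traffic selectors after translation.  The sample
output below is constructed: addresses and counters are invented and the layout
only approximates the real command output.
"""
import ipaddress
import re

SNAPSHOT_BEFORE = """\
interface: outside
    Crypto map tag: CSM_outside_map, seq num: 1, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 51200, #pkts encrypt: 51200, #pkts digest: 51200
      #pkts decaps: 48000, #pkts decrypt: 48000, #pkts verify: 48000
"""
# Constructed second snapshot, taken after pinging from Azure to campus:
# 100 packets were decrypted by the FTD but nothing was encrypted in return.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("48000", "48100")

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Return {(local_net, remote_net): {...}} with selectors and counters per SA."""
    sas, local, cur = {}, None, None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if m.group(1) == "local":
                local = net          # a new SA block starts with its local ident
            else:
                cur = {"local": local, "remote": net, "encaps": 0, "decaps": 0}
                sas[(str(local), str(net))] = cur
            continue
        if cur is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            cur["encaps"] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            cur["decaps"] = int(m.group(1))
    return sas


def counter_deltas(before, after):
    """Per-SA change in encaps/decaps between the two snapshots."""
    deltas = {}
    for key, now in after.items():
        prev = before.get(key, {"encaps": 0, "decaps": 0})
        deltas[key] = {"encaps": now["encaps"] - prev["encaps"],
                       "decaps": now["decaps"] - prev["decaps"]}
    return deltas


EXPLANATION = {
    "both": "both directions crossed the tunnel: look past the VPN (host firewall, asymmetric return path)",
    "outbound-only": "FTD encrypts but nothing comes back: check the Azure side (routes, NSG, selectors)",
    "inbound-only": "FTD decrypts but replies never enter the tunnel: check local NAT order and routing",
    "none": "nothing entered the tunnel: check encryption domain, routing to the crypto interface, ACLs",
}


def classify(encaps_delta, decaps_delta):
    """Map counter movement during the test ping to the side that needs inspection."""
    if encaps_delta > 0 and decaps_delta > 0:
        return "both"
    if encaps_delta > 0:
        return "outbound-only"
    if decaps_delta > 0:
        return "inbound-only"
    return "none"


def find_sa_for_flow(sas, src, dst):
    """Return the key of the SA whose selectors cover src -> dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for key, sa in sas.items():
        if s in sa["local"] and d in sa["remote"]:
            return key
    return None


def reply_covered_after_nat(sas, inside_ip, nat_ip, remote_ip):
    """Static NAT pitfall: NAT runs before crypto-map matching on ASA/FTD, so a
    reply rewritten to nat_ip must still sit inside a selector to be encrypted.
    Returns (covered with the inside address, covered with the NATed address)."""
    return (find_sa_for_flow(sas, inside_ip, remote_ip) is not None,
            find_sa_for_flow(sas, nat_ip, remote_ip) is not None)


if __name__ == "__main__":
    before, after = parse_ipsec_sa(SNAPSHOT_BEFORE), parse_ipsec_sa(SNAPSHOT_AFTER)
    for key, d in counter_deltas(before, after).items():
        verdict = classify(d["encaps"], d["decaps"])
        print(key, d, verdict, "->", EXPLANATION[verdict])
    # Hypothetical campus server 10.10.5.25 with static NAT to 203.0.113.25,
    # replying to an Azure host 10.20.1.4 (all constructed addresses).
    print("reply covered (inside, after NAT):",
          reply_covered_after_nat(after, "10.10.5.25", "203.0.113.25", "10.20.1.4"))
```

Take the first snapshot, run the ping from the Azure VM, take the second, and feed both to the script. In the constructed data the decaps counter moves while encaps stays flat, which points at the campus side, and the NAT check shows the post-NAT source falling outside the selector; that is the pattern to expect when the identity NAT rule is missing or ordered after the static NAT. Confirm on the box with `packet-tracer input inside icmp 10.10.5.25 8 0 10.20.1.4` and check which NAT rule the reply hits before the VPN phase.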