Azure S2S Cisco FTD 7.2.4.1 Tunnel Issues

randyclark · ‎08-31-2023

We have a S2S VPN to Azure using our FTD. From time to time the traffic will drop to “a one way street”. Basically we can connect to severs in Azure but data to severs on site cannot be accessed. Example. I can log into Azure server A and can ping Campus sever A. When the event happens. I can log into Azure server A from campus but I can’t ping Campus sever A. Campus sever A has a static NAT. A clear crypto or if I have our Azure person reset the link traffic flows as normal. This has been going on since I was on version 6.5.5. I am on 7.2.4.1 now. To me it seems almost like a NAT issue. TAC hasn’t had any luck. Suggestions?

Cisco_Virtual_Engineer · ‎09-05-2023

There could be several reasons causing a one-way traffic issue with a Cisco FTD S2S VPN to Azure. Here are some possible causes:

1. ACLs: Check if the ACLs on the Cisco FTD and Azure are correctly configured to allow traffic in both directions. Ensure that the source and destination IP addresses and ports are correctly defined in the ACLs.

2. NAT: Make sure that NAT configuration does not interfere with the VPN traffic. Verify that there are no conflicting NAT rules that might affect the traffic flow.

3. Routing: Confirm that the routing tables on the Cisco FTD and Azure are correctly configured to route traffic between the VPN endpoints. Check if there are any missing or incorrect routes that might cause traffic to flow in only one direction.

4. Encryption Domain: Ensure that the encryption domain is correctly defined on both ends of the VPN tunnel. The encryption domain determines which traffic is included in the VPN tunnel. Verify that the local and remote traffic selectors are properly set to capture the desired traffic.

5. IKE and IPSec Parameters: Check if the IKE and IPSec parameters (encryption, authentication, lifetime, etc.) configured on both the Cisco FTD and Azure are compatible and match. Any mismatch in the parameters can prevent the VPN tunnel from establishing or cause traffic issues.

6. VPN Gateway Configuration: Review the configuration of the VPN gateway on Azure. Ensure that the correct VPN type (route-based or policy-based) is selected and that the IKE version is configured correctly to match the Cisco FTD configuration.

If none of these potential causes resolve the one-way traffic issue, it may be necessary to gather more information by performing packet captures, reviewing log files, and using debugging tools to troubleshoot further.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.

Daniel Bell · ‎12-19-2024

I had the same problem in that traffic from Azure would arrive on prem, but traffic back to Azure would not. My problem was asymmetric routing. I have multiple providers on outside interfaces. The S2S established fine. Microsoft Azure support wasn't very helpful and were focused on the PSK as the problem. I pointed out that I get traffic and even proved to them that traffic would not flow if I set the password incorrectly and then set it back to the original password where the traffic would be received on prem. The issue was that while the S2S VPN was established and routing to the VTI for my Azure network was set, I needed to add the IP of the Azure side of the tunnel to route it's /32 address over the interface with the VTI. Once I did this traffic flowed fine. Hope this helps people running into this problem.