05-05-2022 08:14 AM - edited 05-05-2022 08:15 AM
So I am configuring a couple of FTDs in a lab environment. I went through the steps of creating the VPN connection, but I can't get them to establish the tunnel. I will lay out my process below.
My set up is as follows:
2 - FTDs
1 - L3 Switch
2 - PCs
Lab Scenario:
Create a Site-to-Site VPN between the two FTDs and test connectivity over the tunnel.
Process:
I created 4 Vlans on the switch; VLAN 1, 2, 3, 4:
Vlan 1 is 192.168.1.0/24
Vlan 2 is xxx.xxx.2.0/24
Vlan 3 is xxx.xxx.10.0/24
Vlan 4 is xxx.xxx.20.0/24
I turned on routing on the switch and everything is locally connected in the routing table.
On the FTDs inside FMC:
FTD1 - 192.168.1.1 - outside
FTD1 - xxx.xxx.10.1 - inside
FTD2 - xxx.xxx.2.1 - outside
FTD2 - xxx.xxx.20.1 - inside
Devices -> VPN -> Site-to-Site
- Policy Based
- IKEv2
- Endpoints
  - Node A:
    - device name - FTD2
    - Interface - Outside
    - IP - xxx.xxx.2.1
    - Connection Type - Bidirectional
    - Protected Network - xxx.xxx.20.1
  - Node B:
    - device name - FTD1
    - Interface - Outside
    - IP - xxx.xxx.1.1
    - Connection Type - Bidirectional
    - Protected Network - xxx.xxx.10.1
- IKE - Default
  - Manual Pre-Shared Key - PaS$w0rD
- IPsec - Default
- Advanced tab
  - Tunnel - Bypass AC (sysopt permit-vpn)
So this is everything the instructions from Cisco said to do, but the tunnel is not establishing.
05-05-2022 08:39 AM
Has the VPN been established - run "show crypto ipsec sa" from the CLI of the FTDs, provide the output if it has been established.
Are there routes on the switches to send all traffic to the FTD?
Can the FTDs communicate with each other - ping the outside interface of the other FTD from the CLI?
Run packet-tracer from the CLI of the FTD twice and provide the output of the second packet-tracer run.
Can you enable debugging on the FTD and provide the output for review?
05-05-2022 08:50 AM - edited 05-05-2022 08:55 AM
No, they haven't been established yet, and that command shows me "there are no ipsec sas".
Yes, the routes are directly connected.
Yes, I can ping the outside interface on each FTD in both directions.
I'll try PT and Debug now and let you know what it returns
05-05-2022 09:05 AM - edited 05-05-2022 09:05 AM
Output of packet-tracer
> packet-tracer input outside icmp 192.168.1.1 3 3 192.168.2.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.2.1 using egress ifc identity(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560b8b0af854 flow (NA)/NA
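When reading packet-tracer output like the block above, the useful information is the first phase whose Result is DROP (here phase 6, Type VPN, Subtype ipsec-tunnel-flow) together with the Drop-reason code in the final summary ((acl-drop) here). The following parser is an added example, not code from the thread or from Cisco; it splits the output into phases, returns the deciding phase, and extracts the drop code. The embedded sample is the thread's output abbreviated to phases 1, 2 and 6 to keep the example short.

```python
import re

# Constructed sample: the packet-tracer output posted above, trimmed to
# phases 1, 2 and 6 (the remaining ALLOW phases add nothing to the parse).
SAMPLE_OUTPUT = """\
> packet-tracer input outside icmp 192.168.1.1 3 3 192.168.2.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.2.1 using egress ifc identity(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560b8b0af854 flow (NA)/NA
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and a final
    verdict dict (the key/value lines after the bare 'Result:' marker)."""
    phases, verdict = [], {}
    current, in_verdict = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):      # blank line or echoed command
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "info": []}
            phases.append(current)
            continue
        if line == "Result:":                      # bare marker starts the summary
            in_verdict, current = True, None
            continue
        if in_verdict:
            key, _, value = line.partition(":")
            verdict[key.strip().lower()] = value.strip()
            continue
        if current is None:
            continue
        for key in ("Type", "Subtype", "Result"):
            if line.startswith(key + ":"):
                current[key.lower()] = line[len(key) + 1:].strip()
                break
        else:
            # Anything that is not a known header is free-form detail for the phase.
            if line not in ("Config:", "Additional Information:"):
                current["info"].append(line)
    return phases, verdict


def first_drop(phases):
    """Return the first phase that dropped the packet, or None if all allowed."""
    return next((p for p in phases if p["result"].upper() == "DROP"), None)


def drop_code(verdict):
    """Extract the short code in parentheses from the Drop-reason line."""
    m = re.search(r"\((\S+?)\)", verdict.get("drop-reason", ""))
    return m.group(1) if m else None


def summarize(text):
    """One-line summary: which phase decided the fate of the packet."""
    phases, verdict = parse_packet_tracer(text)
    drop = first_drop(phases)
    if drop is None:
        return f"ALLOW after {len(phases)} phases"
    return (f"DROP in phase {drop['phase']} ({drop['type']}/{drop['subtype']}), "
            f"code {drop_code(verdict)} on {verdict.get('input-interface', '?')}")


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```

The summary for the sample reads "DROP in phase 6 (VPN/ipsec-tunnel-flow), code acl-drop on Outside(vrfid:0)". The one thing the parser cannot tell you is whether the flow you traced is the flow you care about: the sample was traced on the outside interface between the two FTDs' own outside addresses, so its verdict says nothing about a PC-to-PC flow entering the inside interface.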
05-05-2022 08:42 AM
Solution
If you use two L3SWs, in each L3SW configure:
ip route LAN-remoteSite FTD inside interface
This makes the traffic go to the FTD inside interface and then through the VPN.
05-05-2022 08:52 AM
05-05-2022 09:01 AM
Then the traffic never uses the tunnel, because it uses InterVLAN routing.
Disable the routing table.
Make the PC default GW the FTD inside interface.
05-05-2022 09:02 AM
so I will need a second L3 Switch?
05-05-2022 09:04 AM - edited 05-05-2022 09:11 AM
Yes, otherwise the InterVLAN routing using the SVI in the SW does not send traffic to the FTD.
Check my workaround:
Disable the routing table.
Make the PC default GW the FTD inside interface.
05-05-2022 01:26 PM
I did both of those and still no luck on getting the VPN established... I am going to see if they will give me another SW to put in and separate them that way... But you have raised a question:
What is the difference between using a separate SW and using two totally different VLANs? The same config will go onto the new switch and it will be physically connected in the same way it was logically. I get what you are saying about inter-VLAN routing, but given that the IPs are in totally different subnets, to the switch, it may as well be on a different switch, right?
05-05-2022 01:37 PM
Using VLANs is the same as using two different SWs,
but did you disable ip routing in the SW?
Did you configure the PC GW to be the FTD inside interface?
Check the VLAN you configured on the port where you connect the source PC and the VLAN you configured on the port where you connect the destination PC.
05-05-2022 01:40 PM - edited 05-05-2022 01:42 PM
Yes, "no ip routing" on the switch, and the gateways on the PCs are 10.1 (FTD1 inside) and 20.1 (FTD2 inside).
05-05-2022 01:48 PM
In FTD1, share the output of this:
packet-tracer input Inside tcp x.x.x.x 12345 y.y.y.y 80 detail
x.x.x.x is the inside subnet of FTD1
y.y.y.y is the remote subnet
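The reason the request above is for a trace entering the Inside interface with a source in FTD1's inside subnet and a destination in the remote subnet is that a policy-based tunnel only encrypts "interesting" traffic: flows whose source falls in the local protected network and whose destination falls in the remote one. The following is an added example, not code from the thread or from Cisco, that applies that match to a few candidate flows and builds the packet-tracer command for a host pair. The thread masks the inside subnets, so the 192.168.10.0/24 and 192.168.20.0/24 values and the .50 host addresses are assumptions for the example; the two outside addresses are the ones shown in the trace posted earlier.

```python
import ipaddress

# Assumed lab addressing for this example. The thread masks the inside
# subnets as xxx.xxx.10.0/24 and xxx.xxx.20.0/24; these values are assumptions.
FTD1_PROTECTED = ["192.168.10.0/24"]
FTD2_PROTECTED = ["192.168.20.0/24"]
FTD1_OUTSIDE = "192.168.1.1"   # from the packet-tracer posted in the thread
FTD2_OUTSIDE = "192.168.2.1"   # from the packet-tracer posted in the thread


def _in_any(addr, nets):
    """True if addr falls inside at least one of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def is_interesting(src, dst, local_nets, remote_nets):
    """Crypto-ACL style match: source in a local protected network AND
    destination in a remote protected network. Any other flow is not
    selected for the tunnel, however the rest of the policy treats it."""
    return _in_any(src, local_nets) and _in_any(dst, remote_nets)


def classify(src, dst, ftd1_nets, ftd2_nets):
    """Say which FTD, if either, would select the flow for the tunnel."""
    if is_interesting(src, dst, ftd1_nets, ftd2_nets):
        return "FTD1 -> FTD2 tunnel"
    if is_interesting(src, dst, ftd2_nets, ftd1_nets):
        return "FTD2 -> FTD1 tunnel"
    return "not interesting traffic"


def tracer_command(src, dst, iface="Inside", proto="tcp", sport=12345, dport=80):
    """Build the packet-tracer command requested above for a hypothetical
    host pair (the interface name must match the FTD's own interface name)."""
    return f"packet-tracer input {iface} {proto} {src} {sport} {dst} {dport} detail"


def lab_report(ftd1_nets=FTD1_PROTECTED, ftd2_nets=FTD2_PROTECTED):
    """Classify a few candidate flows against the protected networks."""
    cases = [
        ("PC1 -> PC2 (inside to remote inside)", "192.168.10.50", "192.168.20.50"),
        ("FTD1 outside -> FTD2 outside (the trace run in the thread)", FTD1_OUTSIDE, FTD2_OUTSIDE),
        ("PC1 -> FTD2 outside", "192.168.10.50", FTD2_OUTSIDE),
        ("PC2 -> PC1 (return direction)", "192.168.20.50", "192.168.10.50"),
    ]
    return [(name, classify(s, d, ftd1_nets, ftd2_nets)) for name, s, d in cases]


if __name__ == "__main__":
    for name, verdict in lab_report():
        print(f"{name}: {verdict}")
    print(tracer_command("192.168.10.50", "192.168.20.50"))
```

Running it shows that only the two PC-to-PC flows are selected for the tunnel; a trace between the FTDs' outside addresses is not interesting traffic and so says nothing about whether the tunnel would carry the PCs' traffic. The same check also shows why the protected network has to cover the hosts that will actually send traffic: with a single host address (a /32) configured as the protected network instead of the subnet, a PC at another address in that subnet is no longer matched.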
05-06-2022 06:54 AM
> packet-tracer input outside icmp 192.168.1.1 3 3 192.168.2.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.2.1 using egress ifc identity(vrfid:0)
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560b8b0af854 flow (NA)/NA
05-06-2022 07:14 AM
From debug
Route-lookup
Destination is locally connected