Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1550
Views
6
Helpful
41
Replies

Cisco FMC RA VPN Issue

Dipak Masurkar
Level 1
Level 1

‎06-26-2023 01:00 AM - edited ‎06-29-2023 12:06 AM

Cisco FMC 1600 after configuring RA vpn not able to connect, but meanwhile trying S2S vpn it is working properly.

1: 13:20:11.748359 1.1.1.1.648 > 10.10.10.5.137: udp 50
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.10.10.5 using egress ifc identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000559e326ae1fa flow (NA)/NA

Labels:
0 Helpful
41 Replies 41

Dipak Masurkar
Level 1
Level 1

‎06-26-2023 01:01 AM

Getting this error while taking capture on FTD.

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to Dipak Masurkar

‎06-26-2023 01:07 AM

Config acl to allow vpn subnet form 

Out->In zone 

Form 

In->Out zone 

0 Helpful

Dipak Masurkar
Level 1
Level 1
In response to MHM Cisco World

‎06-26-2023 01:09 AM

Any to Any rule is already there...

0 Helpful

MHM Cisco World
VIP
VIP
In response to Dipak Masurkar

‎06-26-2023 01:11 AM

Both directions?

0 Helpful

Dipak Masurkar
Level 1
Level 1
In response to MHM Cisco World

‎06-26-2023 01:32 AM

Yes,

 

0 Helpful

Dipak Masurkar
Level 1
Level 1

‎06-26-2023 01:32 AM

 My S2S vpn is working properly.

0 Helpful

MHM Cisco World
VIP
VIP
In response to Dipak Masurkar

‎06-26-2023 01:35 AM

Do same packet tracer but add detail and show me packet tracer you use and result 

0 Helpful

Dipak Masurkar
Level 1
Level 1
In response to MHM Cisco World

‎06-26-2023 02:41 AM - edited ‎06-29-2023 12:07 AM

3 packets captured

1: 13:20:11.748359 1.1.1.1.648 > 10.10.10.5.137: udp 50
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.10.10.5 using egress ifc identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000559e326ae1fa flow (NA)/NA


2: 13:20:13.260682 114.143.128.90.648 > 10.10.10.5.137: udp 50
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.10.10.5 using egress ifc identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000559e326ae1fa flow (NA)/NA


3: 13:20:14.777486 114.143.128.90.648 > 10.10.10.5.137: udp 50
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.10.10.5 using egress ifc identity(vrfid:0)

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000559e326ae1fa flow (NA)/NA


3 packets shown

0 Helpful

Rob Ingram
VIP
VIP
In response to Dipak Masurkar

‎06-26-2023 02:49 AM

@Dipak Masurkar are you troubleshooting why an anyconnect VPN client will not establish a VPN connection? if so, then packet-tracer is not going to give this information, packet-tracer is used for traffic "through" the FTD, not "to".

What protocol is the anyconnect client attempting to use? IPSec or SSL/TLS, if IPSec have you configure the anyconnect XML profile to explictly use IPSec?

What about checking the AnyConnect DART logs for clues?

Run a packet capture on the FTD to determine if there is even a connection attempt.

0 Helpful

Dipak Masurkar
Level 1
Level 1
In response to Rob Ingram

‎06-26-2023 02:57 AM

I am using SSL/TLS .

Can you help me with steps to collect DART logs.

0 Helpful

Rob Ingram
VIP
VIP
In response to Dipak Masurkar

‎06-26-2023 03:48 AM - edited ‎06-26-2023 04:15 AM

@Dipak Masurkar you did not answer the question, are you unable to establish a VPN connection in the first place?

Collect DART logs -

https://community.cisco.com/t5/security-knowledge-base/how-to-collect-the-dart-bundle-for-anyconnect/ta-p/3156025
https://community.cisco.com/t5/vpn/how-to-read-dart-logs-for-anyconnect-troubleshooting/td-p/3359204

Run a packet capture of tcp/443 and udp/443 destined to your outside interace IP address, to confirm inbound traffic.

I notice in another response the outside interface is a private IP address, I assume you have NAT setup correctly for tcp/443 and udp/443 on the device in front of the FTD?

 

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to Dipak Masurkar

‎06-26-2023 02:50 AM

You use public IP in packet trace?

You need to use private IP (ip from vpn pool) in packet trace.

Use private IP and check result again 

0 Helpful

Dipak Masurkar
Level 1
Level 1
In response to MHM Cisco World

‎06-26-2023 02:58 AM

No, I am using source as my laptop public ip and destination as private ip of FTD outside interface.

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to Dipak Masurkar

‎06-26-2023 03:01 AM

This not work friend'

Packet tracer to test anyconnect  neet to use 

Private ip (any ip from vpn pool) and destiantion will be the INside subnet (any ip from INside subnet'that anyconnect allow to connect it)

This must be the way.

0 Helpful
Customers Also Viewed These Support Documents