01-12-2021 11:18 PM
Hi! What do I need to configure on the Firepower 1010 to accept IPSec connections? What happens now: SiteA - FP1010, SiteB - pfSense. When I try to init ipsec from SiteB to SiteA, the FP1010 doesn't accept the isakmp packets:
09:26:49.677339 IP B.B.B.B.500 > A.A.A.A.500: isakmp: phase 1 I ident
09:27:02.664518 IP B.B.B.B.500 > A.A.A.A.500: isakmp: phase 1 I ident
09:27:26.066155 IP B.B.B.B.500 > A.A.A.A.500: isakmp: phase 1 I ident
but if I init ipsec from SiteA to SiteB (by pinging an IP behind SiteB), it is successfully established.
Any ideas why this could happen?
01-13-2021 01:53 AM
01-13-2021 02:41 AM
Already did that but still no luck
01-13-2021 03:04 AM
01-13-2021 03:09 AM
> debug crypto isa
Syntax error: Illegal parameter
> debug crypto
  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  goid        Set crypto map GOID debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  ss-api      Set Crypto Secure Socket API debug levels
  vpnclient   Set EasyVPN client debug levels
trying debug crypto ikev1
01-13-2021 03:21 AM
I don't know how to enable "term mon" with FDM GUI but I've increased buffer logging level to DEBUG but nothing there:
> show logging | include B.B.B.B
>
so looks like firepower just drops all isakmp requests. BTW debug is enabled:
> show debug
debug crypto ikev1 enabled at level 100
debug crypto ike-common enabled at level 100
Conditional debug filters:
Conditional debug features:
>
01-13-2021 04:39 AM
Do the debug from the LINA cli ("system support diagnostic-cli" and then "en").
01-13-2021 04:55 AM
Hi Marvin,
Sorry for the stupid question but:
gb3# terminal monitor
Monitor option not supported for the console.
is there any chance to see debug output like in "good old times"?