616 Views, 0 Helpful, 2 Replies

Firepower S2S VPN

jamesupcott1
Level 1

Hi All

 

We are currently in the process of migrating a number of S2S VPNs from ASA to Firepower. All have been successful, other than one.

 

The issue with the one that isn't working is the following:

- Tunnel forms, both phase 1 and phase 2.
- Traffic traverses the VPN successfully.
- Remote location has ping connectivity over the VPN.
- Incoming traffic is unable to come in via the VPN on other ports, e.g. 3389 (RDP). I have no visibility of this traffic either.

 

I am having trouble diagnosing the problem as I don't have a visual live log. I have carried out packet captures; however, I see nothing. In the FMC event viewer I see the ICMP traffic being permitted through, but nothing else regarding the failed traffic.

 

I applied an ACL permitting all traffic from the remote end, so my ACL is allowing everything, and I have set the ACL to trust, which bypasses our IPS, to ensure that isn't blocking any incoming traffic.

 

Any thoughts or ideas would be appreciated.

 

Kind Regards

James
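
As an added example (not from the original poster or either reply): a sequence of FTD diagnostic-CLI commands that narrows down where the remote site's RDP traffic is being lost, checking in order whether the decrypted packets arrive at all, whether the accelerated security path silently drops them, and what the configured policy does with a synthetic packet. The interface names (`outside`, `inside`), the remote peer address, the two host addresses, and the capture names are assumptions; substitute the real ones. Lines starting with `!` are annotations, not commands.

```cisco
! --- 1. Confirm the tunnel is actually decrypting traffic for this flow ---
! Remote peer 198.51.100.1 is an assumed placeholder. Watch the #pkts decaps
! counter: if it rises when the remote side tries RDP but #pkts encaps does not,
! the request is arriving but the reply never goes back through the tunnel.
> show crypto ipsec sa peer 198.51.100.1

! --- 2. Capture the inner (post-decryption) packets on both interfaces ---
! 203.0.113.10 = remote client (assumed), 10.10.10.20 = local RDP server (assumed).
! A capture keyed on the inner 5-tuple on "outside" shows the decrypted SYN;
! the "inside" capture shows whether it was ever forwarded toward the server.
> capture cap_out interface outside match tcp host 203.0.113.10 host 10.10.10.20 eq 3389
> capture cap_in  interface inside  match tcp host 203.0.113.10 host 10.10.10.20 eq 3389
> show capture cap_out
> show capture cap_in

! --- 3. Catch packets dropped by the fast path (these never reach Snort or FMC events) ---
! Seeing the SYN in cap_out but not cap_in, with an entry here, names the drop reason
! (e.g. a route lookup failure or reverse-path check) rather than leaving it invisible.
> capture asp_drop type asp-drop all
> show capture asp_drop | include 3389
> show asp drop

! --- 4. Ask the box what it would do with the same packet, without waiting for the client ---
! The trace prints each phase (route lookup, access policy, NAT, VPN encryption
! check) and the first phase that returns DROP, which is usually the answer.
> packet-tracer input outside tcp 203.0.113.10 50000 10.10.10.20 3389

! --- 5. Clean up so the captures do not keep consuming buffer ---
> no capture cap_out
> no capture cap_in
> no capture asp_drop
```

The asymmetry worth looking for is ICMP (stateless from the firewall's point of view) succeeding while TCP fails: step 1 shows whether the return path re-enters the tunnel at all, and steps 2 and 3 distinguish "the SYN never arrives decrypted" from "the SYN arrives and the firewall drops it for a reason it does not log to FMC". A trust rule bypasses Snort inspection, so any remaining drop will only be visible through the ASP drop capture or packet-tracer, not in the event viewer.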

 

 

2 Replies

Dennis Mink
VIP Alumni

If you are seeing ICMP traffic from the other end but nothing on port 3389, I would start looking at the other end.

Please remember to rate useful posts, by clicking on the stars below.

Thanks Dennis, but the remote end hasn't changed setup.

 

We have simply lifted our ASA out of the equation and replaced it with Firepower. The VPN worked correctly when the ASA was in place, and the remote end configuration hasn't changed.