FPD-1010 VPN tunnel Traffic 1 way only

Steve Babcock
Level 1

We have FPD-1010 VPNs configured to connect to an ASA-5506-X

 

1. The tunnel between the sites can be created by traffic generated from either end

2. Only VPN traffic from the FPD-1010 flows

3. Any traffic from the ASA does not get through - i.e. cannot ping or browse any items on the FPD or behind the FPD device

 

We created a tunnel from another location using an old 1900 series router and have the same issues - 1 way traffic only although the tunnel can be generated from either end.

 

The manual NAT rules look to be ok - they're the same as we have at another location

 

It just looks like all VPN traffic generated from an outside source is being dropped

 

Where's a good place to start to see what's going on?

 

Steve

 

7 Replies

Marvin Rhoads
Hall of Fame

If traffic from the ASA side isn't appearing on your local network, check the flow using the ASA packet-tracer tool.

Also, check and confirm the ASA's IPsec security associations:

show crypto ipsec sa

 

These are the stats I get when I ping from the ASA to the FPD

 

local crypto endpt.: xxx.xxx.xxx.xxx/500, remote crypto endpt.: yyy.yyy.yyy.yyy/500
path mtu 1492, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F02A8B4F
current inbound spi : 718932BE

inbound esp sas:
spi: 0x718932BE (1904816830)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 209, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4193280/28775)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xF02A8B4F (4029320015)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 209, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4055039/28775)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

 

ASA Trace ends up with :

Result is Packet is allowed

 

 

This is an issue on the FTD end - not the ASA end, as we've tried other VPN connections to the FTD and they all fail in this same manner

 

You've only shared part of the "show ipsec sa" output.

Try checking that at both ends and look for encaps matching decaps at the other end and vice versa.
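The encaps/decaps comparison suggested above can be done mechanically. The script below is an added example (not code from this thread or from Cisco): it pulls the "#pkts encaps" and "#pkts decaps" counters out of `show crypto ipsec sa` output captured on each peer and reports which direction of the tunnel is failing. The two output samples are constructed for the example; the counter-line format follows the usual ASA output, but the addresses and values are invented, and the peer names "ASA"/"FTD" are just labels.

```python
"""Compare IPsec SA packet counters from both ends of a site-to-site tunnel.

Added example, not from the thread or from Cisco. It assumes the standard
ASA/FTD `show crypto ipsec sa` counter lines:
    #pkts encaps: N, #pkts encrypt: N, #pkts digest: N
    #pkts decaps: N, #pkts decrypt: N, #pkts verify: N
Counters reset on rekey, so sample both ends at roughly the same time.
"""
import re
from dataclasses import dataclass

# Constructed sample (values invented): the ASA encapsulates packets toward
# the FTD but never decapsulates anything coming back.
ASA_SA = """\
    local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
    current_peer: 203.0.113.10

      #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample (values invented): the FTD decapsulates everything the
# ASA sent but encapsulates nothing in return, i.e. the replies die inside
# the FTD after decryption.
FTD_SA = """\
    local ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
    current_peer: 192.0.2.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
"""

# Only the encaps/decaps counters matter here; encrypt/digest/decrypt/verify
# do not match this pattern because the word after "#pkts " differs.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


@dataclass
class SaCounters:
    encaps: int = 0
    decaps: int = 0


def parse_counters(text: str) -> SaCounters:
    """Sum the encaps/decaps counters across every SA in one peer's output."""
    counters = SaCounters()
    for name, value in COUNTER_RE.findall(text):
        setattr(counters, name, getattr(counters, name) + int(value))
    return counters


def direction_status(sender: SaCounters, receiver: SaCounters) -> str:
    """Classify one direction by comparing what the sender encapsulated
    with what the receiver decapsulated."""
    if sender.encaps == 0:
        return "no-traffic-sent"
    if receiver.decaps == 0:
        return "lost-before-decrypt"   # never reached the receiver's SA
    if receiver.decaps < sender.encaps:
        return "partial-loss"          # or counters straddle a rekey
    return "delivered"


def diagnose(a_text: str, b_text: str, a_name: str = "A", b_name: str = "B") -> dict:
    """Return per-direction status plus a plain-language verdict."""
    a, b = parse_counters(a_text), parse_counters(b_text)
    a_to_b = direction_status(a, b)
    b_to_a = direction_status(b, a)

    if a_to_b == "delivered" and b_to_a == "delivered":
        verdict = "both directions pass through the tunnel"
    elif a_to_b == "delivered" and b_to_a == "no-traffic-sent":
        verdict = (f"one-way: {b_name} decrypts {a_name}'s packets but sends nothing "
                   f"back; check {b_name}'s post-decryption path (access policy, NAT, routing)")
    elif b_to_a == "delivered" and a_to_b == "no-traffic-sent":
        verdict = (f"one-way: {a_name} decrypts {b_name}'s packets but sends nothing "
                   f"back; check {a_name}'s post-decryption path (access policy, NAT, routing)")
    elif "lost-before-decrypt" in (a_to_b, b_to_a):
        verdict = ("packets leave one peer but never reach the other's SA; "
                   "check the path between peers and the receiver's inbound crypto/ACL")
    else:
        verdict = "inconclusive: re-sample both ends together (counters may span a rekey)"
    return {"a_to_b": a_to_b, "b_to_a": b_to_a, "verdict": verdict}


if __name__ == "__main__":
    for key, val in diagnose(ASA_SA, FTD_SA, "ASA", "FTD").items():
        print(f"{key}: {val}")
```

With the constructed samples the verdict is the thread's symptom: the FTD decrypts what the ASA sends, but nothing is ever encapsulated back, which points at a drop inside the FTD after decryption rather than a problem with the SA itself. In practice, paste each peer's full `show crypto ipsec sa` output in place of the samples.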

Peter Long
Level 1
Was this ever resolved? I'm seeing the same thing. (FTD1010 to ASA 5525)

P

Oh, never mind, fixed it - the FTD doesn't dynamically add traffic flows to allow VPN traffic.

Pete

Even after adding traffic flow, I could not get the VPN to work properly.

I ended up converting it to an ASA where I could see what was going on. Everything worked fine after that.

Hi Steve, thanks for the feedback. I'll get round to writing up how I did it and post the link here later on, for anyone else's benefit.

Glad you got it fixed in the end!

 

EDIT: Here's how I fixed it: 

 

 

Pete