We have FPD-1010 VPNs configured to connect to an ASA-5506-X
1. The tunnel between the sites can be created by traffic generated from either end
2. Only VPN traffic from the FPD-1010 flows
3. Any traffic from the ASA does not get through - i.e. cannot ping or browse any items on the FPD or behind the FPD device
We created a tunnel from another location using an old 1900 series router and have the same issues - 1 way traffic only although the tunnel can be generated from either end.
The manual NAT rules look to be ok - they're the same as we have at another location
It just looks like all VPN traffic generated from an outside source is being dropped
Where's a good place to start to see what's going on?
Steve
If traffic from the ASA side isn't appearing on your local network, check the flow using the ASA packet-tracer tool.
Also, check and confirm the ASA's IPsec security associations:
show crypto ipsec sa
These are the stats I get when I ping from the ASA to the FPD
local crypto endpt.: xxx.xxx.xxx.xxx/500, remote crypto endpt.: yyy.yyy.yyy.yyy/500
path mtu 1492, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F02A8B4F
current inbound spi : 718932BE
inbound esp sas:
spi: 0x718932BE (1904816830)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 209, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4193280/28775)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xF02A8B4F (4029320015)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 209, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4055039/28775)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA Trace ends up with:
Result is Packet is allowed
This is an issue on the FTD end - not the ASA end, as we've tried other VPN connections to the FTD and they all fail in this same manner
You've only shared part of the "show ipsec sa" output.
Try checking that at both ends and look for encaps matching decaps at the other end and vice versa.
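The encaps/decaps comparison suggested above, as an added example that is not part of the thread: a small script that parses the SPI and packet-counter lines of "show crypto ipsec sa" from both peers and reports whether traffic is one-way. The counter line format is the ASA's; the sample outputs are constructed (SPIs reuse the thread's values, packet counts are made up to show the symptom).

```python
import re

# Constructed sample in the format of "show crypto ipsec sa" on the ASA side.
ASA_SIDE = """\
current outbound spi: F02A8B4F
current inbound spi : 718932BE
#pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed sample for the far end (FTD); counters chosen to show one-way traffic.
FTD_SIDE = """\
current outbound spi: 718932BE
current inbound spi : F02A8B4F
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
"""

def parse_sa(text):
    """Pull the SPIs and the encaps/decaps counters out of one peer's output."""
    def grab(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError("missing field: " + pattern)
        return m.group(1)
    return {
        "out_spi": grab(r"current outbound spi:\s*([0-9A-Fa-f]+)").upper(),
        "in_spi": grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)").upper(),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)")),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)")),
    }

def diagnose(local, remote):
    """Compare both ends: SPIs must cross-match, and what one end encaps the
    other should decaps. Returns a list of findings (empty means healthy)."""
    findings = []
    if local["out_spi"] != remote["in_spi"] or local["in_spi"] != remote["out_spi"]:
        findings.append("SPI mismatch: peers are not on the same child SA")
    if local["encaps"] > 0 and remote["decaps"] == 0:
        findings.append("local->remote: encrypted but never decrypted at far end")
    if remote["encaps"] > 0 and local["decaps"] == 0:
        findings.append("remote->local: encrypted but never decrypted locally")
    if local["encaps"] > 0 and remote["encaps"] == 0:
        findings.append("one-way: far end sends nothing back (check its routing/NAT/ACL)")
    return findings

if __name__ == "__main__":
    print(diagnose(parse_sa(ASA_SIDE), parse_sa(FTD_SIDE)))
```

With the constructed samples the ASA's 25 encaps show up as 25 decaps on the FTD, but the FTD encaps nothing, which is the reply being dropped on the far side rather than a broken tunnel.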
Even after adding traffic flow, I could not get the VPN to work properly.
I ended up converting it to an ASA where I could see what was going on. Everything worked fine after that.
Hi Steve, thanks for the feedback. I'll get round to writing up how I did it and post the link here later on, for anyone else's benefit.
Glad you got it fixed in the end!
EDIT: Here's how I fixed it:
Pete