cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1923
Views
2
Helpful
23
Replies

FTD (Behind NAT ISP Modem) FMC site-to-site Fortigate

bristi
Level 1
Level 1

We have Cisco FTD 1150 and I have established a site-to-site tunnel with a FortiGate device. FTD is situated behind (NAT) through an Internet Service Provider (ISP) modem, resulting in a private IP configuration. Despite configuring the connection type as 'Originate Only' instead of bidirectional, I encountered issues with traffic passing through the tunnel. I have tried various solutions, including enabling NAT-Traversal, but the problem persists. Upon analyzing the debug logs, I noticed that the FTD shows both encapsulation and decapsulation counters, while the FortiGate only displays encapsulation counters without any corresponding decapsulation counters. I am seeking assistance in troubleshooting this matter, as it has become a source of frustration for me. Please advise on the information you need from my end to further investigate and resolve this issue. Cisco TAC kept insisting that issue is coming from ISP. Sorry I had to hide the public IP's and replace with x.x.x.x

From FTD

> show crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
Crypto map tag: CSM_outside-goplc1_map, seq num: 2, local addr: 10.11.255.5

access-list 10.10.216.0-interesting-traffic extended permit ip 10.10.216.0 255.255.255.240 10.11.20.0 255.255.255.0 log
Protected vrf (ivrf):
local ident (addr/mask/prot/port): (10.10.216.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.11.20.0/255.255.255.0/0/0)
current_peer: x.x.x.x

#pkts encaps: 7935, #pkts encrypt: 7935, #pkts digest: 7935
#pkts decaps: 6696, #pkts decrypt: 6696, #pkts verify: 6696
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7935, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

From Fortigate

diagnose vpn tunnel list name Headoffice
list ipsec tunnel by names in vd 0
------------------------------------------------------

proxyid_num=1 child_num=0 refcnt=6 ilast=1 olast=0 ad=/0
stat: rxp=0 txp=28837 rxb=0 txb=2420988
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1362
natt: mode=keepalive draft=0 interval=10 remote_port=4500
fec: egress=0 ingress=0
proxyid=Headoffice proto=0 sa=1 ref=3 serial=2
src: 0:10.11.20.0-10.11.20.255:0
dst: 0:10.10.216.0-10.10.216.15:0
SA: ref=3 options=10024 type=00 soft=0 mtu=1422 expire=20765/0B replaywin=0
seqno=1d88 esn=0 replaywin_lastseq=00000000 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=28503/28800
dec: spi=8e3faaa1 esp=aes key=32 8d96bdf6bd394779a9049923ec95ba5ec31ff148eaf4ae93f4d49636d47c39a6
ah=sha256 key=32 fac1966f56b065a08456e5ff0ff6869676728eb0589df65ea417a4811532ee71
enc: spi=0719df97 esp=aes key=32 5f8e16550d144f87eef61b5a7128311e00a197cadf5d0d839d2300fc6d791465
ah=sha256 key=32 4e6bcac979645cd39cff10676468912378773c8edc5cda02b40aa890b523c4e9
dec:pkts/bytes=0/0, enc:pkts/bytes=15118/1874352
npu_flag=00 npu_rgwy=x.x.x.x npu_lgwy=195.158.86.175 npu_selid=e dec_npuid=0 enc_npuid=0
run_tally=0

 

23 Replies 23

First, You need to enable NAT-T on both sides to make this work. Which IKE version are you running? I would go primarily with IKEv2 here.

With the given packet counters, either your modem/router drops outgoing packets or the remote side drops incoming packets. Can you capture packets on the outside of either *your* modem or the device that is in front of the Fortinet? BTW: the problem with hiding IP addresses is that you often overlook IPs in debug or log messages ...

 

Hey Karsten,

NAT-T is activated on both ends, and I'm utilizing IKEv2. The remote peer (Fortigate) is definitely not dropping any packets, as numerous site-to-site configurations exist on that firewall. The remote peer possesses a static public IP, eliminating that as the issue. The complication arises from the FTD. For instance, on the same tunnel, with identical settings but on a different ISP, it functions on the FTD. The only hindrance is with the other ISP, as it employs a PPPoE connection. Unfortunately, PPPoE is not supported on FTD HA units, which is regrettable. Consequently, we are employing a private IP NATed to their modem. Despite trying various solutions, the tunnel is established, but communication with each other's hosts remains unattainable.

Can you test a different modem/router? With these counters, a malfunction on this device is very likely (but not 100% …). I once had a zyxel that dropped NAT-T Packets …

And/or build a test tunnel to a different destination?

It's likely the issue lies with the modem, but I'd like to exhaust all troubleshooting options before drawing any conclusions. Perhaps I can use another modem, such as PFSENSE, configure it as a modem, and give it a try. This way, I'll have full control over it, unlike the ISP's modem. I experimented with various tunnels, and they all exhibit the same behavior when there's a firewall behind NAT. I recall that with the ASA, enabling NAT-T resolved the issue seamlessly. However, the FTD behaves differently from the ASA. Cisco did a poor job with the fact that PPPoE is unsupported on HA units, and this is a recognized issue on these specific models.

For VPNs, FTD is nearly exactly as the ASA. The ASA is still the dataplane for FTD and VPNs run there. PPPoE is a problem, but how should it work in the actual HA model where both interfaces need to communicate. But Yes, I also would like to see an active/passive model for PPPoE where the active unit always has the PPPoE connection.

Hi friend again 
I see the packet pass through Snort, I dont think this is right, can you add prefilter to bypass Snort and check again 
thanks 
MHM

Screenshot (601).png

Hello Friend,

Thanks for reaching out again,

Can you please tell me how to perform this from FMC?

 

sure, please  remove the solve from my post, make this case open until we sure that my suggestion is solve issue 
for prefilter 
https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212700-configuration-and-operation-of-ftd-prefi.html

thanks 
MHM

Sorry, I removed the resolve port, by mistake I clicked on that before. Having said that can we do a remote session please? 

I can share the screen, maybe you will assist me like that