1771 Views | 0 Helpful | 8 Replies

FTD Hub and Spoke VPN issue

ctohang99
Level 1

Hi All,

 

I'm facing a VPN issue with FTD. The VPN tunnels are not able to come up.

 

Error Message:

Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= CSM_Outbound_map. Map Sequence Number = 1.

 

Packet Tracer from spoke:

WARNING: 5 sec waittime expire start 1786243, end 1786244,flags 0, trace 0x00000000000688e7/0x00000000000688e7

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.1.200 using egress ifc Outbound

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,any) source static SGP-Data_Network SGP-Data_Network destination static DC-Data_Network_T2 DC-Data_Network_T2
Additional Information:
NAT divert to egress interface Outbound
Untranslate 10.0.1.200/443 to 10.0.1.200/443

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268439576
access-list CSM_FW_ACL_ remark rule-id 268439576: ACCESS POLICY: Access Control Policy - SGP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268439576: L7 RULE: Monitor_Web_Rule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,any) source static SGP-Data_Network SGP-Data_Network destination static DC-Data_Network_T2 DC-Data_Network_T2
Additional Information:
Static translate 10.0.30.104/5784 to 10.0.30.104/5784

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Inbound
input-status: up
input-line-status: up
output-interface: Outbound
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Any idea to resolve this issue?

Thanks!

8 Replies

balaji.bandi
Hall of Fame

As per your packet trace, it shows as below:

 

Drop-reason: (acl-drop) Flow is denied by configured rule

 

Can you re-run the same packet-tracer by adding "detailed" at the end? This will give more information to identify the issue.

 

Example:

packet-tracer <required information as per the syntax> detailed

BB


Hi, please find the detailed log below.

 

ciscoasa# packet-tracer input Outbound tcp 10.0.30.10 5473 10.0.1.200 443 deta$
WARNING: 5 sec waittime expire start 1290945, end 1290946,flags 0, trace 0x000000000008187f/0x000000000008187f

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b2220323150, priority=1, domain=permit, deny=false
hits=64130508, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Outbound, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.2.3.4 using egress ifc Outbound

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268439576
access-list CSM_FW_ACL_ remark rule-id 268439576: ACCESS POLICY: Access Control Policy - SGP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268439576: L7 RULE: Monitor_Web_Rule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x2b222048fbe0, priority=12, domain=permit, deny=false
hits=2241017, user_data=0x2b2217043a80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b222145da40, priority=7, domain=conn-set, deny=false
hits=635901, user_data=0x2b2221458df0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Outbound, output_ifc=any

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b221f10ec80, priority=0, domain=nat-per-session, deny=false
hits=676527, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b22203287d0, priority=0, domain=inspect-ip-options, deny=true
hits=2459621, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Outbound, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b221f1250f0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=415741, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=Outbound, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b221e9608b0, priority=70, domain=encrypt, deny=false
hits=6, user_data=0x0, cs_id=0x2b2220e74770, reverse, flags=0x0, protocol=0
src ip/id=10.0.30.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.0.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Outbound

Result:
input-interface: Outbound
input-status: up
input-line-status: up
output-interface: Outbound
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
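Reading a "detailed" trace by hand is tedious when it runs to many phases. The script below is an added example (not from this thread, Cisco, or the FTD product) that parses packet-tracer output into phases, pulls the matched rule out of the first phase whose Result is DROP, and reports the final drop reason. SAMPLE_TRACE is a constructed, shortened copy of the spoke's detailed trace above; the function names are mine.

```python
"""Parse Cisco ASA/FTD packet-tracer output and locate the dropping phase.

Added example (not from this thread). SAMPLE_TRACE is a constructed,
shortened copy of the spoke's detailed trace.
"""
import re

SAMPLE_TRACE = """\
WARNING: 5 sec waittime expire start 1290945, end 1290946,flags 0, trace 0x000000000008187f/0x000000000008187f

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b2220323150, priority=1, domain=permit, deny=false

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2b221f1250f0, priority=13, domain=ipsec-tunnel-flow, deny=true

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b221e9608b0, priority=70, domain=encrypt, deny=false
hits=6, user_data=0x0, cs_id=0x2b2220e74770, reverse, flags=0x0, protocol=0
src ip/id=10.0.30.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.0.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=Outbound

Result:
input-interface: Outbound
output-interface: Outbound
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Split packet-tracer output into phase records and the trailing summary."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":          # bare "Result:" opens the final summary block
            in_summary, current = True, None
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            section = None
            phases.append(current)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if in_summary:
            summary[key] = value
        elif current is not None:
            if key in ("type", "subtype", "result"):
                current[key] = value
            elif key == "config" and not value:
                section = "config"
            elif key == "additional information" and not value:
                section = "info"
            elif section:
                current[section].append(line)
    return phases, summary


def matched_rule(phase):
    """Flatten the 'yields rule' lines of a phase into a dict.

    key=value tokens become entries; src/dst lines get a src_/dst_ prefix so
    the two mask/port/tag fields do not collide; bare tokens such as 'reverse'
    or 'use_real_addr' are collected under 'modifiers'."""
    rule = {"modifiers": []}
    for line in phase["info"]:
        if "=" not in line:
            continue
        prefix = ""
        for token in line.split(","):
            k, eq, v = token.strip().partition("=")
            k = k.strip()
            if k.startswith(("src ", "dst ")):
                prefix, k = k[:3] + "_", k[4:]
            if eq:
                rule[prefix + k] = v.strip()
            elif k:
                rule["modifiers"].append(k)
    return rule


def diagnose(text):
    """Return details of the first phase whose Result is DROP, or None."""
    phases, summary = parse_trace(text)
    for p in phases:
        if p["result"] != "DROP":
            continue
        rule = matched_rule(p)
        return {
            "phase": p["phase"], "type": p["type"], "subtype": p["subtype"],
            "domain": rule.get("domain"), "deny": rule.get("deny"),
            "matched_src": f"{rule.get('src_ip/id')}/{rule.get('src_mask')}",
            "matched_dst": f"{rule.get('dst_ip/id')}/{rule.get('dst_mask')}",
            "drop_reason": summary.get("drop-reason"),
        }
    return None


if __name__ == "__main__":
    d = diagnose(SAMPLE_TRACE)
    print(f"dropped in phase {d['phase']} ({d['type']}/{d['subtype']}), "
          f"domain={d['domain']}, deny={d['deny']}")
    print(f"matched crypto entry: {d['matched_src']} -> {d['matched_dst']}")
    print(f"drop reason: {d['drop_reason']}")
```

For this trace the script reports phase 8 (VPN/encrypt) with deny=false and the crypto entry 10.0.30.0/24 to 10.0.1.0/24: the flow matched the crypto map, so the "acl-drop" wording is misleading and the real problem is that no IPsec SA exists to carry the packet, which is the point Marvin Rhoads makes in the next reply. That moves troubleshooting from the access policy to IKE.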

Marvin Rhoads
Hall of Fame

Packet-tracer will drop the traffic as there's no active VPN in which to put the encrypted packet.

 

You are getting the message "Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= CSM_Outbound_map. Map Sequence Number = 1." That normally indicates a lack of matching IKE proposals. Can you confirm there are overlapping proposals on each end (so that one or more will match)?

Hi, may I know how to check? Thanks.

Check the "crypto ipsec" proposal section of both ends. On FTD, you can see that via "show running-config crypto". You didn't mention what the distant end is but you need to run an equivalent command there to confirm that both ends have a proposal in common.

 

An IPsec proposal includes a set of encryption and integrity algorithms/methods that the devices propose as acceptable methods to each other. They must have at least one of each in common to establish a VPN.

Checked, they are the same.

 

Hub (In Tier 2):

crypto ipsec ikev2 ipsec-proposal CSM_IP_1
protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
protocol esp integrity null
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map CSM_Outbound_map_dynamic 1 set ikev2 ipsec-proposal CSM_IP_1
crypto dynamic-map CSM_Outbound_map_dynamic 1 set reverse-route
crypto map CSM_Outbound_map 30000 ipsec-isakmp dynamic CSM_Outbound_map_dynamic
crypto map CSM_Outbound_map interface Outbound
crypto ca trustpool policy
crypto isakmp disconnect-notify
crypto ikev2 policy 2
encryption aes-gcm-256
integrity null
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable Outbound

 

Spoke:

crypto ipsec ikev2 ipsec-proposal CSM_IP_1
protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
protocol esp integrity null
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association pmtu-aging infinite
crypto map CSM_Outbound_map 1 match address CSM_IPSEC_ACL_1
crypto map CSM_Outbound_map 1 set peer 1.2.3.4
crypto map CSM_Outbound_map 1 set ikev2 ipsec-proposal CSM_IP_1
crypto map CSM_Outbound_map 1 set reverse-route
crypto map CSM_Outbound_map interface Outbound
crypto ca trustpool policy
crypto isakmp disconnect-notify
crypto ikev2 policy 3
encryption aes-gcm-256
integrity null
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable Outbound
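Marvin's check (at least one encryption and one integrity method in common in the IPsec proposals, and a matching IKEv2 policy) can be done mechanically on the "show running-config crypto" output of both ends. The script below is an added example, not from this thread or Cisco: it parses the ipsec-proposal and ikev2 policy blocks from two config excerpts and reports the first pair of each that overlaps. HUB_CFG and SPOKE_CFG are constructed copies of the hub and spoke excerpts above; SPOKE_CFG_MISMATCH is a constructed counter-example, and the function names are mine.

```python
"""Check IPsec-proposal and IKEv2-policy overlap between two ASA/FTD configs.

Added example (not from this thread). The config strings are constructed
copies of the hub/spoke excerpts plus one deliberately mismatched spoke.
"""
import re

HUB_CFG = """\
crypto ipsec ikev2 ipsec-proposal CSM_IP_1
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity null
crypto map CSM_Outbound_map interface Outbound
crypto ikev2 policy 2
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
 lifetime seconds 86400
"""

SPOKE_CFG = """\
crypto ipsec ikev2 ipsec-proposal CSM_IP_1
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity null
crypto ikev2 policy 3
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
 lifetime seconds 86400
"""

# Constructed mismatch: a spoke offering only CBC ciphers and DH group 14.
SPOKE_CFG_MISMATCH = """\
crypto ipsec ikev2 ipsec-proposal CSM_IP_1
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev2 policy 3
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
"""


def parse_crypto(cfg):
    """Return (ipsec_proposals, ikev2_policies): name -> {attribute: set}."""
    proposals, policies = {}, {}
    target = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)$", line)
        if m:
            target = proposals.setdefault(
                m.group(1), {"encryption": set(), "integrity": set()})
            continue
        m = re.match(r"crypto ikev2 policy (\d+)$", line)
        if m:
            target = policies.setdefault(
                m.group(1), {"encryption": set(), "integrity": set(),
                             "group": set(), "prf": set()})
            continue
        if line.startswith("crypto "):
            target = None            # some other crypto line (crypto map, trustpool, ...)
            continue
        if target is None:
            continue
        # Sub-lines of a proposal/policy; lifetime is ignored since it need not match.
        m = re.match(r"(?:protocol esp )?(encryption|integrity|group|prf) (.+)$", line)
        if m and m.group(1) in target:
            target[m.group(1)].update(m.group(2).split())
    return proposals, policies


def first_match(local, remote, keys):
    """First (local_name, remote_name, common_values) where every key overlaps."""
    for ln, lp in local.items():
        for rn, rp in remote.items():
            common = {k: lp[k] & rp[k] for k in keys}
            if all(common.values()):
                return ln, rn, common
    return None


def overlap(local_cfg, remote_cfg):
    """Report an overlapping IPsec proposal pair and IKEv2 policy pair, or None each."""
    l_props, l_pols = parse_crypto(local_cfg)
    r_props, r_pols = parse_crypto(remote_cfg)
    return {
        "ipsec": first_match(l_props, r_props, ("encryption", "integrity")),
        "ikev2": first_match(l_pols, r_pols, ("encryption", "integrity", "group", "prf")),
    }


if __name__ == "__main__":
    for label, spoke in (("thread config", SPOKE_CFG), ("mismatch", SPOKE_CFG_MISMATCH)):
        r = overlap(HUB_CFG, spoke)
        print(f"{label}: ipsec overlap={r['ipsec']}, ikev2 overlap={r['ikev2']}")
```

With the hub and spoke excerpts from this thread the script finds a full overlap (AES-GCM proposals with null integrity, which is the expected pairing for an AEAD cipher, and policies 2 and 3 agreeing on encryption, integrity, group 19 and prf sha256), so the proposals themselves do not explain the failure and the IKE debugs suggested below are the next step; with the constructed mismatched spoke it reports None for both, which is the situation the Tunnel Manager message normally points at.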

Cross-check the IKE parameters; it seems to have a mismatch. Also, log in to the FTD
CLI > system support diag. From there run debug crypto ikev1 127.

This guy is using IKEv2. The proper commands would be:

 

In FTD you would need to turn on SSH session debugging in order to get any output.

 

debug cry con peer (peerip)

debug cry ikev2 pro 127

debug cry ikev2 plat 127

 

Bounce the tunnel, then do a packet-tracer.

 

I'd also suggest not using anything GCM; I have seen many issues with this encryption. Also try starting with lower DH, integrity and encryption in order to troubleshoot, as this may be another factor.

 

Do you see phase one being built? Check "show cry ikev2 sa"; what does it say?