01-17-2026 12:44 AM
Hello, I have the following issue.
On my FTD, one of the gateways on the TEST side is 172.12.100.240.
I also have a Site-to-Site VPN configured, and I want to reach the gateway address 192.168.40.20 through this tunnel.
The tunnel includes the entire network 172.12.100.0/24, and hosts within this network can access remote resources without any issues.
However, when I tried to test the connectivity from the FTD CLI itself, I received the following result:
TEST-network = 172.12.100.0/24
> packet-tracer input TEST tcp 172.12.100.240 40000 192.168.40.20 3389
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (TEST,Internet) source static TEST-network TEST-network destination static 192.168.40.0/24 192.168.40.0/24 no-proxy-arp
Additional Information:
NAT divert to egress interface Internet(vrfid:0)
Untranslate 192.168.40.20/3389 to 192.168.40.20/3389
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: TEST(vrfid:0)
input-status: up
input-line-status: up
output-interface: Internet(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
In summary:
Traffic from hosts in 172.12.100.0/24 works fine through the Site-to-Site VPN
Traffic sourced from the FTD itself (172.12.100.240) is dropped by an implicit ACL rule
I would appreciate any guidance on how to properly allow FTD-sourced traffic through the VPN.
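The packet-tracer output quoted above can be read mechanically rather than by eye. The script below is an added example (not part of this thread and not Cisco tooling): it parses the per-phase records and the trailing result block, then reports which phase dropped the packet, on which rule, and with what drop reason. The sample input is a copy of the output in the post; the function and class names are my own.

```python
"""Parse Cisco ASA/FTD packet-tracer output into phases and locate the drop."""
import re
from dataclasses import dataclass, field

# Constructed sample input: a copy of the packet-tracer output quoted in the post
# above, embedded here so the parser runs offline.
SAMPLE_OUTPUT = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (TEST,Internet) source static TEST-network TEST-network destination static 192.168.40.0/24 192.168.40.0/24 no-proxy-arp
Additional Information:
NAT divert to egress interface Internet(vrfid:0)
Untranslate 192.168.40.20/3389 to 192.168.40.20/3389
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: TEST(vrfid:0)
input-status: up
input-line-status: up
output-interface: Internet(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    """One 'Phase: N' record of packet-tracer output."""
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under 'Config:'
    info: list = field(default_factory=list)     # lines under 'Additional Information:'


_PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
_SECTIONS = {"Config:": "config", "Additional Information:": "info"}


def parse_packet_tracer(text):
    """Return (phases, summary): the per-phase records and the final result block."""
    phases, summary = [], {}
    current, section, in_summary = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PHASE_RE.match(line)
        if m:                              # start of a new phase record
            current = Phase(number=int(m.group(1)))
            phases.append(current)
            section, in_summary = None, False
            continue
        if line == "Result:":              # a bare 'Result:' opens the summary block
            in_summary, current, section = True, None, None
            continue
        if in_summary:                     # 'key: value' lines of the summary
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue                       # text before the first phase
        if line in _SECTIONS:              # 'Config:' / 'Additional Information:'
            section = _SECTIONS[line]
            continue
        if section is not None:            # free-form lines belong to the open section
            getattr(current, section).append(line)
            continue
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in ("type", "subtype", "result"):
            setattr(current, key, value.strip())
    return phases, summary


def drop_phase(phases):
    """First phase whose Result is DROP, or None if every phase allowed the packet."""
    return next((p for p in phases if p.result.upper() == "DROP"), None)


def explain(text):
    """One-line diagnosis: which phase dropped the packet, on which rule, and why."""
    phases, summary = parse_packet_tracer(text)
    dropped = drop_phase(phases)
    if dropped is None:
        return "allowed: {} phases, egress {}".format(
            len(phases), summary.get("output-interface", "?"))
    return "dropped in phase {} ({}) by '{}': {}".format(
        dropped.number, dropped.type, " ".join(dropped.config),
        summary.get("Drop-reason", "no reason given"))


if __name__ == "__main__":
    print(explain(SAMPLE_OUTPUT))
```

Run against the quoted output it reports the phase 2 ACCESS-LIST drop on the implicit rule with reason `acl-drop`, which is the fact the later replies explain: packet-tracer evaluates "through" traffic against the access policy, so a flow sourced from the interface address itself hits the implicit deny.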
01-17-2026 12:55 AM - edited 01-17-2026 04:41 AM
@ElizabethKh using the FTD's physical interface IP address would not work with packet tracer. However, you've proved "through" traffic works over the VPN, so the VPN is working. If you just want to test with real traffic from the FTD itself, create a loopback interface on the FTD (requires version 7.4+) and use that as the source.
01-17-2026 01:02 AM
Thank you so much for clarifying,
I don't have a loopback because my FTD version is
I want my physical interface to have access to this server 192.168.40.20
01-17-2026 04:40 AM
@ElizabethKh packet tracer is for "through" traffic not for self-generated traffic, so you won't get the desired result using packet tracer.
If you wish to generate real traffic from the FTD (or ASA) itself, you can source it from a loopback, therefore you'd need to upgrade if you actually want that functionality.
01-18-2026 05:23 AM
Hi,
If you need FTD generated traffic from physical interface X to be allowed and reach a destination over an IPsec tunnel, it's not gonna work. For such purpose, you need to generate FTD traffic sourced from Loopback interface.
Other than building an IPsec tunnel sourced from the Loopback on the FTD, for any other traffic sourced from the Loopback you need to run minimum version 7.4, see here the list of supported traffic sourced from the Loopback:
Thanks,
Cristian.