Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
861
Views
0
Helpful
2
Replies

IPSEC VPN || FTD-7-710006: ESP request discarded

priyaranjan.das
Level 1
Level 1

‎04-10-2022 02:49 PM

Hi Team,

We have a S2S VPN with IKEv1 configuration between Cisco Firepower ver 6.4.0.9 and Checkpoint(on AWS) ver R80.10.

All VPN parameters match exactly but the VPN even though shows active it does not allow any traffic flow, few hours before the the Phase 1 Lifetime expires.

The only way to make it work is doing a VPN Phase 1 reset which immediately restores the tunnel. The next days the issue reoccurs with the same logs and we have to perform reset.

We get following logs on Firepower:

%FTD-7-710006: ESP request discarded from <Remote GW IP> to Port-Channel-3.2003-External:<Local GW IP>

 

Is there a known issue between Cisco & Checkpoint or could be due to a configuration mismatch at one end. We have verified the VPN Phase 1 and Phase 2 config multiple times and it matches exactly. Any inputs please would be helpful.

Labels:
0 Helpful
2 Replies 2

MHM Cisco World
VIP
VIP

‎04-10-2022 03:26 PM - edited ‎04-10-2022 03:27 PM

IKEv1 or IKEv2?
IKEv2 after finish Phase2 they build Key with PFS and then they regenerate the key if you not enable this in both side then the traffic is drop.

0 Helpful

Sheraz.Salim
VIP
VIP

‎04-11-2022 04:18 AM


Is the FTD setup for VPN correctly. what is your tunnel group configuration. If outbound is working and inbound is not working, then that
means the FTD is not able to receive the VPN traffic properly.

what is the config on the show run cry map

please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents