
Logs for Firepower 1120 and AWS Site-to-Site VPN

ea_msk
Level 1

I am trying to configure a Site-to-site VPN between our company and AWS. I entered the Firepower web interface and configured the Tunnel IP, encryption protocols and also the keys (IKEv1). I made sure to follow exactly the instructions from the AWS configuration file, without success.


My goal for the time being is just to connect the Firepower to one of the Tunnels AWS has, but it does not matter what I do, I only see the status DOWN. Previously, I tried to configure a machine inside the network to connect to the tunnels using strongswan and I could see the status as UP. But with our firewall that is not possible.


My question is: where do I find the log files for the VPN, especially the connection between the Firepower device and the Amazon Tunnel?

5 Replies

@ea_msk 

You are using a route based VPN, did you configure a static route or setup BGP in order to route traffic over the VPN?

Has the tunnel been established? Log in to the CLI and run "show crypto ipsec sa", and provide the output for review.

If the tunnel has not established, you can enable debug logs using "debug crypto ikev1 128" and provide the output for review.

1) I added a static route;

2) The tunnel has not been established. I cannot see it connected from the Amazon side - as I could with the test I did using strongswan installed in a separate machine.

3) debugging crypto gives me the following:


> show crypto ikev1 stats

Global IKEv1 Statistics
  Active Tunnels:              0
  Previous Tunnels:            0
  In Octets:               58752
  In Packets:                306
  In Drop Packets:           310
  In Notifys:                  0
  In P2 Exchanges:             0
  In P2 Exchange Invalids:     0
  In P2 Exchange Rejects:      0
  In P2 Delay Ex Rejects:      0
  In P2 Sa Delete Requests:    0
  In P2 Dup Remote Proxy:      0
  Out Octets:              62424
  Out Packets:               306
  Out Drop Packets:            0
  Out Notifys:               306
  Out P2 Exchanges:            0
  Out P2 Exchange Invalids:    0
  Out P2 Exchange Rejects:     0
  Out P2 Sa Delete Requests:   0
  Initiator Tunnels:           0
  Initiator Fails:             0
  Responder Fails:           306
  System Capacity Fails:       0
  Auth Fails:                  0
  Decrypt Fails:               0
  Hash Valid Fails:            0
  No Sa Fails:                 0

IKEV1 Call Admission Statistics
  Max In-Negotiation SAs:                 49
  In-Negotiation SAs:                      0
  In-Negotiation SAs Highwater:            1
  In-Negotiation SAs Rejected:             0
> show crypto ikev1 sa

There are no IKEv1 SAs
> show crypto ikev1 ipsec-over-tcp

Global IKEv1 IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

I can see no data has been sent or received, but that must be because the connection has not been established. Is there a way to see the handshake log or something like that?
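The counters in this post already narrow things down: "Initiator Tunnels" is 0, "Responder Fails" equals "In Packets" and "Out Notifys" (306), "In P2 Exchanges" is 0, and "Auth Fails", "Decrypt Fails" and "Hash Valid Fails" are all 0. That reads as the peer doing all the initiating and this side rejecting every attempt before phase 2 and before authentication. Below is an added example, not code from the thread or from Cisco, that parses `show crypto ikev1 stats` output and applies exactly those heuristics. The sample text is the output posted above; the finding codes and their wording are this example's own, and `debug crypto ikev1 128` is still the way to see the actual proposal exchange.

```python
"""Triage helper for the `show crypto ikev1 stats` counters an FTD/ASA prints.

Added example for this thread; it is not Cisco tooling and not code from any
poster.  It only parses the text of the command output and applies a few
heuristics, so it runs anywhere Python runs.
"""
import re

# Constructed sample: the counters posted above, trimmed to the ones used here.
SAMPLE_STATS = """\
Global IKEv1 Statistics
  Active Tunnels:              0
  Previous Tunnels:            0
  In Octets:               58752
  In Packets:                306
  In Drop Packets:           310
  In Notifys:                  0
  In P2 Exchanges:             0
  Out Octets:              62424
  Out Packets:               306
  Out Drop Packets:            0
  Out Notifys:               306
  Out P2 Exchanges:            0
  Initiator Tunnels:           0
  Initiator Fails:             0
  Responder Fails:           306
  System Capacity Fails:       0
  Auth Fails:                  0
  Decrypt Fails:               0
  Hash Valid Fails:            0
  No Sa Fails:                 0
"""

# One 'Name:   N' counter line; header lines without a colon are ignored.
COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9 -]*?):\s+(\d+)\s*$")


def parse_ikev1_stats(text):
    """Map every counter line of the command output to {Name: int}."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group(1).strip()] = int(m.group(2))
    return stats


# Heuristic findings (this example's own codes), in the order to check them.
EXPLANATION = {
    "phase1_up": "an IKEv1 SA exists; if traffic still fails, look at phase 2 and routing",
    "no_ike_traffic": "no IKE packets either way: check UDP/500 reachability, the peer "
                      "address and the interface the crypto map is bound to",
    "never_initiated": "this side never started IKE: either nothing matched the crypto "
                       "ACL yet or the peer is doing all the initiating",
    "rejected_as_responder_before_auth": "every inbound attempt failed with no phase 2 "
                                         "and no auth/decrypt failure: look for a phase-1 "
                                         "proposal or tunnel-group mismatch",
    "auth_or_integrity_failure": "auth, decrypt or hash failures: pre-shared key or hash mismatch",
    "inbound_ike_dropped": "the IKE process dropped inbound packets",
}


def triage_ikev1(stats):
    """Return finding codes (keys of EXPLANATION) for one stats snapshot."""
    g = stats.get
    if g("Active Tunnels", 0) > 0:
        return ["phase1_up"]
    if g("In Packets", 0) == 0 and g("Out Packets", 0) == 0:
        return ["no_ike_traffic"]
    findings = []
    if g("Initiator Tunnels", 0) == 0:
        findings.append("never_initiated")
    if g("Auth Fails", 0) or g("Decrypt Fails", 0) or g("Hash Valid Fails", 0):
        findings.append("auth_or_integrity_failure")
    elif g("Responder Fails", 0) > 0 and g("In P2 Exchanges", 0) == 0:
        findings.append("rejected_as_responder_before_auth")
    if g("In Drop Packets", 0) > 0:
        findings.append("inbound_ike_dropped")
    return findings


if __name__ == "__main__":
    for code in triage_ikev1(parse_ikev1_stats(SAMPLE_STATS)):
        print(f"{code}: {EXPLANATION[code]}")
```

Paste the real command output into `SAMPLE_STATS` (or read it from a file) and run the script; take a second snapshot a minute later to confirm the counters are still climbing, which tells you the peer is actively retrying rather than showing stale history.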

That's not the debug information, as I said before - you can enable debug logs using "debug crypto ikev1 128" and provide the output for review.


Provide the output of "show running-config" for review and the AWS link you used to configure the VPN so I can compare for you.

I did enable crypto debug, but I thought the show command would display more useful information.


> show running-config
: Saved
:
: Diagnostic interface mode: BRIDGE
:

: 
: Serial Number: J********
: Hardware:   FPR-1120, 5274 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (12 cores)
:
NGFW Version 6.7.0.1 
!
hostname firewall01
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto



!
interface Ethernet1/1
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 8.51.12.13 255.255.255.248 
!
interface Ethernet1/2
 nameif inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 180.10.0.254 255.255.0.0 
!
interface Ethernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/9
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/10
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/11
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/12
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup inside
dns domain-lookup outside
dns server-group CiscoUmbrellaDNSServerGroup
 name-server 208.67.222.222 
 name-server 208.67.220.220 
dns server-group GoogleDNSGroup
 name-server 8.8.8.8 
 name-server 8.8.4.4 
dns server-group ProviderDNSServerGroup
 name-server 9.101.85.1 
 name-server 9.101.85.2
dns-group GoogleDNSGroup
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network any-ipv6
 subnet ::/0
object network git.wok.intranet
 host 180.10.0.92
object network any-ipv4-network
 subnet 0.0.0.0 0.0.0.0
object network intranet-ipv4
 subnet 180.10.0.0 255.255.0.0
object network provider.gateway
 host 200.13.55.89
object network openswan.wok.intranet
 host 180.10.0.34
object network firewall01.wok.intranet
 host 180.10.0.254
object network site.office
 host 200.13.50.23
object network www2.wok.com
 host 4.4.12.11
object network external.wok.intranet
 host 180.10.0.33
object network svaneke.wok.intranet
 host 180.10.0.67
object network aws-intranet-eu-1a
 subnet 162.16.0.0 255.255.0.0
object network lnx1.wok.intranet
 host 180.10.25.74
object network aws-tun-1
 host 3.2.7.127
object network aws-tun-2
 host 3.2.7.128
object service _|NatOrigSvc_awb8145a-1179-11ac-78cd-11cwef2a3a16
 service tcp source eq https 
object service _|NatMappedSvc_cef8067a-8180-11eb-83cd-35c7ef2f3a56
 service tcp source eq https 
object service _|NatOrigSvc_81aa647a-8195-11eb-83cd-712a1b510398
 service udp source eq 1194 
object service _|NatMappedSvc_81aa647a-8195-11eb-17fd-774f0b510398
 service udp source eq 1194 
object service _|NatOrigSvc_67a5011b-8191-11eb-23cd-01d66cca9234
 service tcp source eq ssh 
object service _|NatMappedSvc_12a8161aa-8191-88af-83cd-01d66cca9234
 service tcp source eq 15126 
object service _|NatOrigSvc_2d2ff540-8195-11eb-83cd-47d867e5e435
 service tcp source eq ssh 
object service _|NatMappedSvc_2d2ff540-8195-11eb-83cd-47d867e5e435
 service tcp source eq 15445 
object-group service |acSvcg-268435469
 service-object tcp destination eq https 
 service-object udp destination eq 1194 
object-group service |acSvcg-268435473
 service-object tcp destination eq ssh 
object-group service |acSvcg-268435472
 service-object tcp destination eq ssh 
object-group service |acSvcg-268435466
 service-object ip 
object-group network |s2sAclSrcNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5
 network-object object intranet-ipv4
object-group network |s2sAclDestNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5
 network-object object aws-intranet-eu-1a
access-list NGFW_ONBOX_ACL remark rule-id 268435469: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435469: L5 RULE: Out_In_remoteX
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435469 ifc outside any ifc inside object external.wok.intranet rule-id 268435469 
access-list NGFW_ONBOX_ACL remark rule-id 268435473: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435473: L5 RULE: Atom_In_git
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435473 ifc outside object www2.wok.com ifc inside object git.wok.intranet rule-id 268435473 
access-list NGFW_ONBOX_ACL remark rule-id 268435472: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435472: L5 RULE: Out_In_remoteO
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435472 ifc outside any ifc inside object openswan.wok.intranet rule-id 268435472 
access-list NGFW_ONBOX_ACL remark rule-id 268435466: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435466: L5 RULE: In_Out_Traffic
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc outside any rule-id 268435466 
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 
access-list |s2sAcl|e31bda2d-b880-11eb-9410-a3592e1b7dd5 extended permit ip object-group |s2sAclSrcNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 object-group |s2sAclDestNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 
pager lines 24
logging enable
logging timestamp
logging list debugging_filter level debugging class ip
logging list debugging_filter level debugging class np
logging list debugging_filter level debugging class ospf
logging buffer-size 20000
logging console debugging
logging buffered critical
logging permit-hostdown
mtu diagnostic 1500
mtu inside 1500
mtu outside 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static |s2sAclSrcNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 |s2sAclSrcNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 destination static |s2sAclDestNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 |s2sAclDestNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 no-proxy-arp route-lookup
nat (inside,outside) source static external.wok.intranet interface service _|NatOrigSvc_awb8145a-1179-11ac-78cd-11cwef2a3a16 _|NatMappedSvc_cef8067a-8180-11eb-83cd-35c7ef2f3a57
nat (inside,outside) source static external.wok.intranet interface service _|NatOrigSvc_81aa647a-8195-11eb-83cd-774f0b510398 _|NatMappedSvc_81aa647a-8195-11eb-83cd-774f0b510398
nat (inside,outside) source static openswan.wok.intranet interface service _|NatOrigSvc_12a8161aa-8191-88af-83cd-01d66cca9234 _|NatMappedSvc_12a8161aa-8191-88af-83cd-01d66cca9234
nat (inside,outside) source static git.wok.intranet interface service _|NatOrigSvc_2d2ff540-8195-11eb-83cd-47d867e5e435 _|NatMappedSvc_2d2ff540-8195-11eb-83cd-47d867e5e435
nat (inside,outside) source static any interface
nat (outside,inside) source static aws-intranet-eu-1a intranet-ipv4
nat (inside,outside) source static intranet-ipv4 aws-intranet-eu-1a
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 200.13.55.89 1
route outside 162.16.0.0 255.255.0.0 3.2.7.127 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http ::/0 inside
http 0.0.0.0 0.0.0.0 inside
ip-client outside ipv6
ip-client outside
ip-client inside ipv6
ip-client inside
ip-client diagnostic ipv6
ip-client diagnostic
snmp-server group AUTH v3 auth 
snmp-server group PRIV v3 priv 
snmp-server group NOAUTH v3 noauth 
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set AWS-IPSEC-VPN esp-aes-256 esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|e31bda2d-b880-11eb-9410-a3592e1b7dd5
crypto map s2sCryptoMap 1 set pfs 
crypto map s2sCryptoMap 1 set peer 3.2.7.127 
crypto map s2sCryptoMap 1 set ikev1 transform-set AWS-IPSEC-VPN
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 4
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh ::/0 inside
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client 
 webvpn
  anyconnect ssl dtls none
group-policy |s2sGP|3.2.7.127 internal
group-policy |s2sGP|3.2.7.127 attributes
 vpn-tunnel-protocol ikev1 
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 3.2.7.127 type ipsec-l2l
tunnel-group 3.2.7.127 general-attributes
 default-group-policy |s2sGP|3.2.7.127
tunnel-group 3.2.7.127 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
  inspect snmp 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
app-agent heartbeat interval 1000 retry-count 3
snort preserve-connection
no dp-tcp-proxy
Cryptochecksum:a67ff12b89e324a1123ee6fe4179e126
: end


Doesn't say much, to be fair.