04-28-2023 04:39 AM
The tunnel is always up but the child objects keep disappearing from the tunnel.
I have to run the packet trace to simulate a PING from the interest IP to the NAT IP to bring the hosts back into the tunnel.
firepower# packet-tracer input inside icmp 10.14.90.70 8 0 10.1.2.164
I have to run the above command 4 times to bring all 4 hosts back to the tunnel. Then I check the tunnel with the following command to confirm that 4 host IPs are showing:
firepower# sh crypto ipsec sa peer <peer ip> | inc ip
What would cause the child objects to disappear from the tunnel and is there a way to get notified?
04-28-2023 04:43 AM
@Shao it's because it's a policy-based VPN and interesting traffic needs to be generated to maintain the IPSec SA.
If you used a route-based VPN (VTI) on the FTD, the tunnel would always be up.
04-28-2023 06:48 AM
Thank you for the info.
I do not see VTI on the FTD. When I try to add interfaces, I only see Sub Interface and Bridge Group Interface. Is it because of the FTD version I am running? I have a Firepower 9000 SM-44 running version 6.6.5.
04-28-2023 07:00 AM
@Shao ok, VTI was only introduced in 6.7, you'd have to upgrade to get that functionality.
I assume your problem is because there is no traffic being sent and the IPSec SA timer expired. If you don't wish to upgrade, you just need to continually generate interesting traffic: send a ping to a device on the other side of the VPN tunnel. You can use EEM or IP SLA or our Network Management System.
04-28-2023 07:50 AM
This is what I get when I run sh crypto isakmp sa, and to me it looks like an empty tunnel...lol
IKEv2 SAs:
Session-id:132489, Status:UP-IDLE, IKE count:1, CHILD count:0
Tunnel-id Local Remote Status Role
194732305 <my IP>/4500 <peer IP>/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/17117 sec
I asked the system co-owner to run a continuous PING from the box, and he is not sure if he is permitted to do so.
I am interested to learn about EEM, IP SLA or Network Management System.
Thank you,
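As a way to get the notification asked about in the opening post, this added example (not from the thread or from Cisco) parses the sh crypto isakmp sa output shown above and flags IKE SAs that report CHILD count:0. The sample output, the second session and the peer addresses are constructed.

```python
import re

# Constructed sample modelled on the "sh crypto isakmp sa" output quoted above.
# Session 132489 mirrors the thread (IKE SA up, CHILD count:0); session 132490
# is an added healthy peer. Addresses are documentation placeholders.
SAMPLE_OUTPUT = """\
IKEv2 SAs:

Session-id:132489, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local              Remote               Status  Role
194732305 192.0.2.10/4500    198.51.100.20/4500   READY   INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/17117 sec

Session-id:132490, Status:UP-ACTIVE, IKE count:1, CHILD count:2

Tunnel-id Local              Remote               Status  Role
194732306 192.0.2.10/4500    203.0.113.30/4500    READY   RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/120 sec
"""

SESSION_RE = re.compile(r"Session-id:(\d+), Status:([\w-]+), IKE count:(\d+), CHILD count:(\d+)")
TUNNEL_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
LIFE_RE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+) sec")


def parse_ikev2_sa(text):
    """Return one dict per IKEv2 session found in the show output."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SESSION_RE.search(line):
            sid, status, ike, child = m.groups()
            sessions.append({"sid": int(sid), "status": status,
                             "ike": int(ike), "child": int(child)})
        elif sessions and (m := TUNNEL_RE.match(line)):
            tid, _local, remote, _state, role = m.groups()
            sessions[-1].update(tunnel_id=int(tid), remote=remote.split("/")[0], role=role)
        elif sessions and (m := LIFE_RE.search(line)):
            sessions[-1].update(lifetime=int(m[1]), active=int(m[2]))
    return sessions


def empty_tunnels(sessions):
    """IKE SAs that are up but carry no child (IPsec) SA: the 'empty tunnel' state."""
    return [s for s in sessions if s["ike"] > 0 and s["child"] == 0]
```

Run it periodically against the real command output (for example via SSH from a monitoring host) and raise an alert whenever empty_tunnels() is non-empty; an IKE SA with a high Active Time but no child SA is exactly the state the thread describes.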
04-28-2023 07:53 AM - edited 04-28-2023 07:56 AM
INITIATOR <<- this side is the INITIATOR, so only this side can start building the child IKE SA;
you need to make the other side the INITIATOR.
Then there is no need for EEM or IP SLA.
Tunnel-id Local Remote Status Role
194732305 <my IP>/4500 <peer IP>/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/17117 sec
04-28-2023 05:36 AM
That's an interesting question.
Let's start troubleshooting.
Now, is your FW the initiator, or responder only?
04-28-2023 07:54 AM
Talked with the application owner. Sounds like we are the responders.
The vendor runs the SQL connections to grab our data.
04-28-2023 07:55 AM
No, your FW is the initiator, as you shared above.
04-28-2023 10:05 AM
Checked with the vendor side and they are set as INITIATOR.
How do I flip my end from INITIATOR to the RESPONDER role?
04-28-2023 10:08 AM
@Shao if the VPN has already been working, it is likely your device is configured as bidirectional (meaning you can be either initiator or responder) - this setting is the default.
If the vendor is downloading from your server, get them to probe your server using a ping from their system. That will ensure the tunnel stays up.
04-28-2023 10:12 AM
I believe I found the answer. Changed from Bidirectional to Answer-Only for the Connection Type.
04-28-2023 10:15 AM
@Shao that means you cannot establish the tunnel if it is down (as you said you did in the first post), the peer must initiate the tunnel. That might suffice for normal operation, but won't help keep the tunnel up.
04-28-2023 10:23 AM - edited 04-28-2023 10:27 AM
Please check my above comment.
Thanks
MHM
04-28-2023 10:26 AM
Sorry, if the other side changes to be the initiator,
then there is no need for any change on your side.
Just keep the VPN status.
Thanks
MHM