1199 Views, 3 Helpful, 15 Replies

Losing Child Objects in Site to Site

Shao
Level 1

The tunnel is always up but the child objects keep disappearing from the tunnel.

I have to run the packet tracer to simulate a PING from the interesting IP to the NAT IP to bring the hosts back into the tunnel.


firepower# packet-tracer input inside icmp 10.14.90.70 8 0 10.1.2.164


I have to run the above command 4 times to bring all 4 hosts back to the tunnel. Then I check the tunnel with the following command to confirm that the 4 host IPs are showing:

firepower# sh crypto ipsec sa peer <peer ip> | inc ip


What would cause the child objects to disappear from the tunnel and is there a way to get notified?


1 Accepted Solution

Accepted Solutions

@Shao if the VPN has already been working, it is likely your device is configured as bidirectional (meaning you can be either initiator or responder) - this setting is the default.

If the vendor is downloading from your server, get them to probe your server using a ping from their system. That will ensure the tunnel stays up.


15 Replies

@Shao it's because it's a policy-based VPN and interesting traffic needs to be generated to maintain the IPSec SA.

If you used a route-based VPN (VTI) on the FTD the tunnel would always be up.

Thank you for the info.

I do not see VTI on the FTD. When I try to add interfaces, I only see Sub Interface and Bridge Group Interface. Is it because of the FTD version I am running? I have a Firepower 9000 SM-44 running version 6.6.5.


@Shao ok, VTI was only introduced in 6.7, you'd have to upgrade to get that functionality.

I assume your problem is because there is no traffic being sent and the IPSec SA timer expired. If you don't wish to upgrade, you just need to continually generate interesting traffic: send a ping to a device on the other side of the VPN tunnel. You can use EEM, IP SLA or your Network Management System.

This is what I get when I run sh crypto isakmp sa, and to me it sounds like an empty tunnel...lol

IKEv2 SAs:

Session-id:132489, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
194732305 <my IP>/4500 <peer IP>/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/17117 sec


I asked the system co-owner to run a continuous PING from the box, and he is not sure if he is permitted to do so.


I am interested to learn about EEM, IP SLA or Network Management System.


Thank you,
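The original question asks whether there is a way to get notified when the child SAs vanish. The thread does not include any monitoring code; the following is an added example (not from the thread or from Cisco) that parses the "sh crypto isakmp sa" output format quoted above and flags an IKEv2 session whose IKE SA is up but whose CHILD count is 0. It assumes you already collect that show output out of band (a scheduled SSH job or your network management system, not shown here) and pass the captured text to these functions. The sample output embedded below is constructed from the quoted lines, with the redacted addresses replaced by RFC 5737 documentation addresses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the "sh crypto isakmp sa" output quoted in the thread,
# with <my IP> / <peer IP> replaced by documentation addresses.
SAMPLE_OUTPUT = """\
IKEv2 SAs:

Session-id:132489, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
194732305 192.0.2.10/4500 198.51.100.20/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/17117 sec
"""

# Constructed "healthy" variant: same session, but with child SAs present.
HEALTHY_OUTPUT = SAMPLE_OUTPUT.replace("CHILD count:0", "CHILD count:4")

# One line per IKEv2 session: session id, status and the IKE / CHILD SA counts.
SESSION_RE = re.compile(
    r"Session-id:(?P<session>\d+),\s*Status:(?P<status>[\w-]+),\s*"
    r"IKE count:(?P<ike>\d+),\s*CHILD count:(?P<child>\d+)"
)
# One line per tunnel: id, local addr/port, remote addr/port, status, role.
# The "Tunnel-id Local Remote Status Role" header does not start with a digit,
# so it is skipped automatically.
TUNNEL_RE = re.compile(
    r"^(?P<tunnel>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<role>\S+)\s*$"
)


def parse_ikev2_sas(text: str) -> List[Dict]:
    """Parse the IKEv2 section of 'show crypto isakmp sa' into a list of sessions."""
    sessions: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = {
                "session_id": int(m["session"]),
                "status": m["status"],
                "ike_count": int(m["ike"]),
                "child_count": int(m["child"]),
                "tunnels": [],
            }
            sessions.append(current)
            continue
        m = TUNNEL_RE.match(line)
        if m and current is not None:
            current["tunnels"].append({
                "tunnel_id": int(m["tunnel"]),
                "local": m["local"],
                "remote": m["remote"],
                "status": m["status"],
                "role": m["role"],
            })
    return sessions


def idle_sessions(sessions: List[Dict], peer: Optional[str] = None) -> List[Dict]:
    """Return sessions whose IKE SA is up but which carry no child (IPsec) SA.

    Optionally restrict the check to one peer address (without the port).
    """
    hits = []
    for s in sessions:
        if s["ike_count"] > 0 and s["child_count"] == 0:
            remotes = {t["remote"].split("/")[0] for t in s["tunnels"]}
            if peer is None or peer in remotes:
                hits.append(s)
    return hits


def alert_messages(text: str, peer: Optional[str] = None) -> List[str]:
    """Produce one human-readable alert per idle session; empty list means healthy."""
    msgs = []
    for s in idle_sessions(parse_ikev2_sas(text), peer):
        remotes = ", ".join(t["remote"] for t in s["tunnels"]) or "unknown"
        msgs.append(
            f"session {s['session_id']} ({s['status']}) to {remotes} "
            f"has IKE SA but CHILD count 0 - no IPsec SA, traffic will not flow"
        )
    return msgs


if __name__ == "__main__":
    for msg in alert_messages(SAMPLE_OUTPUT) or ["tunnel healthy"]:
        print(msg)
```

Running this against the captured output on a schedule and forwarding any returned messages to your alerting system answers the notification question; it does not keep the child SAs alive, which, as the replies note, still requires interesting traffic or a route-based (VTI) tunnel.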

INITIATOR <<- this side is INITIATOR, so only this side can start building the child IKE SA;
you need to make the other side INITIATOR.
Then there is no need for EEM or IP SLA.

Tunnel-id Local Remote Status Role
194732305 <my IP>/4500 <peer IP>/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/17117 sec

That's an interesting Q.

Let's start TS.

Now, what is your FW: initiator, or responder only?

Talked with the application owner. Sounds like we are the responders.

The vendor runs the SQL connections to grab our data.

NO, your FW is the initiator, as you shared above.

Checked with the vendor side and they are set as INITIATOR.

How do I flip my end from INITIATOR to the RESPONDER role?

@Shao if the VPN has already been working, it is likely your device is configured as bidirectional (meaning you can be either initiator or responder) - this setting is the default.

If the vendor is downloading from your server, get them to probe your server using a ping from their system. That will ensure the tunnel stays up.

I believe I found the answer. Changed from Bidirectional to Answer-Only for the Connection Type.

@Shao that means you cannot establish the tunnel if it is down (as you said you did in the first post), the peer must initiate the tunnel. That might suffice for normal operation, but won't help keep the tunnel up.

Please check my above comment.

Thanks 

MHM

Sorry, if the other side changes to be the initiator,

then there is no need for any change from your side.

Just keep the VPN status.

Thanks 

MHM