Showing results for 
Search instead for 
Did you mean: 

Problem with packet drop on site-to-site VPN


Our firewalls include a Firepower 2140 and FMCv both running 7.0.1. 

We are in the process of migrating traffic to a new edge network. The old one has a /27 public IP space, so no BGP  and no redundancy. We've configured policy based routing, so that we can more easily control what traffic is being routed out to the Internet. 

During the initial traffic, we went through every scenario that's applicable to us, and that including site-to-site VPN tunnels. That worked initially, and we've tested every scenario application to our organization. The configuration has been finalized for everything outside the firewall, so we're trying to move production traffic to the new edge. Last week, we attempted to move site-to-site VPN tunnels over twice - essentially, at the branch location we change the VPN peer and create a new tunnel-group for the new peer. Easy enough. On the host side, we change which interface is sourcing the tunnel and modify the outside interface of the NAT statements. We shouldn't have to do anything with PBR as the routes are showing up at the new interface once the VPN tunnel comes up.

Once the tunnel comes up, we see bidirectional traffic at the remote site, but we never see the return traffic from or traffic sourced at the branch site on the host site firewall. When packet-tracer runs, everything looks good including the source and destination NATs. We do filter VPN tunnels, but we have an identical ACP policy on the new outside interface that matches that is on the old outside interface. I've create a capture for every asp type that shows packets dropping on both the branch and host firewalls, and not a single one of these has the VPN tunnel traffic. For traffic sourced from the branch office, I've looked in the connection event table, and there is nothing. I'm not sure exactly where to look next. The packets just seem to disappear. We have rebooted the branch firewall after the change and cleared out connection and translation tables.

I did attempt to add the networks at the host side to the extended ACL used for PBR, but that didn't help. 

Does anyone have an idea of where we can look? I'm puzzled.

0 Replies 0
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: