Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
373
Views
0
Helpful
0
Replies

Problem with packet drop on site-to-site VPN

ABaker94985
Spotlight
Spotlight

‎11-14-2022 11:45 AM

Our firewalls include a Firepower 2140 and FMCv both running 7.0.1. 

We are in the process of migrating traffic to a new edge network. The old one has a /27 public IP space, so no BGP  and no redundancy. We've configured policy based routing, so that we can more easily control what traffic is being routed out to the Internet. 

During the initial traffic, we went through every scenario that's applicable to us, and that including site-to-site VPN tunnels. That worked initially, and we've tested every scenario application to our organization. The configuration has been finalized for everything outside the firewall, so we're trying to move production traffic to the new edge. Last week, we attempted to move site-to-site VPN tunnels over twice - essentially, at the branch location we change the VPN peer and create a new tunnel-group for the new peer. Easy enough. On the host side, we change which interface is sourcing the tunnel and modify the outside interface of the NAT statements. We shouldn't have to do anything with PBR as the routes are showing up at the new interface once the VPN tunnel comes up.

Once the tunnel comes up, we see bidirectional traffic at the remote site, but we never see the return traffic from or traffic sourced at the branch site on the host site firewall. When packet-tracer runs, everything looks good including the source and destination NATs. We do filter VPN tunnels, but we have an identical ACP policy on the new outside interface that matches that is on the old outside interface. I've create a capture for every asp type that shows packets dropping on both the branch and host firewalls, and not a single one of these has the VPN tunnel traffic. For traffic sourced from the branch office, I've looked in the connection event table, and there is nothing. I'm not sure exactly where to look next. The packets just seem to disappear. We have rebooted the branch firewall after the change and cleared out connection and translation tables.

I did attempt to add the networks at the host side to the extended ACL used for PBR, but that didn't help. 

Does anyone have an idea of where we can look? I'm puzzled.

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents