ROUTE Based VTI on FMC incoming traffic dropped

We have a number of SonicWalls and FortiGates at our other sites and also connections to Azure, and we had been waiting on route-based availability for the FTD to be released so we could convert to route-based. Now it has, we have done the upgrade and are now looking to change the tunnels to route-based. We attempted this to both a SonicWall and the FortiGate and it all went well: the tunnel is up, ACLs created and a static route to the sites through the VTI interfaces, all good, except I can get traffic out to the other end and back, but any traffic coming in seems to get dropped. We can see this with the packet tracer. Have we missed anything? As I say, there is a route and an outgoing and incoming ACL. Also, when we created the interfaces we created a new security zone for them for the ACLs to be applied against.

Here is partial output (attached screenshot: capture.PNG)

7 Replies

Hi @billystevenson24098 

What did you configure in your Access Control Policies (ACP) for this VPN traffic?

Hi Rob, see screenshot. It was very basic to try and get this running. (attached screenshot: ACL.PNG)

They are disabled now, but when they were enabled we could ping to remote sites and get a reply, but any pings coming in timed out, and we could see the traffic on the packet capture and it was getting dropped. Tried it with 2 SonicWalls and 1 FortiGate to check the settings, but all came back the same.

Right ok, so the packet-tracer screenshot is from when the ACP rules are disabled?

So the packets are dropped on your end? Are your ACP rules correct for the src/dst networks on traffic initiated from the remote end?

Provide the logs/packet capture of when the traffic is dropped.

Have you checked NAT on both ends?

If those src/dst networks are correct and traffic is not hitting those rules but hitting the default deny, then those zones could be incorrect, which would explain why the traffic does not match those rules. Remove the src/dst zones temporarily.

Why do those rules say disabled, I assume they are enabled?

They were, but that tunnel is now down as it was one of the testing ones, so I just disabled them while trying to find more info.

So set the zones as any - any.