Site to site VPN Cisco FMC

Sharath Rajan
Level 1

Dears, please help.

I am facing an issue with a site-to-site VPN with SonicWALL; this error appears while I initiate the tunnel.

FMC 7.0 and FTD 7.0

 

Phase: 30
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: INSIDE_LAN(vrfid:0)
input-status: up
input-line-status: up
output-interface: OUTSIDE_ISP(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056441a7fc874 flow (need-ike)/snp_sp_action_cb:1577   

27 Replies

@Sharath Rajan Drop-reason: (acl-drop) Flow is denied by configured rule

Check your ACL, provide the full output of packet-tracer if you want further assistance.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 172.19.3.64 using egress ifc OUTSIDE_ISP(vrfid:0)

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE_LAN,OUTSIDE_ISP) after-auto source static HQ-LANET HQ-LANET destination static SONIC-GAIA SONIC-GAIA no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE_ISP(vrfid:0)
Untranslate 172.19.3.64/0 to 172.19.3.64/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc INSIDE_LAN object HQ-LANET ifc OUTSIDE_ISP any4 rule-id 268436485
access-list CSM_FW_ACL_ remark rule-id 268436485: ACCESS POLICY: GRP-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436485: L7 RULE: LAN-to-WAN
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE_LAN,OUTSIDE_ISP) after-auto source static HQ-LANET HQ-LANET destination static SONIC-GAIA SONIC-GAIA no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.73.36/0 to 192.168.73.36/0

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc INSIDE_LAN object HQ-LANET ifc OUTSIDE_ISP any4 rule-id 268436485
access-list CSM_FW_ACL_ remark rule-id 268436485: ACCESS POLICY: GRP-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436485: L7 RULE: LAN-to-WAN
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 9
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE_LAN,OUTSIDE_ISP) after-auto source static HQ-LANET HQ-LANET destination static SONIC-GAIA SONIC-GAIA no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.73.36/0 to 192.168.73.36/0

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc INSIDE_LAN object HQ-LANET ifc OUTSIDE_ISP any4 rule-id 268436485
access-list CSM_FW_ACL_ remark rule-id 268436485: ACCESS POLICY: GRP-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436485: L7 RULE: LAN-to-WAN
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 14
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 15
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE_LAN,OUTSIDE_ISP) after-auto source static HQ-LANET HQ-LANET destination static SONIC-GAIA SONIC-GAIA no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.73.36/0 to 192.168.73.36/0

Phase: 16
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 17
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 18
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc INSIDE_LAN object HQ-LANET ifc OUTSIDE_ISP any4 rule-id 268436485
access-list CSM_FW_ACL_ remark rule-id 268436485: ACCESS POLICY: GRP-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436485: L7 RULE: LAN-to-WAN
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 19
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 20
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE_LAN,OUTSIDE_ISP) after-auto source static HQ-LANET HQ-LANET destination static SONIC-GAIA SONIC-GAIA no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.73.36/0 to 192.168.73.36/0

Phase: 21
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 22
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 23
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc INSIDE_LAN object HQ-LANET ifc OUTSIDE_ISP any4 rule-id 268436485
access-list CSM_FW_ACL_ remark rule-id 268436485: ACCESS POLICY: GRP-Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436485: L7 RULE: LAN-to-WAN
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 24
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 25
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE_LAN,OUTSIDE_ISP) after-auto source static HQ-LANET HQ-LANET destination static SONIC-GAIA SONIC-GAIA no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.73.36/0 to 192.168.73.36/0

Phase: 26
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 27
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 28
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 29
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 30
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: INSIDE_LAN(vrfid:0)
input-status: up
input-line-status: up
output-interface: OUTSIDE_ISP(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056441a7fc874 flow (need-ike)/snp_sp_action_cb:1577


Check this point:
the ACL you use for S2S must mirror on both sides, not be the same.
You must add an allow from out-zone to in-zone for the VPN in FTD.

Hello, I am using FMC; the ACP has been created and the same policy is working with another SonicWALL.

Same policy!!
I think you need hub-and-spoke here, not S2S, since the same hub LAN (FTD LAN) is accessed from two or more spokes.

Hi,

Kindly note the other VPNs are running point to point:

1. FTD/FMC - SonicWALL: VPN UP, point to point

2. FTD/FMC - Sophos: VPN UP, point to point

I am facing the issue with one more SonicWALL and a Meraki: the tunnel is not UP, and the same configuration is kept as recommended in the Cisco docs.

The issue is that you use an ACL permitting LAN->any for both S2S tunnels,
and this makes a conflict. Am I right?

Hi,

I don't know if the rule is conflicting; I am able to save. I just checked, and the conflict rule is not showing anything.

 

@Sharath Rajan have the IKE and IPsec SAs been established? What is the output of "show crypto ipsec sa"?

If there are no SAs established, you will need to enable IKE debugging to determine what the problem is.

Hi,

> show crypto ipsec sa
assigned-address detail entry identity inactive map peer spi summary user |
> show crypto ipsec sa
interface: OUTSIDE_ISP
Crypto map tag: CSM_OUTSIDE_ISP_map, seq num: 3, local addr: 94.200.209.174

access-list CSM_IPSEC_ACL_3 extended permit ip 192.168.73.0 255.255.255.0 192.168.12.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.73.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
current_peer: 5.195.124.236


#pkts encaps: 1867845, #pkts encrypt: 1867845, #pkts digest: 1867845
#pkts decaps: 1847098, #pkts decrypt: 1847098, #pkts verify: 1847098
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1867845, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 94.200.209.174/500, remote crypto endpt.: 5.195.124.236/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A4E03AA3
current inbound spi : 8E856215

inbound esp sas:
spi: 0x8E856215 (2391106069)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 88, crypto-map: CSM_OUTSIDE_ISP_map
sa timing: remaining key lifetime (kB/sec): (4145207/49273)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xA4E03AA3 (2766158499)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 88, crypto-map: CSM_OUTSIDE_ISP_map
sa timing: remaining key lifetime (kB/sec): (4283418/49273)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: CSM_OUTSIDE_ISP_map, seq num: 2, local addr: 94.200.209.174

access-list CSM_IPSEC_ACL_4 extended permit ip 192.168.73.0 255.255.255.0 172.17.40.0 255.255.248.0
local ident (addr/mask/prot/port): (192.168.73.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.40.0/255.255.248.0/0/0)
current_peer: 41.223.51.58


#pkts encaps: 1430097, #pkts encrypt: 1430096, #pkts digest: 1430096
#pkts decaps: 1418589, #pkts decrypt: 1418589, #pkts verify: 1418589
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1430097, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 94.200.209.174/500, remote crypto endpt.: 41.223.51.58/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C0450E9D
current inbound spi : 8BAEF699

inbound esp sas:
spi: 0x8BAEF699 (2343499417)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 449, crypto-map: CSM_OUTSIDE_ISP_map
sa timing: remaining key lifetime (kB/sec): (4146728/83444)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC0450E9D (3225751197)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 449, crypto-map: CSM_OUTSIDE_ISP_map
sa timing: remaining key lifetime (kB/sec): (4100639/83444)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001


Check @Rob Ingram's comment below.

That's 2 different IPSec SAs, with different selectors (interesting traffic) to 2 different peers; both tunnels appear to be working.

I imagine these are unrelated tunnels and the new tunnel has not been established. @Sharath Rajan needs to troubleshoot that by enabling IKE/IPSec debugs as requested.
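The reasoning in the two replies above (check whether an IPsec SA exists for the flow; non-zero encaps/decaps means a tunnel is passing traffic) can be scripted against the "show crypto ipsec sa" text. This is an added example, not code from the thread or from Cisco: the regexes are a best-effort assumption about the ASA/FTD output format, and the sample below is constructed from the output posted earlier in the thread, trimmed to the parsed fields.

```python
import ipaddress
import re

# Constructed sample, modelled on the thread's "show crypto ipsec sa" output:
# two crypto map entries, each with one selector pair, a peer and counters.
SAMPLE = """\
Crypto map tag: CSM_OUTSIDE_ISP_map, seq num: 3, local addr: 94.200.209.174
local ident (addr/mask/prot/port): (192.168.73.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
current_peer: 5.195.124.236
#pkts encaps: 1867845, #pkts encrypt: 1867845, #pkts digest: 1867845
#pkts decaps: 1847098, #pkts decrypt: 1847098, #pkts verify: 1847098
Crypto map tag: CSM_OUTSIDE_ISP_map, seq num: 2, local addr: 94.200.209.174
local ident (addr/mask/prot/port): (192.168.73.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.40.0/255.255.248.0/0/0)
current_peer: 41.223.51.58
#pkts encaps: 1430097, #pkts encrypt: 1430096, #pkts digest: 1430096
#pkts decaps: 1418589, #pkts decrypt: 1418589, #pkts verify: 1418589
"""

# Matches "local ident (...): (addr/mask/..." and "remote ident (...): (addr/mask/..."
IDENT = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")

def parse_sas(text):
    """Split the output per crypto map entry; return seq, selectors, peer and counters."""
    entries = []
    for chunk in re.split(r"(?=Crypto map tag:)", text):
        if not chunk.startswith("Crypto map tag:"):
            continue  # skip the empty leading piece produced by the lookahead split
        entry = {"seq": int(re.search(r"seq num: (\d+)", chunk).group(1))}
        for side, addr, mask in IDENT.findall(chunk):
            entry[side] = ipaddress.ip_network(f"{addr}/{mask}")
        entry["peer"] = re.search(r"current_peer: ([\d.]+)", chunk).group(1)
        entry["encaps"] = int(re.search(r"#pkts encaps: (\d+)", chunk).group(1))
        entry["decaps"] = int(re.search(r"#pkts decaps: (\d+)", chunk).group(1))
        entries.append(entry)
    return entries

def sa_for_flow(entries, src, dst):
    """Return the entry whose selectors cover src->dst, or None.
    None is what packet-tracer's "(need-ike)" drop corresponds to: no SA for the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if s in e["local"] and d in e["remote"]:
            return e
    return None

def tunnel_passing_traffic(entry):
    """Heuristic from the reply: encaps and decaps both non-zero means traffic in both directions."""
    return entry["encaps"] > 0 and entry["decaps"] > 0
```

Running sa_for_flow with the packet-tracer's source 192.168.73.36 and a destination outside both remote selectors returns None, which is consistent with the "need-ike" drop: the two listed SAs belong to other peers and a third tunnel has not been negotiated.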

Friend, there is a difference between a seq and an SA.
What I see is that he configured two seqs for the same crypto map.
To get more than one SA you can do it by having multiple ACL lines, and both appear under the same seq.

2 different peer IP addresses, 2 working tunnels due to hits on encaps|decaps. I deduce they are unrelated to the VPN being troubleshot.

Crypto map tag: CSM_OUTSIDE_ISP_map, seq num: 3, local addr: 94.200.209.174

access-list CSM_IPSEC_ACL_3 extended permit ip 192.168.73.0 255.255.255.0 192.168.12.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.73.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
current_peer: 5.195.124.236

Crypto map tag: CSM_OUTSIDE_ISP_map, seq num: 2, local addr: 94.200.209.174

access-list CSM_IPSEC_ACL_4 extended permit ip 192.168.73.0 255.255.255.0 172.17.40.0 255.255.248.0
local ident (addr/mask/prot/port): (192.168.73.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.40.0/255.255.248.0/0/0)
current_peer: 41.223.51.58