Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
949
Views
0
Helpful
0
Replies

vpn-overlap-conflict : issue with site to site VPN tunnel

loc.nguyen
Level 1
Level 1

‎12-05-2022 08:21 PM

Hi,

We have a site to site VPN tunnel between a Cisco FTD (ABC) and a Checkpoint firewall (dataWarehouse). 

Both sides have the configuration match as the below:

crypto map CSM_outside_map 11 match address CSM_IPSEC_ACL_13
crypto map CSM_outside_map 11 set pfs
crypto map CSM_outside_map 11 set connection-type answer-only
crypto map CSM_outside_map 11 set peer 20.x.x.x
crypto map CSM_outside_map 11 set ikev2 ipsec-proposal CSM_IP_1
crypto map CSM_outside_map 11 set security-association lifetime seconds 1200
crypto map CSM_outside_map 11 set security-association lifetime kilobytes unlimited
crypto map CSM_outside_map 11 set reverse-route


access-list CSM_IPSEC_ACL_13 extended permit ip 10.200.0.0 255.255.255.0 10.184.1.128 255.255.255.192

nat (connect_PA,outside) source static ABC_PRE_NAT ABC_NAT destination static dataWarehouse-net dataWarehouse-net no-proxy-arp

object network dataWarehouse-net
subnet 10.184.1.128 255.255.255.192


object network ABC_NAT
range 10.200.0.1 10.200.0.155


object-group network ABC_PRE_NAT
network-object object ABC-dw1-10.0.30.2
network-object object ABC-dw2-10.0.30.201
....
network-object object ABC-dw155-10.1.6.201

The tunnel runs well for a few hours then have an issue. The cisco Firewall dropped the packets as below:

ctrma-ftd-1# show cap drop
Target: MIPS
Hardware: FPR-2110
Cisco Adaptive Security Appliance Software Version 9.14(3)22
ASLR enabled, text region aaae698000-aab31a7704

2712 packets captured

1: 19:23:52.484746 10.184.1.144 > 10.200.0.149 icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab061a784 flow (vpn-overlap-conflict)/snp_sp_action_cb:1707

2: 19:23:53.508671 10.184.1.144 > 10.200.0.149 icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab061a784 flow (vpn-overlap-conflict)/snp_sp_action_cb:1707

3: 19:23:54.532809 10.184.1.144 > 10.200.0.149 icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab061a784 flow (vpn-overlap-conflict)/snp_sp_action_cb:1707

The VPN status when we have issue is as below:


ctrma-ftd-1# show crypto ipsec sa peer 20.186.184.93 | i ident|encap|decap
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 1334, #pkts encrypt: 1334, #pkts digest: 1334
#pkts decaps: 1334, #pkts decrypt: 1334, #pkts verify: 1334
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.192/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 482, #pkts decrypt: 482, #pkts verify: 482
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

Could you suggest where I look into?

If you need more information/logs, pls let me know.

Thanks

Loc

 

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents