Zscaler to FTD IPsec Tunnel issue

balahcl123
Level 1

Hi Team,

Zscaler cloud and Cisco FTD (7.2.2) are connected via an IPsec connection. An IPsec tunnel is established with Phase 1 and Phase 2.

We tested the communication; data is sent into the tunnel and received by Zscaler as well. Zscaler was unable to view the response when it was sent to the Cisco FTD end.

It was evident that encryption and decryption were taking place, although the traffic is invisible to us.

> show vpn-sessiondb detail l2l filter ipaddress 147.161.160.51

Session Type: LAN-to-LAN Detailed

Connection : 147.161.160.51
Index : 678822 IP Addr : 147.161.160.51
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (1)AES-GCM-256
Hashing : IKEv2: (1)SHA256 IPsec: (1)none
Bytes Tx : 744258 Bytes Rx : 1661052
Login Time : 13:09:43 UTC Thu Feb 15 2024
Duration : 0h:22m:35s
Tunnel Zone : 0

IKEv2 Tunnels: 1
IPsec Tunnels: 1

IKEv2:
Tunnel ID : 678822.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA256
Rekey Int (T): 28800 Seconds Rekey Left(T): 27447 Seconds
PRF : SHA256 D/H Group : 14
Filter Name :

IPsec:
Tunnel ID : 678822.2
Local Addr : 172.30.132.143/255.255.255.255/0/0
Remote Addr : 0.0.0.0/0.0.0.0/0/0
Encryption : AES-GCM-256 Hashing : none
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 27447 Seconds
Rekey Int (D): 36864000 K-Bytes Rekey Left(D): 36862378 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Bytes Tx : 744258 Bytes Rx : 1661052
Pkts Tx : 5914 Pkts Rx : 11698

4 Replies

Did you configure NO-NAT in FTD?
MHM

Yes. No NAT has been configured.

Remote Addr : 0.0.0.0/0.0.0.0/0/0 <<- why is the remote address 0.0.0.0?
What type of VPN did you configure?
It seems to me that you configured policy-based and the peer configured route-based VPN.
Can you check with them?
MHM
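As an added illustration (not code from this thread, from Cisco or from Zscaler), the following Python script parses the IPsec section of the `show vpn-sessiondb detail l2l` output quoted in the original post and reports the points MHM's reply turns on: whether the negotiated remote traffic selector is the 0.0.0.0/0 wildcard, whether the local selector covers only a single host, and how the encrypt (Tx) and decrypt (Rx) counters compare. The field labels are taken from the output as posted; the sample text, the thresholds and the wording of the findings are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the IPsec portion of the session output quoted in the post,
# copied as posted (not live data).
SAMPLE = """IPsec:
Tunnel ID : 678822.2
Local Addr : 172.30.132.143/255.255.255.255/0/0
Remote Addr : 0.0.0.0/0.0.0.0/0/0
Encryption : AES-GCM-256 Hashing : none
Encapsulation: Tunnel
Bytes Tx : 744258 Bytes Rx : 1661052
Pkts Tx : 5914 Pkts Rx : 11698
"""

# Assumed threshold: flag the SA as asymmetric when more than 1.5x as many
# packets are decrypted as encrypted.
ASYMMETRY_RATIO = 1.5


@dataclass
class Selector:
    """One side of the negotiated traffic selector: ip/mask/protocol/port."""
    ip: str
    mask: str
    proto: str
    port: str

    def is_any(self) -> bool:
        return self.ip == "0.0.0.0" and self.mask == "0.0.0.0"

    def is_single_host(self) -> bool:
        return self.mask == "255.255.255.255"


def parse_selector(field: str) -> Selector:
    ip, mask, proto, port = field.split("/")
    return Selector(ip, mask, proto, port)


def parse_ipsec_section(text: str) -> dict:
    """Pull selectors and counters from the text after the 'IPsec:' heading.

    Only that part of the output is searched so the per-SA counters are used,
    not the session-level 'Bytes Tx/Rx' lines that appear earlier.
    """
    body = text.split("IPsec:", 1)[1]

    def grab(label: str) -> str:
        m = re.search(rf"{re.escape(label)}\s*:\s*(\S+)", body)
        if not m:
            raise ValueError(f"missing field {label!r}")
        return m.group(1)

    return {
        "local": parse_selector(grab("Local Addr")),
        "remote": parse_selector(grab("Remote Addr")),
        "bytes_tx": int(grab("Bytes Tx")),
        "bytes_rx": int(grab("Bytes Rx")),
        "pkts_tx": int(grab("Pkts Tx")),
        "pkts_rx": int(grab("Pkts Rx")),
    }


def review(sa: dict) -> list:
    """Return human-readable findings about the parsed SA."""
    findings = []
    if sa["remote"].is_any():
        findings.append(
            "remote selector is 0.0.0.0/0 (wildcard proxy ID): the peer looks "
            "route-based; confirm which selectors the peer expects")
    if sa["local"].is_single_host():
        findings.append(
            f"local selector is the single host {sa['local'].ip}/32: only "
            "traffic sourced from that address matches this SA, so replies "
            "from any other inside host never enter the tunnel")
    if sa["pkts_tx"] == 0 and sa["pkts_rx"] > 0:
        findings.append("packets are decrypted but none are encrypted")
    elif sa["pkts_tx"] and sa["pkts_rx"] / sa["pkts_tx"] > ASYMMETRY_RATIO:
        findings.append(
            f"decrypt/encrypt packet ratio is "
            f"{sa['pkts_rx'] / sa['pkts_tx']:.2f}: far more traffic arrives "
            "than is sent back, worth comparing with the expected flows")
    return findings


if __name__ == "__main__":
    for line in review(parse_ipsec_section(SAMPLE)):
        print("-", line)
```

Run it against a pasted `show vpn-sessiondb detail l2l` output to get the same three checks on a live tunnel; the selector checks are the ones that matter when the two sides disagree about policy-based versus route-based negotiation.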

balaji.bandi
Hall of Fame

Can you post the output of:

#show crypto ipsec sa

#show crypto ipsec stats

Also worth enabling debug and checking.

BB
