01-30-2022 10:31 PM
Hi,
I have configured an S2S VPN between our on-premise Cisco FTD (via FMC ver 6.6) and the peer device, a FortiGate firewall in the Azure cloud.
I also have an existing VPN running fine between the on-prem Cisco and the Azure native firewall (VNG).
After configuring the Cisco FW, I am only able to see the existing tunnel (Cisco-Az FW) state as ACTIVE.
There are no details showing for the new VPN I created between Cisco and the FortiGate in Azure.
I need to know what to check from the Cisco FTD side, whether the config is proper or not.
I tried a ping to the public IP of the FortiGate FW and a traceroute, but I do not see the tunnel status for this new VPN config.
Need help.
01-30-2022 10:45 PM
A few basic checks:
= Review Phase 1 and Phase 2 settings on both VPN peers.
= Since the FortiGate firewall is in the cloud, ensure the cloud network is permitting IKE and IPsec ports (inbound and outbound): UDP port 500 (4500 if there's NAT-T) and Port 50 (ESP, assuming that's being used).
= Ensure there are no overlapping VPN configurations that might be causing issues.
= Run packet tracer on the FTD that includes the IP addresses that are part of this VPN and check the results.
= Initiate traffic from any device/network behind the FTD that is expected to go through this new VPN tunnel.
= Verify the tunnel status on the FTD; if it isn't changing, enable IKE and IPsec debug. Initiate traffic again and follow through the logs.
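The first and third checks above (peer proposal match and overlapping tunnel definitions) can be done offline before touching the FTD. The script below is an added example, not from this thread or from Cisco or Fortinet tooling; the tunnel names, prefixes and proposal values are constructed placeholders, and the overlap logic assumes ordered crypto map matching, where a flow that fits an earlier tunnel's selectors never triggers a later tunnel.

```python
from ipaddress import ip_network
from itertools import combinations, product

# Constructed tunnel definitions (placeholders, not the poster's real config).
# Each entry holds the IKE/IPsec proposal plus the protected networks.
TUNNELS = {
    "Cisco-Az-VNG": {
        "proposal": {"ike_version": 2, "encryption": "aes-256",
                     "integrity": "sha256", "dh_group": 14, "lifetime": 28800},
        "local": ["10.10.0.0/16"],
        "remote": ["10.50.0.0/16"],
    },
    "Cisco-Az-FGT": {
        "proposal": {"ike_version": 2, "encryption": "aes-256",
                     "integrity": "sha256", "dh_group": 14, "lifetime": 28800},
        "local": ["10.10.0.0/16"],
        "remote": ["10.50.8.0/24"],   # sits inside the VNG tunnel's remote range
    },
}

# Constructed view of what the Azure-side FortiGate admin reports configuring.
PEER_PROPOSAL = {"ike_version": 2, "encryption": "aes-256",
                 "integrity": "sha1", "dh_group": 14, "lifetime": 28800}


def proposal_mismatches(local, peer):
    """Phase 1/2 parameters whose value differs between the FTD and the peer."""
    keys = sorted(set(local) | set(peer))
    return [k for k in keys if local.get(k) != peer.get(k)]


def selector_overlaps(tunnels):
    """Tunnel pairs whose (local, remote) selectors overlap.

    With ordered crypto map evaluation, traffic covered by both entries is
    steered into the earlier tunnel and the later one never comes up.
    """
    found = []
    for a, b in combinations(tunnels, 2):
        pairs_a = product(tunnels[a]["local"], tunnels[a]["remote"])
        pairs_b = product(tunnels[b]["local"], tunnels[b]["remote"])
        for (la, ra), (lb, rb) in product(pairs_a, pairs_b):
            if (ip_network(la).overlaps(ip_network(lb))
                    and ip_network(ra).overlaps(ip_network(rb))):
                found.append((a, b, f"{la}->{ra}", f"{lb}->{rb}"))
    return found


if __name__ == "__main__":
    print("proposal mismatches:", proposal_mismatches(TUNNELS["Cisco-Az-FGT"]["proposal"], PEER_PROPOSAL))
    print("overlapping selectors:", selector_overlaps(TUNNELS))
```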
01-30-2022 11:37 PM
Thanks, Krishna, for the reply.
I will check whether the ports are allowed on Azure FGT side.
I will initiate the traffic.
Will update on this thread.
Thanks