Cisco FTD via FMC S2S VPN

shaikh.zaid22
Level 1

Hi,

I have configured an S2S VPN between our on-premise Cisco FTD via FMC ver 6.6 and the peer device, a FortiGate firewall in the Azure cloud.

 

I also have an existing VPN running fine between the on-prem Cisco and the Azure native firewall (VNG).

 

After configuring the Cisco FW, I am only able to see the existing tunnel (Cisco-Az FW) state as ACTIVE.

There are no details showing for the new VPN I created between the Cisco and the FortiGate in Azure.

I need to know what to check from the Cisco FTD side, whether the config is proper or not.

I tried a ping to the public IP of the FortiGate FW and a traceroute, but I do not see the tunnel status for this new VPN config.

Need help.

 

2 Replies

UdupiKrishna
Cisco Employee

A few basic checks:

= Review Phase 1 and Phase 2 settings on both VPN peers.

= Since the FortiGate firewall is in the cloud, ensure the cloud network is permitting the IKE and IPsec ports (inbound and outbound): UDP port 500 (4500 if there's NAT-T) and port 50 (ESP, assuming that's being used).

= Ensure there are no overlapping VPN configurations that might be causing issues.

= Run packet tracer on the FTD with the IP addresses that are part of this VPN and check the results.

= Initiate traffic from any device/network behind the FTD that is expected to go through this new VPN tunnel.

= Verify the tunnel status on the FTD; if it isn't changing, enable IKE and IPsec debugs, initiate traffic again and follow through the logs.
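One way to script the second and third of those checks (whether the cloud side permits the IKE/NAT-T/ESP flows in both directions, and whether the protected networks of the existing VNG tunnel overlap those of the new FortiGate tunnel), as an added example that is not part of this thread or of any Cisco or Fortinet tool; the rule shape, the tunnel names and the sample networks are constructed assumptions:

```python
"""Pre-flight checks for a new FTD site-to-site VPN (added example)."""
import ipaddress
from itertools import combinations

# Flows the cloud-side network must permit in both directions.
# NAT-T uses UDP/4500; ESP is IP protocol 50 and carries no port.
REQUIRED_FLOWS = [("udp", 500), ("udp", 4500), ("esp", None)]

def missing_flows(rules):
    """Return (direction, proto, port) tuples no 'allow' rule covers.

    rules: constructed list of dicts shaped like a cloud NSG rule
    (hypothetical shape): {"direction": "inbound"|"outbound",
    "proto": "udp"|"esp"|"any", "port": int|None, "action": "allow"|"deny"}.
    A rule with port None matches any port.
    """
    missing = []
    for direction in ("inbound", "outbound"):
        for proto, port in REQUIRED_FLOWS:
            allowed = any(
                r["action"] == "allow" and r["direction"] == direction
                and r["proto"] in (proto, "any")
                and r["port"] in (port, None)
                for r in rules)
            if not allowed:
                missing.append((direction, proto, port))
    return missing

def overlapping_selectors(tunnels):
    """Return pairs of tunnels whose (local, remote) selectors overlap.

    tunnels: dict name -> list of (local_cidr, remote_cidr) pairs.
    If the existing tunnel's selectors already cover the new one's,
    interesting traffic is claimed by the old SA and the new one never builds.
    """
    net = ipaddress.ip_network
    hits = []
    for (n1, s1), (n2, s2) in combinations(tunnels.items(), 2):
        for l1, r1 in s1:
            for l2, r2 in s2:
                if net(l1).overlaps(net(l2)) and net(r1).overlaps(net(r2)):
                    hits.append((n1, n2, (l1, r1), (l2, r2)))
    return hits

if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    rules = [{"direction": "inbound", "proto": "udp", "port": 500, "action": "allow"},
             {"direction": "outbound", "proto": "any", "port": None, "action": "allow"}]
    print(missing_flows(rules))  # inbound udp/4500 and inbound ESP are not permitted
    tunnels = {"az-vng": [("10.10.0.0/16", "172.16.0.0/16")],
               "az-fgt": [("10.10.5.0/24", "172.16.20.0/24")]}
    print(overlapping_selectors(tunnels))  # the VNG selectors swallow the FGT ones
```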

 

Thanks Krishna for the reply.

 

I will check whether the ports are allowed on Azure FGT side.

 

I will initiate the traffic.

 

Will update on this thread.

 

Thanks
