Has anyone encountered an issue while creating a VPN tunnel connecting to a Cisco Firepower 41110 model before?
A static VPN tunnel was created connecting a custom VPC network to an on-premises network with the following configuration. Based on the status on the Cisco Firepower (as attached), phase 1 has been established but the second phase has received no packets at the interface (tx & rx).
Phase 1:
1. Encryption & Integrity : AES-GCM-16-256
2. PRF - PRF-HMAC-SHA2-512
3. Diffie-Hellman (DH): modp_2048 (Group 14)
4. Lifetime: 36000 seconds
Phase 2:
1. Encryption & Integrity : AES-GCM-16-256
2. PFS: PRF-HMAC-SHA2-512
3. Diffie-Hellman (DH): modp_2048 (Group 14)
4. Lifetime: 36000 seconds
Logs from Cloud VPN indicate that it is unable to establish the CHILD_SA, pointing the issue at establishing Phase 2.
DEBUG 2023-02-20T11:34:22.515802858Z parsed CREATE_CHILD_SA response 3 [ N(TS_UNACCEPT) ]
DEBUG 2023-02-20T11:34:22.515822874Z received TS_UNACCEPTABLE notify, no CHILD_SA built
DEBUG 2023-02-20T11:34:22.515826928Z failed to establish CHILD_SA, keeping IKE_SA
Any advice?
Hi @edwin10 ,
The screenshots that you shared seem to be low quality, making it hard to see the details.
Based on the configuration that you shared for Phase 1 and Phase 2, everything is correct except the lifetime value for Phase 2. Based on the documentation regarding Supported IKE ciphers and the Google Cloud VPN Interop Guide, Phase 2 should have a lifetime of 10,800 seconds (3 hours).
You may also want to check with Cisco support whether everything is configured properly on their devices and what causes the VPN tunnel not to establish.
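As an added example (not code from either poster or from Google Cloud), the script below parses the Cloud VPN debug lines quoted in the question, pulls out every IKEv2 notify of the form N(...), and maps it to what to compare on the peer, following the notify meanings in RFC 7296 section 3.10.1 (TS_UNACCEPTABLE is the responder saying no traffic selector pair was acceptable). It also includes a small helper that diffs two proposal dictionaries so a lifetime or DH-group mismatch like the one discussed in the answer shows up explicitly. The hint wording, the function names parse_ike_log and proposal_mismatches, and the sample proposal dictionaries are my own assumptions; the log lines are the three from the question.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IKEv2 notify types (RFC 7296, section 3.10.1) as abbreviated in the
# strongSwan-style "N(...)" log lines, mapped to what to compare on the peer.
# The hint wording is an assumption of this example, not from the thread.
NOTIFY_HINTS: Dict[str, str] = {
    "TS_UNACCEPT": "peer rejected the traffic selectors: compare the local/remote "
                   "subnets (crypto ACL / proxy IDs) configured on both ends",
    "NO_PROP_CHOSEN": "no proposal matched: compare encryption, integrity, PRF, "
                      "DH group and lifetime on both ends",
    "AUTH_FAILED": "authentication failed: check the pre-shared key or certificate",
    "INVAL_KE": "DH group in the KE payload was not acceptable to the peer",
}

LOG_RE = re.compile(r"^(?P<level>[A-Z]+)\s+(?P<ts>\S+)\s+(?P<msg>.*)$")
NOTIFY_RE = re.compile(r"N\((?P<name>[A-Z_]+)\)")
EXCHANGE_RE = re.compile(r"parsed (?P<exch>[A-Z_]+) (?:request|response)")


@dataclass
class Finding:
    timestamp: str
    exchange: Optional[str]
    notify: str
    hint: str


def parse_ike_log(text: str) -> List[Finding]:
    """Extract every N(...) notify from Cloud VPN debug lines, with a hint."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        exch_m = EXCHANGE_RE.search(msg)
        exchange = exch_m.group("exch") if exch_m else None
        for n in NOTIFY_RE.finditer(msg):
            name = n.group("name")
            hint = NOTIFY_HINTS.get(name, "unrecognised notify; see RFC 7296 section 3.10.1")
            findings.append(Finding(m.group("ts"), exchange, name, hint))
    return findings


def proposal_mismatches(local: Dict[str, object], peer: Dict[str, object]) -> List[str]:
    """Return the keys whose values differ between two Phase 1 / Phase 2 proposals."""
    keys = sorted(set(local) | set(peer))
    return [k for k in keys if local.get(k) != peer.get(k)]


# Constructed sample input: the three debug lines quoted in the question.
SAMPLE_LOG = """\
DEBUG 2023-02-20T11:34:22.515802858Z parsed CREATE_CHILD_SA response 3 [ N(TS_UNACCEPT) ]
DEBUG 2023-02-20T11:34:22.515822874Z received TS_UNACCEPTABLE notify, no CHILD_SA built
DEBUG 2023-02-20T11:34:22.515826928Z failed to establish CHILD_SA, keeping IKE_SA
"""

# Constructed proposals (assumed, for illustration): the Phase 2 values from the
# question on the Cloud VPN side, and the same values with the 10,800 s lifetime
# mentioned in the answer on the peer side.
CLOUD_PHASE2 = {"cipher": "AES-GCM-16-256", "dh_group": 14, "lifetime_s": 36000}
PEER_PHASE2 = {"cipher": "AES-GCM-16-256", "dh_group": 14, "lifetime_s": 10800}

if __name__ == "__main__":
    for f in parse_ike_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.exchange or '-'} {f.notify}: {f.hint}")
    print("mismatched keys:", proposal_mismatches(CLOUD_PHASE2, PEER_PHASE2))
```

Run it as-is to see the single TS_UNACCEPT finding from the CREATE_CHILD_SA response and the lifetime_s mismatch; paste in a longer log export (for example from the Cloud Logging query for the tunnel) to list every notify the peer sent over a reconnection window.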
Thanks Marvin.