Wednesday, February 14, 2018

Cisco not matching crypto ACL

Issue I'm seeing: a crypto map based tunnel between a Cisco IOS-XE device (controlled by me) and a McAfee firewall (out of my control) is not passing traffic. Agreed on the tunnel, built it, Phase 1 & Phase 2 come up properly. But no traffic is coming through. To troubleshoot, I used esp-null and am now seeing more information regarding the payload, which puzzles me even more.

1) If traffic is initiated from the other side, I can see the ESP packet arriving on the external interface with the correct outer & inner headers (tunnel mode), but it is not decrypted (no decaps) further by the Cisco, so that's it. The incoming SA number is correct.

2) If traffic is initiated from my side, it is encapsulated and sent properly, but there is no answer from the other side. That would be an issue with the configuration on the far end, if not for the first point.

If I point the tunnel endpoint at another Cisco device (the configuration stays basically the same, just the peer IP changes), it works flawlessly: traffic is encrypted & decrypted properly.

Just throw your ideas at me as to what could be wrong here or how to troubleshoot, even better if there's someone who knows McAfee firewalls, as I have no clue at all what to expect from them. I've checked a lot of things, but I don't want to make this overwhelmingly long and detailed; just, what would you do in such a case?

P.S. There are a bunch of working tunnels on the Cisco side and, so they say, on the other side as well.
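The check the title points at, as an added example that is not part of the original post: with esp-null the inner header of an inbound ESP packet is visible, and a decapsulated packet is only accepted if that inner header matches the mirror of the local crypto ACL (inner source in the remote network, inner destination in the local network). The script below parses a constructed esp-null packet and runs that comparison; the networks, addresses and SPI are made up for the example, not taken from the post.

```python
import ipaddress
import struct

# Constructed example of the local crypto ACL: (local network, remote network) per
# "permit ip" line. These are not the networks from the post.
CRYPTO_ACL = [
    (ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("172.16.5.0/24")),
]

def ipv4_header(buf):
    """Parse an IPv4 header; return (protocol, src, dst, header length in bytes)."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), (ver_ihl & 0x0F) * 4

def parse_esp_null(pkt):
    """Outer IPv4 + ESP (SPI, sequence) + inner IPv4, as exposed by esp-null."""
    proto, osrc, odst, ihl = ipv4_header(pkt)
    if proto != 50:
        raise ValueError("outer protocol is not ESP (50)")
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    _, isrc, idst, _ = ipv4_header(pkt[ihl + 8:])  # NULL cipher: no IV, inner header follows
    return {"outer": (osrc, odst), "spi": spi, "seq": seq, "inner": (isrc, idst)}

def inner_matches_crypto_acl(inner, acl=CRYPTO_ACL):
    """Inbound traffic is checked against the mirror of the local crypto ACL:
    inner source in the remote network and inner destination in the local network."""
    isrc, idst = inner
    return any(isrc in remote and idst in local for local, remote in acl)

def check_inbound(pkt, acl=CRYPTO_ACL):
    """True when the decapsulated inner header would pass the crypto ACL mirror check."""
    return inner_matches_crypto_acl(parse_esp_null(pkt)["inner"], acl)

def build_sample(outer_src, outer_dst, spi, inner_src, inner_dst):
    """Constructed esp-null packet carrying one ICMP echo (checksums left zero)."""
    def ip_hdr(src, dst, proto, total_len):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                           ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    inner = ip_hdr(inner_src, inner_dst, 1, 28) + bytes(8)           # 20-byte IP + 8-byte ICMP
    esp = struct.pack("!II", spi, 1) + inner + bytes(2) + b"\x02\x04"  # pad, pad len 2, next hdr 4
    return ip_hdr(outer_src, outer_dst, 50, 20 + len(esp)) + esp

if __name__ == "__main__":
    good = build_sample("198.51.100.2", "203.0.113.1", 0xC0FFEE, "172.16.5.10", "10.10.1.1")
    bad = build_sample("198.51.100.2", "203.0.113.1", 0xC0FFEE, "172.16.6.10", "10.10.1.1")
    print(check_inbound(good), check_inbound(bad))  # True False
```

A packet whose inner source falls outside the remote network configured on the receiving side (the `bad` case) is exactly the kind of inbound ESP that arrives with a valid SPI but is never decapsulated.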


