ssanga
Staff & Editor
November 25, 2024

Technical Tip: IKE-SAML Reply Traffic Egresses through a Different Interface than the Original Incoming interface

Description
This article addresses an issue where reply traffic for IKE-SAML connections egresses through a different interface than the one it arrived on, leading to intermittent IKE-SAML VPN connectivity problems.

Scope
FortiGate v7.4.3, v7.4.4.

Solution

Intermittent connectivity issues may occur for IKE-SAML VPN users, where the reply traffic is sent through a different interface than the one originally used for incoming traffic.

Packet captures show that the FortiGate does respond to client-initiated traffic, but the response is routed out a different interface than the one on which the request was received. As a result, the reply traffic never reaches the user's machine.

The problem can be verified with the outputs below: the default route has two equal-cost next hops (port5 and port2), the client's SYN arrives on port2, the SYN/ACK is sent out port5, and the session entry shows the reply leaving through a different device index (port5) than the one the original packet entered on (port2).


get router info routing-table details
S* 0.0.0.0/0 [1/0] via 172.17.69.2, port5, [1/0]
             [1/0] via 172.17.85.2, port2, [1/0]

diagnose ip address list
IP=172.17.69.1->172.17.69.1/255.255.255.0 index=7 devname=port5
IP=172.17.85.1->172.17.85.1/255.255.255.0 index=4 devname=port2

diagnose sniffer packet any "host 10.21.11.254" 4 0 l
filters=[port 444]
2024-07-02 09:19:49.544630 port2 in 10.21.11.254.54252 -> 172.17.85.1.444: syn 1071979966
2024-07-02 09:19:49.544844 port5 out 172.17.85.1.444 -> 10.21.11.254.54252: syn 1508926204 ack 1071979967
2024-07-02 09:19:49.544988 port2 in 10.21.11.254.54253 -> 172.17.85.1.444: syn 4256357852
2024-07-02 09:19:49.545314 port5 out 172.17.85.1.444 -> 10.21.11.254.54253: syn 712095129 ack 4256357853

diag sys session list
session info: proto=6 proto_state=03 duration=2 expire=9 timeout=3600 refresh_dir=both flags=00000000 socktype=4 sockport=10501 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/0
state=local may_dirty
statistic(bytes/packets/allow_err): org=104/2/1 reply=156/3/1 tuples=2
tx speed(Bps/kbps): 45/0 rx speed(Bps/kbps): 68/0
orgin->sink: org pre->in, reply out->post dev=4->10/10->7 gwy=0.0.0.0/0.0.0.0 <-- Port2 -> root / root-> Port5.
hook=pre dir=org act=noop 10.21.11.254:54366->172.17.85.1:444(0.0.0.0:0)
hook=post dir=reply act=noop 172.17.85.1:444->10.21.11.254:54366(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=4294967295 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
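A small parser that automates the check described above, run over sample lines modelled on the article's sniffer, address-list and session outputs. This is an added example written for this article, not a Fortinet tool: it pairs each inbound packet with its reply by 5-tuple and reports flows whose reply left on a different interface, and it decodes the dev=a->b/c->d field of a session entry using the index-to-devname mapping from diagnose ip address list (the reading of a as the original ingress index and d as the reply egress index follows the annotation on the session line above). The sample text, including the extra symmetric flow on port 54300, is constructed.

```python
import re

# Constructed sample output, modelled on the sniffer, address-list and session
# lines shown in this article (not captured from a real device). A third,
# symmetric flow on port 54300 is included to show healthy traffic being ignored.
SNIFFER_OUTPUT = """\
2024-07-02 09:19:49.544630 port2 in 10.21.11.254.54252 -> 172.17.85.1.444: syn 1071979966
2024-07-02 09:19:49.544844 port5 out 172.17.85.1.444 -> 10.21.11.254.54252: syn 1508926204 ack 1071979967
2024-07-02 09:19:49.544988 port2 in 10.21.11.254.54253 -> 172.17.85.1.444: syn 4256357852
2024-07-02 09:19:49.545314 port5 out 172.17.85.1.444 -> 10.21.11.254.54253: syn 712095129 ack 4256357853
2024-07-02 09:20:01.000000 port2 in 10.21.11.254.54300 -> 172.17.85.1.444: syn 11111
2024-07-02 09:20:01.000200 port2 out 172.17.85.1.444 -> 10.21.11.254.54300: syn 22222 ack 11112
"""

ADDRESS_LIST = """\
IP=172.17.69.1->172.17.69.1/255.255.255.0 index=7 devname=port5
IP=172.17.85.1->172.17.85.1/255.255.255.0 index=4 devname=port2
"""

# "orgin" is spelled this way in the FortiOS session output itself.
SESSION_LINE = ("orgin->sink: org pre->in, reply out->post dev=4->10/10->7 "
                "gwy=0.0.0.0/0.0.0.0")

# Sniffer line layout: <date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>:
SNIFF_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def asymmetric_flows(sniffer_text):
    """Map each flow (client_ip, client_port, server_ip, server_port) whose reply
    left on a different interface than the request arrived on to the pair
    (ingress_interface, egress_interface). Symmetric flows are omitted."""
    ingress, egress = {}, {}
    for line in sniffer_text.splitlines():
        m = SNIFF_RE.match(line)
        if not m:
            continue  # filter banner, blank lines, non-matching packets
        if m["dir"] == "in":
            # Client -> FortiGate: key the flow as the client sees it.
            key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            ingress.setdefault(key, m["iface"])
        else:
            # FortiGate -> client: swap the ends so the key matches the ingress entry.
            key = (m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            egress.setdefault(key, m["iface"])
    return {k: (ingress[k], egress[k])
            for k in ingress if k in egress and ingress[k] != egress[k]}


def interface_index_map(address_list_text):
    """Build {interface index: devname} from 'diagnose ip address list' output."""
    return {int(m["idx"]): m["dev"]
            for m in re.finditer(r"index=(?P<idx>\d+) devname=(?P<dev>\S+)",
                                 address_list_text)}


def session_path(session_line, index_map):
    """Return (original_ingress_iface, reply_egress_iface) from the dev=a->b/c->d
    field of a 'diagnose sys session list' entry. Following the article's
    annotation, a is the index the original packet entered on and d is the index
    the reply leaves on; b and c are the intermediate hop (root). Unknown
    indexes are returned as their numeric string."""
    m = re.search(r"dev=(\d+)->(\d+)/(\d+)->(\d+)", session_line)
    if not m:
        raise ValueError("no dev= field in session line")
    org_in, _, _, reply_out = (int(x) for x in m.groups())
    return index_map.get(org_in, str(org_in)), index_map.get(reply_out, str(reply_out))


if __name__ == "__main__":
    for flow, (in_if, out_if) in asymmetric_flows(SNIFFER_OUTPUT).items():
        print(f"asymmetric reply: {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} "
              f"in on {in_if}, reply out on {out_if}")
    print("session path:", session_path(SESSION_LINE, interface_index_map(ADDRESS_LIST)))
```

On the article's outputs this reports both port-444 flows as entering on port2 and replying via port5, and decodes the session's dev=4->10/10->7 as port2 in, port5 out, while the added symmetric flow is not reported. The same functions can be pointed at a saved sniffer capture and session dump taken with the commands listed under the TAC logs section.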


This issue has been resolved in FortiOS versions 7.4.5 and 7.6.0.


The following logs are required by FortiGate TAC for investigation:


  1. Sniffers and Session list outputs:

    diagnose sniffer packet any "host <source IP>" 4 0 l

    diagnose sys session list

  2. TAC Report:

    execute tac report

  3. Configuration file of the FortiGate.