New Member

Solved

Cannot ping interface IP from AWS VPN

Forum|Forum|1 year ago
December 4, 2024
7 replies
3790 views

Hi, all.

I cannot ping a local interface IP on the Fortigate from a AWS host, connected through a VPN tunnel. I can ping the interface using a dial-up (FortiClient). It goes like this:

From PC connected through FortiClient (IP is 10.10.1.2):

Pinging 192.168.4.1 with 32 bytes of data:
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255

From linux host in AWS:

PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
(zzzzz)
--- 192.168.4.1 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21481ms

To a host on the interface subnet, from linux host in AWS:

PING 192.168.4.13 (192.168.4.13) 56(84) bytes of data.
64 bytes from 192.168.4.13: icmp_seq=1 ttl=127 time=21.1 ms
64 bytes from 192.168.4.13: icmp_seq=2 ttl=127 time=21.2 ms

On the Fortigate, a trace shows

Packet Trace #2004,2024/12/04 08:57:54,"vd-root:0 received a packet(proto=1, 172.31.32.14:53603->192.168.4.1:2048) tun_id=18.193.132.24 from vpn-0d40f99b. type=8, code=0, id=53603, seq=3." Packet Trace #2004,2024/12/04 08:57:54,"Find an existing session, id-232fd712, original direction" Packet Trace #2005,2024/12/04 08:57:55,"vd-root:0 received a packet(proto=1, 172.31.32.14:53603->192.168.4.1:2048) tun_id=18.193.132.24 from vpn-0d40f99b. type=8, code=0, id=53603, seq=4." Packet Trace #2005,2024/12/04 08:57:55,"Find an existing session, id-232fd712, original direction" Packet Trace #2006,2024/12/04 08:57:56,"vd-root:0 received a packet(proto=1, 172.31.32.14:53603->192.168.4.1:2048) tun_id=18.193.132.24 from vpn-0d40f99b. type=8, code=0, id=53603, seq=5." Packet Trace #2006,2024/12/04 08:57:56,"Find an existing session, id-232fd712, original direction" Packet Trace #2007,2024/12/04 08:57:57,"vd-root:0 received a packet(proto=1, 172.31.32.14:53603->192.168.4.1:2048) tun_id=18.193.132.24 from vpn-0d40f99b. type=8, code=0, id=53603, seq=6." Packet Trace #2007,2024/12/04 08:57:57,"Find an existing session, id-232fd712, original direction"

And the interface configuration:

edit "lan"   set vdom "root"   set ip 192.168.4.1 255.255.255.0   set allowaccess ping https ssh snmp fabric   set alias "office lan"   set device-identification enable   set role lan   set snmp-index 11   set interface "fortilink"   set vlanid 2000 next

Any tips on why it doesn't work from the AWS VPN-tunnel?

Cheers,

Chocolate Eater

FortiGate

Best answer by sjoshi

yes your link monitor is in dead state that is why the route is in active

please remove the link monitor for now and the route should be active and check the communication

sjoshi

Staff

Hi,

Can you take the pcap on the FGT

diag sniff packet any 'host x.x.x.x and icmp' 4 0 l >> where x.x.x.x is the dst IP

Thanks, Salon

AEK

SuperUser

Can you show the log from the first packet (the one you shared is starting from the 3rd).

Also have you created a policy to allow ping from SSL-VPN tunnel to lan interface?

AEK

dingjerry_FTNT

Staff

Hi @chocolateeater ,

1) Please make sure that there is one firewall policy allowing Ping traffic from vpn-0d40f99b interface to lan interface.

2) Please make sure that there is no trusted host configured with your admin accounts.

dingjerry_FTNT

Staff

Also, please collect the outputs with the following commands:

diag sys session filter proto 1

diag sys session filter dst 192.168.4.1

diag sys session list

It's better also attach your FGT config.

chocolateeaterAuthor

New Member

Hi, all.

Funny thing. When I ran pcap suggested by @sjoshi, after 8-10 seconds suddenly it worked. I did nothing. Then I left to handle some other stuff, and when I came back it didn't work, again. That got me thinking about NP offloading or asymmetric routing issues, but I haven't been able to confirm this.

The interface IP is now 192.168.40.1 (tried quite a few things), and there is a new host in AWS (172.31.40.192). Sorry I can't drop the complete config here, for security reasons.

Here is a new capture, based on the suggestions:

FG-101F # diag sniff packet any 'host 192.168.40.1 and icmp' 4 0 1 interfaces=[any] filters=[host 192.168.40.1 and icmp] 2.975748 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request 7.975738 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request 12.975803 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request 17.976778 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request 22.976357 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request ^C 5 packets received by filter 0 packets dropped by kernel  FG-101F # diag sys session filter proto 1  FG-101F # diag sys session filter dst 192.168.40.1  FG-101F # diag sys session list  session info: proto=1 proto_state=00 duration=37698 expire=58 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=0.0.0.0/18.193.132.248 vlan_cos=0/0 state=local may_dirty npu  statistic(bytes/packets/allow_err): org=497040/8284/1 reply=56820/947/1 tuples=2 tx speed(Bps/kbps): 13/0 rx speed(Bps/kbps): 1/0 orgin->sink: org pre->in, reply out->post dev=77->36/36->78 gwy=192.168.40.1/0.0.0.0 hook=pre dir=org act=noop 172.31.40.192:1->192.168.40.1:8(0.0.0.0:0) hook=post dir=reply act=noop 192.168.40.1:1->172.31.40.192:0(0.0.0.0:0) misc=0 policy_id=53 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0 serial=000057c8 tos=ff/ff app_list=0 app=0 url_cat=0 rpdb_link_id=00000000 ngfwid=n/a npu_state=0x000001 no_offload npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000 vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0 no_ofld_reason:  local disabled-by-policy total session 1  FG-101F # diag sniff packet any 'host 172.31.40.192 and icmp' 4 0 1 interfaces=[any] filters=[host 172.31.40.192 and icmp] 3.714953 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request 8.711020 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request 10.301561 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.13: icmp: echo request 10.301644 lan out 172.31.40.192 -> 192.168.40.13: icmp: echo request 10.301648 fortilink out 172.31.40.192 -> 192.168.40.13: icmp: echo request 10.301653 x2 out 172.31.40.192 -> 192.168.40.13: icmp: echo request 10.301761 lan in 192.168.40.13 -> 172.31.40.192: icmp: echo reply 10.301790 vpn-0d40f99b-2 out 192.168.40.13 -> 172.31.40.192: icmp: echo reply 13.710008 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request ^C 9 packets received by filter 0 packets dropped by kernel  FG-101F # show firewall policy 53 config firewall policy     edit 53         set name "aws to office lan"         set uuid 813dbc08-842a-51ef-e803-b022fa3ef30e         set srcintf "vpn-0d40f99b"         set dstintf "lan"         set action accept         set srcaddr "AWS"         set dstaddr "lan address"         set schedule "always"         set service "ALL"         set logtraffic all         set capture-packet enable         set auto-asic-offload disable     next end  FG-101F # show firewall policy 59 config firewall policy     edit 59         set name "aws 2 to lan"         set uuid 872e1386-842c-51ef-2e34-67700f53b3ed         set srcintf "vpn-0d40f99b-2"         set dstintf "lan"         set action accept         set srcaddr "AWS"         set dstaddr "lan address"         set schedule "always"         set service "ALL"         set logtraffic all         set capture-packet enable         set auto-asic-offload disable     next end

I have discovered something strange (maybe), though. There is a mismatch in the static routes in the GUI and CLI (have removed routes not relevant, here):

FG-101F # get router info routing-table static Routing table for VRF=0 S*      0.0.0.0/0 [10/0] via 195.159.198.177, wan1, [1/0] S       169.254.87.188/30 [5/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0] S       169.254.91.32/30 [5/0] via vpn-0d40f99b tunnel 18.193.132.248, [1/0] S       172.31.0.0/16 [20/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0]

sjoshi

Staff

reg the routing table output.

share below output

get router info routing-table all

get router info routing-table database

Thanks, Salon

chocolateeaterAuthor

New Member

Hi, @sjoshi.

I have changed interface IP to 192.168.40.1. So that is the correct IP.

Here is the full output:

FG-101F # get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP        O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area        V - BGP VPNv4        * - candidate default  Routing table for VRF=0 S*      0.0.0.0/0 [10/0] via 195.159.198.177, wan1, [1/0] C       10.10.1.0/24 is directly connected, guest_wlan S       10.10.1.2/32 [15/0] via VPN tunnel 10.10.1.2, [1/0] S       10.10.1.3/32 [15/0] via VPN tunnel 10.10.1.3, [1/0] S       10.10.10.0/24 [10/0] via Intro SD tunnel 193.71.92.26, [1/0] C       10.253.240.0/20 is directly connected, wqt.root C       10.255.11.0/24 is directly connected, quarantine C       10.255.12.0/24 is directly connected, rspan C       10.255.13.0/24 is directly connected, nac_segment C       169.254.1.0/24 is directly connected, fortilink C       169.254.2.1/32 is directly connected, VPN C       169.254.2.15/32 is directly connected, SW to FG S       169.254.87.188/30 [5/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0] C       169.254.87.190/32 is directly connected, vpn-0d40f99b-2 S       169.254.91.32/30 [5/0] via vpn-0d40f99b tunnel 18.193.132.248, [1/0] C       169.254.91.34/32 is directly connected, vpn-0d40f99b C       172.18.0.0/21 is directly connected, intro_guest_w S       172.31.0.0/16 [20/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0] C       192.168.19.0/24 is directly connected, port12 C       192.168.22.0/24 is directly connected, port7 C       192.168.24.0/24 is directly connected, port6 C       192.168.25.0/24 is directly connected, teknisk lan C       192.168.28.0/24 is directly connected, port9 C       192.168.31.0/24 is directly connected, port2 C       192.168.40.0/24 is directly connected, lan C       192.168.41.0/24 is directly connected, wlan ap C       192.168.50.0/24 is directly connected, wifi lan C       192.168.55.0/24 is directly connected, guest_b C       192.168.60.0/28 is directly connected, intro_info C       192.168.62.0/29 is directly connected, intro_klang C       192.168.63.0/29 is directly connected, intro_present C       192.168.98.0/24 is directly connected, intro_ph_access  FG-101F # get router info routing-table database Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP        O - OSPF, IA - OSPF inter area        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2        E1 - OSPF external type 1, E2 - OSPF external type 2        i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area        V - BGP VPNv4        > - selected route, * - FIB route, p - stale info  Routing table for VRF=0 S    *> 0.0.0.0/0 [10/0] via 195.159.198.177, wan1, [1/0] C    *> 10.10.1.0/24 is directly connected, guest_wlan S       10.10.1.0/24 [10/0] is directly connected, VPN, [1/0] S    *> 10.10.1.2/32 [15/0] via VPN tunnel 10.10.1.2, [1/0] S    *> 10.10.1.3/32 [15/0] via VPN tunnel 10.10.1.3, [1/0] S    *> 10.10.10.0/24 [10/0] via Intro SD tunnel 193.71.92.26, [1/0] C    *> 10.253.240.0/20 is directly connected, wqt.root C    *> 10.255.11.0/24 is directly connected, quarantine C    *> 10.255.12.0/24 is directly connected, rspan C    *> 10.255.13.0/24 is directly connected, nac_segment C    *> 169.254.1.0/24 is directly connected, fortilink C    *> 169.254.2.1/32 is directly connected, VPN C    *> 169.254.2.15/32 is directly connected, SW to FG S    *> 169.254.87.188/30 [5/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0] C    *> 169.254.87.190/32 is directly connected, vpn-0d40f99b-2 S    *> 169.254.91.32/30 [5/0] via vpn-0d40f99b tunnel 18.193.132.248, [1/0] C    *> 169.254.91.34/32 is directly connected, vpn-0d40f99b C    *> 172.18.0.0/21 is directly connected, intro_guest_w S       172.31.0.0/16 [10/0] via vpn-0d40f99b tunnel 18.193.132.248 inactive, [1/0] S    *> 172.31.0.0/16 [20/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0] C    *> 192.168.19.0/24 is directly connected, port12 C    *> 192.168.22.0/24 is directly connected, port7 C    *> 192.168.24.0/24 is directly connected, port6 C    *> 192.168.25.0/24 is directly connected, teknisk lan C    *> 192.168.28.0/24 is directly connected, port9 C    *> 192.168.31.0/24 is directly connected, port2 S       192.168.40.0/24 [10/0] is directly connected, l2t.root, [1/0] C    *> 192.168.40.0/24 is directly connected, lan C    *> 192.168.41.0/24 is directly connected, wlan ap C    *> 192.168.50.0/24 is directly connected, wifi lan C    *> 192.168.55.0/24 is directly connected, guest_b C    *> 192.168.60.0/28 is directly connected, intro_info

Why is this one inactive...? In the GUI it is not. Normal?

172.31.0.0/16 [10/0] via vpn-0d40f99b tunnel 18.193.132.248 inactive, [1/0]

sjoshi

Staff

I can see from the remote side AWS the traffic is being received on the TNL vpn-0d40f99b but on the FGT side you have route via vpn-0d40f99b-2 .. in that case RFP check will fail and it will drop the packet
S *> 172.31.0.0/16 [20/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0]

Soln:-
Make the host behind AWS to sent traffic via 2nd IPSEC TNL that makes FGT to receive the traffic on via vpn-0d40f99b-2

Now why 172.31.0.0/16 [10/0] via vpn-0d40f99b tunnel 18.193.132.248 inactive, [1/0] is in activeFor this I need few more answer.

Is it part of sdwan?
Have you setup link monitor
config system link-monitor
show

Can you confirm the IPSEC TNL for vpn-0d40f99b is up?
diagnose vpn ike gateway list name vpn-0d40f99b

Thanks, Salon

chocolateeaterAuthor

New Member

Hi, @sjoshi .

Not using SD WAN. Not sure if I can direct traffic to a particular tunnel in AWS, but will look into it. Link monitor is in use, which is why it doesn't work to bring tunnel 2 down, it just goes back up.

Here is the output:

FG-101F (link-monitor) # show config system link-monitor     edit "awsmon"         set srcintf "vpn-0d40f99b"         set server "169.254.87.189"         set interval 2000         set recoverytime 2     next end  FG-101F # diagnose vpn ike gateway list  (...) vd: root/0 name: vpn-0d40f99b version: 1 interface: wan1 7 addr: 195.159.198.179:4500 -> 18.193.132.248:4500 tun_id: 18.193.132.248/::18.193.132.248 remote_location: 0.0.0.0 network-id: 0 virtual-interface-addr: 169.254.91.34 -> 169.254.91.33 created: 673s ago peer-id: 18.193.132.248 peer-id-auth: no nat: peer IKE SA: created 1/1  established 1/1  time 70/70/70 ms IPsec SA: created 1/1  established 1/1  time 110/110/110 ms    id/spi: 60 6aae36d77afa1460/36d8f791bc7116d6   direction: initiator   status: established 673-673s ago = 70ms   proposal: aes128-sha1   key: 7fe3cff0abdbaaa7-08161b3d67bfa247   lifetime/rekey: 28800/27826   DPD sent/recv: 00000000/4522f231   peer-id: 18.193.132.248

sjoshi

Staff

Can you share below command:-

diagnose sys link-monitor status

Seems your link monitor from tnl vpn-0d40f99b is down that is causing the issue

Thanks, Salon

chocolateeaterAuthor

New Member

FG-101F # diagnose sys link-monitor status  Link Monitor: awsmon, Status: dead, Server num(1), HA state: local(dead), shared(dead) Flags=0x9 init log_downgateway, Create time: Wed Dec  4 22:32:44 2024 Source interface: vpn-0d40f99b (77) VRF: 0 Interval: 2000 ms Service-detect: disable Diffservcode: 000000 Class-ID: 0   Peer: 169.254.87.189(169.254.87.189)          Source IP(169.254.91.34)         Route: 169.254.91.34->169.254.87.189/32, gwy(18.193.132.248)         protocol: ping, state: dead                 Packet lost: 100.000%                 MOS: 4.350                 Number of out-of-sequence packets: 0                 Recovery times(0/2) Fail Times(2/5)                 Packet sent: 25367, received: 0, Sequence(sent/rcvd/exp): 25368/0/0

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded