Skip to main content
mstoy
mstoy
New Member
August 28, 2022
Question

Fortigate IPSEC Site-to-Site drop incoming packet

  • August 28, 2022
  • 1 reply
  • 3972 views

Hello everybody! Sorry for my english. I have 2 FG-100E. First - 7.04 firmware, second - 7.2.1. Each has a separate ISP and IPSEC VPN tunnel with the client. BGP is configured with the client via VTI on each FG-100. IPsec is terminated on loopback interfaces. When the tunnel down on the first FG-100, the traffic is switched via BGP to another FG-100 via another ISP.

I use asymmetric routing to save the application session when switching between FG-100. 

The problem is that when traffic switches to second fortigate, AСK packets from the client are dropped. I don't watch them with a sniffer. BUT outgoing packets via tunnel reach the client.  If the client re-create the session and sends SYN, then it starts working normally аnd I'm watching the incoming packets with a sniffer.

What was done:
1. Decrease the MTU on the tunnel and applied "set honor-df disable"

2. "set npu-offload disable" on phase 1
3. "set replay disable" on phase2
4. diagnose debug vpn tunnel list show encr/decr packet

5. "set anti-replay disable"

The client claims to send packets and the same problem exists with other clients. 

The routing problem is excluded, because as soon as the client sends the SYN, I immediately see the packets and then everything works without loss.

Any idea what the problem is? Thanks

1 reply

tthrilok
Staff
tthrilok
Staff
August 29, 2022

Hi Mstoy,

 

Thank you for the query!

 

In this scenario, I understand your session was initiated from the first firewall, and if first firewall goes down, the session is expected to continue with second firewall. 

 

If that is the case, it is expected that firewall do not allow the session traffic which was established with other firewall, because the second firewall will not have an idea what are the sessions established with other firewall. 

 

Now when you establish the new session with second firewall, it will work fine, because the second firewall knows with what session the traffic needs to match.

 

Let us know if our understanding is wrong, if so, we would request you to please attach a topology of your network with client.

mstoy
mstoyAuthor
New Member
August 29, 2022

Hi Tthrilok, thanks for the reply!
Yes, session initiate from the first firewall.
When traffic moves to the second fortigate it really doesn't know about the session.

So I use the asymmetric routing option.

config system settings
    set asymroute enable
I expect if a non-syn packet arrives at the second fortigate then it will pass according to the routing table, without establishing a session and without checking the firewall rules
As described in the article:
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-the-FortiGate-behaves-when-asymmetric-routing/ta-p/198575?externalID=FD39943

Asymmetric routing is also enabled on first firewall. 

There are no IPS, antivirus, or other security options on these firewalls. So I use them partly as routers.

I turn on "debug flow" and "debug sniffer" and I don't understand why I don't see packages other than SYN.

i attach the schemescheme.jpg

Terms & ConditionsAccessibility statement