Moxeq
Explorer
December 25, 2023
Solved

Hub and Spoke VPN issue


Hello guys,

I'm facing an issue with the hub-and-spoke topology shown in the picture. I newly added Spoke1 to the topology, and I can ping from any device behind the spoke subnets to the subnet behind Spoke1, but not the reverse!

I can ping from (172.16.11.2) behind Spoke1 to (10.11.22.14) behind the Hub.

But I cannot ping from (172.16.11.2) behind Spoke1 to (172.16.6.28) behind Spoke3 (the reverse ping is working!).

The funniest thing is that another IP from the same subnet is pingable!

When I try to ping (172.16.6.233), it just works fine.

Any idea? (attached image: HubANDspokeimage.png)

 


3 replies

dbu
Staff
December 25, 2023

Hi @Moxeq,

Analyzing what you provided, there is no routing or configuration issue, since you are able to ping another IP from the same subnet. I would advise having a look at the configuration of the device which is not reachable. (Ping the gateway and then ping the Spoke1 subnet.)

adimailig
Staff & Editor
December 26, 2023

As per the behaviour, it seems ping is not allowed on the destination device 172.16.6.28.
To further confirm that traffic is being received and forwarded by the Spoke3 FortiGate, kindly run a packet capture (sniffer) or debug flow.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560

Also, please share a traceroute to check where the traffic stops.
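The reply above suggests a sniffer capture on Spoke3 to see how far the echo request gets. The following is an added example for this thread (not code from the poster, the repliers, or Fortinet): a small parser for the lines that `diagnose sniffer packet any 'host 172.16.11.2 and icmp' 4` prints on a FortiGate (assumed line format: `<time> <interface> <in|out> <src> -> <dst>: icmp: echo request|reply`), plus a classifier that reports at which of the four forwarding stages the exchange stops. The capture embedded below is constructed to mimic the thread's symptom: the request to 172.16.6.28 is forwarded to the LAN but never answered, while 172.16.6.233 replies normally. Interface names (`Spoke1-VPN`, `port2`) are assumptions.

```python
"""Classify where an ICMP echo exchange stops, from FortiGate sniffer output.

Added example for this thread, not the original poster's or Fortinet's code.
Input is the text that `diagnose sniffer packet any '<filter>' 4` prints on a
FortiGate (assumed format: "<time> <iface> <in|out> <src> -> <dst>: icmp: <type>").
"""
import re
from dataclasses import dataclass

# Constructed sample, not a real capture from the thread. Scenario: the echo
# request from 172.16.11.2 (behind Spoke1) arrives on Spoke3's tunnel and is
# forwarded to the LAN, but 172.16.6.28 never answers; 172.16.6.233 does.
# Interface names are assumed.
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[host 172.16.11.2 and icmp]
1.000123 Spoke1-VPN in 172.16.11.2 -> 172.16.6.28: icmp: echo request
1.000201 port2 out 172.16.11.2 -> 172.16.6.28: icmp: echo request
2.000144 Spoke1-VPN in 172.16.11.2 -> 172.16.6.28: icmp: echo request
2.000230 port2 out 172.16.11.2 -> 172.16.6.28: icmp: echo request
5.100001 Spoke1-VPN in 172.16.11.2 -> 172.16.6.233: icmp: echo request
5.100099 port2 out 172.16.11.2 -> 172.16.6.233: icmp: echo request
5.100377 port2 in 172.16.6.233 -> 172.16.11.2: icmp: echo reply
5.100450 Spoke1-VPN out 172.16.6.233 -> 172.16.11.2: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)


@dataclass(frozen=True)
class Pkt:
    ts: float
    iface: str
    direction: str
    src: str
    dst: str
    kind: str


def parse_sniffer(text):
    """Parse sniffer output into Pkt records; header lines and non-echo traffic are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append(Pkt(float(m["ts"]), m["iface"], m["dir"],
                            m["src"], m["dst"], m["kind"]))
    return pkts


def diagnose(pkts, src, dst):
    """Return where the echo exchange src -> dst breaks on the capturing FortiGate.

    Stages in forwarding order:
      req_in  - request arrived (from the tunnel / remote spoke)
      req_out - request forwarded toward the host (route + policy OK)
      rep_in  - host answered (it has a route back and does not filter ICMP)
      rep_out - reply forwarded back into the tunnel (reverse route + policy OK)
    """
    seen = {stage: False for stage in ("req_in", "req_out", "rep_in", "rep_out")}
    for p in pkts:
        if (p.src, p.dst, p.kind) == (src, dst, "request"):
            seen["req_in" if p.direction == "in" else "req_out"] = True
        elif (p.src, p.dst, p.kind) == (dst, src, "reply"):
            seen["rep_in" if p.direction == "in" else "rep_out"] = True
    if not seen["req_in"]:
        return "request never reached this FortiGate: look at the sending spoke or the hub"
    if not seen["req_out"]:
        return "request dropped here: check the route to the host and the tunnel->LAN policy"
    if not seen["rep_in"]:
        return "host did not answer: check its gateway/route back and its host firewall"
    if not seen["rep_out"]:
        return "reply dropped here: check the reverse route and the LAN->tunnel policy"
    return "ok: full echo exchange seen"


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE_CAPTURE)
    for host in ("172.16.6.28", "172.16.6.233"):
        print(host, "->", diagnose(pkts, "172.16.11.2", host))
```

Run the capture on the FortiGate in front of the unreachable host while pinging from the far side, paste the output into `parse_sniffer`, and the stage that is missing tells you whether to look at the spoke, at the FortiGate's routes and policies, or at the host itself. A `diagnose debug flow` trace gives the same split with the matched route and policy names, which is the next step when the request is seen inbound but not forwarded.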

Moxeq (author, best answer)
Explorer
December 28, 2023

Hi all,

The issue is resolved, but I did a workaround: I enabled NAT on the outgoing policy on Spoke1.

All the other spokes and the hub are working without NAT enabled.

Something bad happens in the routing when traffic goes out from Spoke1 to the other spokes; I have not figured it out yet.

If anyone has an idea, please share it here.

Thx