ergalez
New Member
November 25, 2021
Question

IPsec Tunnel Interface is UP, but I can't ping the remote PC


Hi, I have 2 FortiGates, a 60E and a 20C. I have established the IPsec tunnels for a site-to-site VPN. The tunnel on both FortiGates appears to me to be up, but I cannot ping between the LAN networks. I have set the static route and added the access policies. I don't know what else to do. And if I check the IPsec monitor, I see that there is incoming and outgoing traffic. (screenshot: evidencia.png)

7 replies

Shivasagar
Staff
November 25, 2021

Hello,
In the firewall policy, are you logging all allowed traffic? Do you see any Rx for a particular log entry, or only Tx?
You can get more information about the traffic using the debug flow below with appropriate filters.
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow
This would show you where the packet is going.

ergalez (Author)
New Member
November 29, 2021

Hi ShivSagar, thank you. Yeah, in the firewall policy I am logging all allowed traffic. With the packet debug flow I see the packet that I send, on both FortiGates, coming in on the VPN interface. But it still doesn't ping; what I notice on both FortiGates in the IPsec monitor is that there is only Outgoing Data and no Incoming Data.

I don't know what else to do. I deleted the VPNs and recreated them, I flushed and reset the tunnel, and it remains the same :(

rwpatterson
New Member
November 29, 2021

Make sure that the distance for the static routes for the tunnels has a smaller number for the distance than the default.

ergalez (Author)
New Member
November 29, 2021

Hi Bob, thanks for your time. I have configured the static route with distance 1 on both FortiGates, but I still can't ping. If you have time, and even if there is a cost involved, could you help me solve this problem please?

(screenshots: Static1.png, Static2.png)

Shivasagar
Staff
November 30, 2021

From the CLI, can you check the output of "get router info routing-table details <remote IP>" to view the route it is taking, and check whether it's the correct one?

sw2090
SuperUser
December 1, 2021

Are you sure the tunnel is up completely? In firmware prior to 6.4 the IPsec Monitor (and also the IKE debug log) does not show Phase 2. Since 6.4 it does show Phase 2, at least in the IPsec Monitor.

So maybe your Phase 1 came up and the tunnel is marked as up in the monitor, but Phase 2 is not up. Unfortunately that is rather hard to debug as there are no logs for Phase 2 :(

The result would be that no traffic can yet pass your tunnel...

ergalez (Author)
New Member
December 1, 2021

Hi sw2090, thank you for your time.

I followed this link to troubleshoot the IPsec phases:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955?externalID=FD46611

And if I run this command on my FortiGate 60E, the status of Phase 1 is established.

(screenshot: ergalez_0-1638367634816.png)

And if I check Phase 2, SA=1, which I think indicates the IPsec SA is matching and there is traffic between the selectors.

(screenshot: ergalez_1-1638367827949.png)

I honestly don't know what else to do. I've thought about restarting the FortiGates, but I'm afraid that the other VPNs I have configured will stop working as well.

 

sw2090
SuperUser
SuperUser
December 1, 2021

Yes it does. So the tunnel is up completely.

Did you try to flow-trace the traffic to see if it matches the policies and the routing is correct?

diag debug enable
diag debug flow filter daddr=<destinationip>
diag debug flow filter saddr=<sourceip>
diag debug flow trace start <numberofpackets>

That will show you what the FGT does with the traffic.

The FGT uses the routing table to determine the path to the destination in step #1.

In step #2 it looks for a matching policy. It goes top down, and the first match wins the packet.

If there is no policy that matches, it hits policy #0 (which is the deny-everything-from/to-everywhere one).

However, the fact that the tunnel is up tells me that there has to be at least one policy that references it (because otherwise it would not come up). That does not necessarily mean that it matches your traffic, though...

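The two-step evaluation sw2090 describes (route lookup first, then top-down policy match, with policy 0 as the implicit deny) is what the trace output lets you read off. As an added example that is not part of this thread and not Fortinet's code, the following Python parses `diag debug flow trace` output and reports which step the packet failed at. The sample lines are constructed in the style of FortiOS debug-flow messages; the interface names (internal, ToBranch, wan1), addresses, policy ID and the peer 203.0.113.2 are assumptions, not values from the poster's devices.

```python
import re

# Message patterns for the debug-flow steps discussed in the post. These are
# matched against the msg="..." part of each line.
LINE_RE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+?)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)$')            # step 1: routing
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')                  # step 2: policy hit
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')  # step 2: policy 0
SEND_RE = re.compile(r'send to ([\d.]+) via intf-(\S+)')           # ESP leaves on the WAN

# Constructed sample traces (assumed names/addresses), not captured output.
SAMPLE_ALLOWED = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->192.168.2.10:2048) from internal. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5804 msg="allocate a new session-0000b2c1"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.2.10 via ToBranch"
id=20085 trace_id=1 func=fw_forward_handler line=787 msg="Allowed by Policy-7:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=671 msg="enter IPSec interface-ToBranch, tun_id=0.0.0.0"
id=20085 trace_id=1 func=esp_output4 line=860 msg="IPsec encrypt/auth"
id=20085 trace_id=1 func=ipsec_output_finish line=623 msg="send to 203.0.113.2 via intf-wan1"
"""
SAMPLE_DENIED = """\
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:1->192.168.2.10:2048) from internal. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5804 msg="allocate a new session-0000b2c2"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-192.168.2.10 via ToBranch"
id=20085 trace_id=2 func=fw_forward_handler line=787 msg="Denied by forward policy check (policy 0)"
"""


def parse_trace(text):
    """Group debug-flow lines by trace_id and extract the route, policy and
    IPsec encapsulation facts for each traced packet."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {
            "trace_id": tid, "src": None, "dst": None, "ingress": None,
            "route_intf": None, "policy": None, "allowed": None,
            "encrypted": False, "egress": None,
        })
        pkt, route = PKT_RE.search(msg), ROUTE_RE.search(msg)
        allow, deny, send = ALLOW_RE.search(msg), DENY_RE.search(msg), SEND_RE.search(msg)
        if pkt:
            t["src"], t["dst"], t["ingress"] = pkt.group(2), pkt.group(3), pkt.group(4)
        elif route:
            t["route_intf"] = route.group(1)
        elif allow:
            t["policy"], t["allowed"] = int(allow.group(1)), True
        elif deny:
            t["policy"], t["allowed"] = int(deny.group(1)), False
        elif "IPsec encrypt/auth" in msg:
            t["encrypted"] = True
        elif send:
            t["egress"] = (send.group(1), send.group(2))
    return traces


def diagnose(t, tunnel_intf):
    """One-line verdict, checked in the order the FortiGate evaluates a packet:
    routing (step 1), then policy (step 2), then IPsec encapsulation."""
    if t["route_intf"] is None:
        return f"step 1 (routing): no route lookup seen for {t['dst']}; check the static route"
    if t["route_intf"] != tunnel_intf:
        return (f"step 1 (routing): {t['dst']} is routed via {t['route_intf']}, not via tunnel "
                f"{tunnel_intf}; the static route is missing or loses to another route")
    if t["allowed"] is False:
        return (f"step 2 (policy): routed via {tunnel_intf} but denied by policy {t['policy']} "
                f"(implicit deny); no policy matches {t['ingress']} -> {tunnel_intf} "
                f"for {t['src']} -> {t['dst']}")
    if not t["encrypted"] or t["egress"] is None:
        return f"allowed by policy {t['policy']} but no ESP was emitted; check the phase 2 selectors"
    return (f"allowed by policy {t['policy']}, encrypted and sent to {t['egress'][0]} via "
            f"{t['egress'][1]}; this side is fine, trace the reply on the peer")


if __name__ == "__main__":
    for tid, t in sorted(parse_trace(SAMPLE_ALLOWED + SAMPLE_DENIED).items()):
        print(f"trace {tid}: {diagnose(t, 'ToBranch')}")
```

Paste real trace output in place of the samples and pass the tunnel interface name; a trace that ends with "send to ... via intf-wanX" proves this side routed, allowed and encrypted the packet, so the missing Incoming Data then has to be chased on the peer or on the path between them.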
Sylvan
New Member
December 1, 2021

Could you please check if you are filtering the traffic that is traversing the VPN on your phase 2? If the static route is correct, if the security policies are correct, then the only thing I can think of is the phase 2 configuration. 

Harbib
Staff
December 1, 2021

Hello,

You can try disabling the NP acceleration for the IPsec VPN phase 1 on the 60E, and perform the test again:

https://docs.fortinet.com/document/fortigate/7.0.0/hardware-acceleration/636026/disabling-np-acceleration-for-individual-ipsec-vpn-phase-1s

ergalez (Author)
New Member
December 2, 2021

Hi, thank you for your time. I disabled the NP acceleration for IPsec VPN phase 1 and I still can't receive inbound traffic, and port 500 is still used when I run this command:

diag sniffer packet any 'host <peer public ip>' 6 0 a

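The sniffer filter above is the right tool for the "only Outgoing Data" symptom: it shows whether any ESP actually arrives from the peer, independent of what the IPsec monitor counts. As an added example that is not part of this thread and not Fortinet's code, the following Python tallies the sniffer header lines per protocol and direction and turns that into a verdict. The sample is constructed in the style of the FortiOS sniffer's header lines (hex-dump lines from verbosity 6 are skipped); the interface wan1, the addresses 198.51.100.1 and 203.0.113.2, and the SPI are assumptions. Treating every UDP/4500 packet as NAT-T traffic is also an assumption: with NAT-T both IKE and UDP-encapsulated ESP use 4500, and only the payload (a 4-byte zero marker for IKE, a non-zero SPI for ESP) tells them apart.

```python
import re
from collections import Counter

# Header line: "<date> <time> <intf> <in|out> <src[.port]> -> <dst[.port]>: <rest>"
HDR_RE = re.compile(r'^\S+ \S+ (?P<intf>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): (?P<rest>.*)$')
ADDR_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?$')

# Constructed sample (assumed interface, addresses and SPI), not captured output.
# IKE in both directions, ESP only outbound, plus one verbosity-6 hex line.
SAMPLE = """\
2021-12-02 09:51:12.101234 wan1 out 198.51.100.1.500 -> 203.0.113.2.500: udp 312
2021-12-02 09:51:12.140231 wan1 in 203.0.113.2.500 -> 198.51.100.1.500: udp 296
2021-12-02 09:51:13.000001 wan1 out 198.51.100.1 -> 203.0.113.2: ESP(spi=0x9a1c3e02,seq=0x1)
0x0000\t 0009 0f09 0102 0050 56a1 b2c3 0800 4500
2021-12-02 09:51:14.000001 wan1 out 198.51.100.1 -> 203.0.113.2: ESP(spi=0x9a1c3e02,seq=0x2)
2021-12-02 09:51:15.000001 wan1 out 198.51.100.1 -> 203.0.113.2: ESP(spi=0x9a1c3e02,seq=0x3)
"""


def port_of(addr):
    """Return the trailing port of 'a.b.c.d.port', or None for a bare address."""
    m = ADDR_RE.match(addr)
    return int(m.group(2)) if m and m.group(2) else None


def classify(src, dst, rest):
    """esp: raw ESP; udp4500: NAT-T (IKE or ESP-in-UDP, assumed indistinguishable
    here); ike: IKE on UDP/500; other: anything else to/from the peer."""
    sp, dp = port_of(src), port_of(dst)
    if rest.startswith("ESP("):
        return "esp"
    if 4500 in (sp, dp):
        return "udp4500"
    if 500 in (sp, dp):
        return "ike"
    return "other"


def count_directions(text):
    """Count packets by (kind, direction); lines that are not headers are skipped."""
    counts = Counter()
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if not m:
            continue
        counts[(classify(m["src"], m["dst"], m["rest"]), m["dir"])] += 1
    return counts


def verdict(counts):
    esp_out = counts[("esp", "out")] + counts[("udp4500", "out")]
    esp_in = counts[("esp", "in")] + counts[("udp4500", "in")]
    ike = counts[("ike", "in")] + counts[("ike", "out")] + counts[("udp4500", "in")] + counts[("udp4500", "out")]
    if esp_out and not esp_in:
        return ("ESP leaves this FortiGate but none comes back: the peer is not sending "
                "(its route, policy or phase 2 selector) or something on the path drops ESP; "
                "this side's encryption path is not the problem")
    if esp_in and not esp_out:
        return "ESP arrives but this side sends none: run the debug flow here for the outbound packet"
    if not esp_in and not esp_out:
        return ("only IKE, no ESP in either direction: no traffic is being selected into the tunnel"
                if ike else "nothing from the peer matched the filter")
    return ("ESP in both directions: encryption works; if pings still fail, the decrypted "
            "traffic is being dropped by routing or policy on ingress")


if __name__ == "__main__":
    c = count_directions(SAMPLE)
    for (kind, direction), n in sorted(c.items()):
        print(f"{kind:8s} {direction:3s} {n}")
    print(verdict(c))
```

Run it against a few seconds of sniffer output captured while pinging from the LAN. If the tally shows IKE on 500 but the peer is behind NAT, expect the ESP to show up as udp 4500 rather than ESP(...); if it shows up in neither form, the peer never put anything into the tunnel.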

pavankr5
Staff
October 12, 2023

Hello,

Please check this article on not being able to ping the IPsec VPN remote peer network:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Not-able-to-ping-the-Ipsec-VPN-remote-peer/ta-p/195439

Thanks,
Pavan