touqeeranjum
Explorer
February 19, 2026
Question

Need To Understand Traffic Path from InterVDOM Link ?!

  • February 19, 2026
  • 3 replies
  • 679 views

Hi All,

I have not done this setup but I need to configure it so I'm trying to understand what needs to be done.

I have the below setup where a BBU is supposed to reach the Target IP but it doesn't..


I performed a packet capture with the sniffer and found the below; 10.2.186.30 needs to reach the Target over the 2 IPSec Tunnels..


2026-02-18 14:05:59.077617 CORE in 10.2.186.30 -> 10.136.137.34:  ip-proto-132 16
2026-02-18 14:05:59.077620 CORE in 10.2.186.30 -> 10.136.137.33:  ip-proto-132 16
2026-02-18 14:05:59.077624 VDOMA-VDOMB0 out 10.2.186.30 -> 10.136.137.34:  ip-proto-132 16
2026-02-18 14:05:59.077626 VDOMA-VDOMB0 out 10.2.186.30 -> 10.136.137.33:  ip-proto-132 16
2026-02-18 14:05:59.077627 CORE in 10.2.186.30 -> 10.136.137.34:  ip-proto-132 48
2026-02-18 14:05:59.077629 VDOMA-VDOMB1 in 10.2.186.30 -> 10.136.137.33:  ip-proto-132 16
2026-02-18 14:05:59.077644 VDOMA-VDOMB0 out 10.2.186.30 -> 10.136.137.34:  ip-proto-132 48
2026-02-18 14:05:59.077646 VDOMA-VDOMB1 in 10.2.186.30 -> 10.136.137.34:  ip-proto-132 16
2026-02-18 14:05:59.077649 VDOMA-VDOMB1 in 10.2.186.30 -> 10.136.137.34:  ip-proto-132 48
2026-02-18 14:05:59.081268 CORE in 10.2.186.30 -> 10.136.137.33:  ip-proto-132 48
2026-02-18 14:05:59.081281 VDOMA-VDOMB0 out 10.2.186.30 -> 10.136.137.33:  ip-proto-132 48
2026-02-18 14:05:59.081283 VDOMA-VDOMB1 in 10.2.186.30 -> 10.136.137.33:  ip-proto-132 48

My packet capture shows the packets from the BBU come to the InterVDOM Link 172.16.121.2 and then nothing happens..

To start, can I know if there is supposed to be a Static Route between the InterVDOM link and the IPSec between VDOMB and the Target?


3 replies

touqeeranjum
Explorer
February 19, 2026

There is a policy in place allowing traffic from the InterVDOM link to TUN IPSec, but still the BBU can't reach the Target IP..

funkylicious
SuperUser
February 19, 2026

In regards to routes:

- on vdom A you need a route to the 10.136.137.X subnet/host towards 172.16.121.2

- on vdom B you need a route to 10.2.186.X towards 172.16.121.1

In regards to firewall rules:

- on vdom A: WAN to inter-vdom link

- on vdom B: inter-vdom link to IPsec tunnel (if the source is not part of the selectors of the IPsec tunnel then you need to NAT to an IP that is)


On the remote end you need rules to permit the traffic and a route back.

"jack of all trades, master of none"
touqeeranjum
Explorer
February 19, 2026

Appreciate it @funkylicious 


I'm checking these..

Toshi_Esumi
SuperUser
February 19, 2026

How far can a traceroute from the BBU go toward the Target? My guess is it dies at VDOMB, based on your sniffing output.
If you're sure of 1) the route into the "TUN" tunnel, 2) the phase2 selector including it (or 0/0<->0/0), and 3) a set of policies allowing both ways between VDOMA-VDOMB0 and TUN, you need to run a flow debug to see why the traffic is dropped at VDOMB.

https://docs.fortinet.com/document/fortigate/7.6.6/administration-guide/54688/debugging-the-packet-flow

Toshi

touqeeranjum
Explorer
February 20, 2026

Thanks for this, ran the command and found the below..


VDOMA InterVDOM Link

FTG-LD3-01 (VDOMA) # id=65308 trace_id=202 func=print_pkt_detail line=6019 msg="vd-VDOMA:0 received a packet(proto=132, 10.2.186.30:32768->10.136.137.33:36412) tun_id=10.2.186.30 from OneCell-CORE. "
id=65308 trace_id=202 func=ipsec_spoofed4 line=243 msg="src ip 10.2.186.30 match selector 0 range 10.2.186.30-10.2.186.30"
id=65308 trace_id=202 func=init_ip_session_common line=6220 msg="allocate a new session-074d5d7a"
id=65308 trace_id=202 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-0.0.0.0 via VDOMA-MNO1B0"
id=65308 trace_id=202 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=18, len=3"
id=65308 trace_id=202 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=203 func=print_pkt_detail line=6019 msg="vd-VDOMA:0 received a packet(proto=132, 10.2.186.30:32767->10.136.137.34:36412) tun_id=10.2.186.30 from OneCell-CORE."


VDOMB InterVDOM Link

id=65308 trace_id=236 func=ipsec_spoofed4 line=243 msg="src ip 10.2.186.30 match selector 0 range 10.2.186.30-10.2.186.30"
id=65308 trace_id=236 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-0.0.0.0 via VDOMA-MNO1B0"
id=65308 trace_id=237 func=print_pkt_detail line=6019 msg="vd-MNO1B:0 received a packet(proto=132, 10.2.186.30:32768->10.136.137.33:36412) tun_id=0.0.0.0 from VDOMA-VDOMB. "
id=65308 trace_id=237 func=ip_route_input_slow line=1696 msg="reverse path check fail, drop"
id=65308 trace_id=237 func=ip_session_handle_no_dst line=6306 msg="trace"
id=65308 trace_id=238 func=print_pkt_detail line=6019 msg="vd-VDOMA:0 received a packet(proto=132, 10.2.186.30:32768->10.136.137.33:36412) tun_id=10.2.186.30 from OneCell-CORE."
id=65308 trace_id=238 func=ipsec_spoofed4 line=243 msg="src ip 10.2.186.30 match selector 0 range 10.2.186.30-10.2.186.30"
id=65308 trace_id=238 func=init_ip_session_common line=6220 msg="allocate a new session-074d64f4"
id=65308 trace_id=238 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-0.0.0.0 via VDOMA-MNO1B0"
id=65308 trace_id=238 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=18, len=3"
id=65308 trace_id=238 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=239 func=print_pkt_detail line=6019 msg="vd-VDOMA:0 received a packet(proto=132, 10.2.186.30:32767->10.136.137.34:36412) tun_id=10.2.186.30 from OneCell-CORE."


esalija
Staff
February 20, 2026

Hi @touqeeranjum 


"vdomA" is receiving packets from onecell-core with source IP 10.2.186.30 and destination IPs 10.136.137.33 and 10.136.137.34.
The logs show that a route is found with a gateway of 0.0.0.0 via vdomA-MNO1B0, which suggests that the routing table is being consulted.
The critical issue appears to be that the packets are being "denied by forward policy check (policy 0)". This indicates that there is no matching firewall policy allowing the traffic between these VDOMs.
In the case of vdomb, there is a "reverse path check fail, drop" message, which suggests that the reverse path forwarding (RPF) check is failing. This could be due to asymmetric routing or incorrect routing configurations.

Ensure that there are appropriate firewall policies in place to allow traffic between VDOMA and VDOMB. You need to create or modify policies to permit the specific traffic flows.
Verify the routing configurations to ensure that the routes are correctly set up for both forward and reverse paths. This includes checking static routes and ensuring that the next-hop addresses are reachable.
If RPF checks are enabled, ensure that the routing is symmetric, or consider disabling RPF checks if appropriate for your network design.

https://docs.fortinet.com/document/fortiadc/6.2.3/handbook/825811/linking-vdoms-for-inter-vdom-routing
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Difference-and-understanding-between-NPU-Vdom-link/ta-p/212709
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-route-traffic-from-one-VDOM-to-another-one/ta-p/197704
Best regards,
Erlin
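The two verdicts Erlin picks out above ("Denied by forward policy check" in VDOMA and "reverse path check fail, drop" in VDOMB) are easy to miss when `diagnose debug flow` output arrives as one long line. The parser below is an added example, not code from the thread or from Fortinet: it groups records by trace_id, extracts the VDOM, 5-tuple, ingress interface and chosen egress from the lines quoted here, and reports which traces were dropped and why. The sample records are constructed from the shape of the output in this thread, and the regexes assume that message layout.

```python
import re
from collections import OrderedDict

# Constructed sample: records in the shape quoted in the thread (trace 202 in VDOMA, trace 237 in VDOMB).
SAMPLE = (
    'id=65308 trace_id=202 func=print_pkt_detail line=6019 msg="vd-VDOMA:0 received a packet(proto=132, '
    '10.2.186.30:32768->10.136.137.33:36412) tun_id=10.2.186.30 from OneCell-CORE. " '
    'id=65308 trace_id=202 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=00000000 gw-0.0.0.0 via VDOMA-MNO1B0" '
    'id=65308 trace_id=202 func=fw_forward_handler line=839 msg="Denied by forward policy check (policy 0)" '
    'id=65308 trace_id=237 func=print_pkt_detail line=6019 msg="vd-MNO1B:0 received a packet(proto=132, '
    '10.2.186.30:32768->10.136.137.33:36412) tun_id=0.0.0.0 from VDOMA-VDOMB. " '
    'id=65308 trace_id=237 func=ip_route_input_slow line=1696 msg="reverse path check fail, drop" '
)

# One record: id=... trace_id=... func=... line=... msg="..."
RECORD = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="([^"]*)"')
# The print_pkt_detail message: VDOM, protocol, 5-tuple and ingress interface.
PKT = re.compile(r'vd-(\S+?):\d+ received a packet\(proto=(\d+), (\S+?):(\d+)->(\S+?):(\d+)\).*?from (\S+?)\.')
# Drop reasons seen in the thread, mapped to what to check next.
DROP_HINTS = {
    "Denied by forward policy check": "no firewall policy matches this ingress/egress interface pair",
    "reverse path check fail": "RPF failure: no route back to the source via the ingress interface",
}

def parse_traces(text):
    """Group records by trace_id; record VDOM, 5-tuple, ingress, chosen egress and any drop verdict."""
    traces = OrderedDict()
    for _id, tid, func, _line, msg in RECORD.findall(text):
        t = traces.setdefault(tid, {"events": []})
        t["events"].append((func, msg))
        m = PKT.search(msg)
        if m:
            t.update(vdom=m.group(1), proto=int(m.group(2)), src=m.group(3),
                     dst=m.group(5), ingress=m.group(7))
        if msg.startswith("find a route"):
            t["egress"] = msg.rsplit("via ", 1)[-1]   # interface the route points at
        for hint, meaning in DROP_HINTS.items():
            if hint in msg:
                t["drop"] = meaning
    return traces

def dropped(traces):
    """Return [(trace_id, src, dst, vdom, reason)] for every trace that ended in a drop."""
    return [(tid, t.get("src"), t.get("dst"), t.get("vdom"), t["drop"])
            for tid, t in traces.items() if "drop" in t]

if __name__ == "__main__":
    for tid, src, dst, vdom, reason in dropped(parse_traces(SAMPLE)):
        print(f"trace {tid}: {src}->{dst} dropped in {vdom}: {reason}")
```

Feeding the real output through `parse_traces` shows at a glance that the VDOMA trace found a route to VDOMA-MNO1B0 but no policy, while the VDOMB trace never reached a route lookup because the RPF check rejected the source.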