jevilsizor
New Member
November 30, 2017
Question

Problems with ADVPN rule

  • November 30, 2017
  • 1 reply
  • 3376 views

Long-time reader, first-time poster... Have a head-scratcher here...

Have a multi-site customer running ADVPN. ADVPN is established and I have my rules built. However, one of the subnets at the HUB site is not reachable; I can reach all other subnets at the hub site. I verified my routing is in place, and all my other spokes can reach this just fine. After I verified I didn't have any routing issues, I turned to policies. First I checked my HUB site to make sure I didn't need to add an address object to the inbound ADVPN rule. Nope, good there (it's set to All). So I moved to my branch site.

My spoke rule is:
Source:  Internal Zone

Dest: ADVPN HUB

Originating:  Internal Group (has all my internal subnets)

Dest: All

Services: All

NAT: Disabled

I do have a recursive rule as well.

When I do a policy lookup from any of my internal VLANs to 192.168.1.4 I get:

"Policy lookup matches the implicit deny policy. No explicit policy exists from source interface "Int-Wire-104" to destination interface "ADVPN HUB" as determined by a route lookup to "192.168.1.4""


Int-Wire-104 is part of my internal zone.

If I change it to 10.5.24.1, which is my core switch at the hub location, it hits the rule referenced above.

I tried deleting and rebuilding my rules as well, just to rule out a FortiOS bug we run into with SSL VPN rules from time to time, where we have to delete and rebuild them for them to work...

Firmware is 5.4.4

Model is a 200E

1 reply

jevilsizor
New Member
December 1, 2017

Actually figured out the issue last night... It was trying to route traffic to the management interface. As soon as it was disabled, traffic moved across the ADVPN as it should have.
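The thread above turns on one detail of how a FortiGate evaluates a policy lookup: the destination interface is not something the policy picks, it is the result of a route lookup, and the policy table is then searched for the (ingress interface, egress interface) pair. A more specific or lower-distance route, such as a connected route on a management port, silently changes that egress interface and the lookup falls through to the implicit deny even though the ADVPN policy is correct. The following is an added example written for this page, not code from the original post or from Fortinet; it is a simplified Python model of that two-step lookup. The interface names other than Int-Wire-104 and ADVPN HUB, the policy names, the administrative distances, and the assumption that the management port carried an address in 192.168.1.0/24 are all hypothetical, chosen only to reproduce the symptom described in the question and the fix described in the reply.

```python
"""Simplified model of a FortiGate policy lookup: a route lookup first picks the
egress interface, then firewall policies are matched on (ingress, egress).

Added example for this page, not code from the original post or from Fortinet.
Interface names other than Int-Wire-104 / ADVPN HUB, policy names, distances and
the 192.168.1.0/24 address on the management port are assumptions.
"""
from ipaddress import ip_address, ip_network

# Routing table entries: (prefix, egress interface, administrative distance).
# Longest prefix wins; among equal-length prefixes the lower distance wins.
# Assumed topology: the spoke learns the hub's subnets over the ADVPN tunnel,
# while the dedicated management port still has 192.168.1.0/24 configured.
ROUTES_WITH_MGMT = [
    ("0.0.0.0/0",      "wan1",      10),  # default route towards the ISP (assumed)
    ("10.5.24.0/24",   "ADVPN HUB", 20),  # hub core switch subnet, learned over ADVPN
    ("192.168.1.0/24", "ADVPN HUB", 20),  # hub subnet that was unreachable
    ("192.168.1.0/24", "mgmt",      0),   # connected route on the mgmt port (assumed)
]

# The same table after the management interface is disabled, as in the reply.
ROUTES_WITHOUT_MGMT = [r for r in ROUTES_WITH_MGMT if r[1] != "mgmt"]

# Zones expand to member interfaces; Int-Wire-105 is an assumed second member.
ZONES = {"Internal": ["Int-Wire-104", "Int-Wire-105"]}

# Firewall policies: (source zone/interface, destination zone/interface, name).
POLICIES = [
    ("Internal", "ADVPN HUB", "Spoke-to-Hub"),   # the spoke rule from the post
    ("ADVPN HUB", "Internal", "Hub-to-Spoke"),   # the reverse rule
]


def route_lookup(routes, dst):
    """Longest-prefix match, administrative distance as tie-breaker.
    Returns the egress interface name, or None if nothing matches."""
    dst = ip_address(dst)
    best = None
    for prefix, intf, distance in routes:
        net = ip_network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, -distance)   # longer prefix, then lower distance
        if best is None or key > best[0]:
            best = (key, intf)
    return best[1] if best else None


def _members(zone_or_intf):
    """Expand a zone to its interfaces; a bare interface is its own member."""
    return ZONES.get(zone_or_intf, [zone_or_intf])


def policy_lookup(routes, src_intf, dst):
    """Mirror the GUI policy lookup: route first, then match on the
    (ingress, egress) interface pair. Returns a human-readable verdict."""
    egress = route_lookup(routes, dst)
    for src, dst_zone, name in POLICIES:
        if src_intf in _members(src) and egress in _members(dst_zone):
            return f"matches policy '{name}' via {egress}"
    return (f"implicit deny: no policy from {src_intf} to {egress} "
            f"as determined by a route lookup to {dst}")


if __name__ == "__main__":
    for dst in ("192.168.1.4", "10.5.24.1"):
        print("with mgmt    :", policy_lookup(ROUTES_WITH_MGMT, "Int-Wire-104", dst))
        print("mgmt disabled:", policy_lookup(ROUTES_WITHOUT_MGMT, "Int-Wire-104", dst))
```

Run as-is, the model reproduces the thread: with the management route present, 192.168.1.4 resolves to mgmt and the lookup returns an implicit deny, while 10.5.24.1 resolves to ADVPN HUB and matches the spoke rule; with the management interface removed, both destinations match Spoke-to-Hub. On a real FortiGate the equivalent check is to confirm which interface the route actually resolves to before touching policies, for example with `get router info routing-table details 192.168.1.4` from the CLI; if the interface shown is not the tunnel, no amount of rebuilding the policy will help.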