Skip to main content
kliminon
kliminon
New Member
April 13, 2021
Question

Remote Site --> HQ --> VPN/Azure

  • April 13, 2021
  • 2 replies
  • 1835 views

I have an IPSEC VPN built on a Fortinet 200E and working between our HQ and Azure. I have several VM's in Azure and traffic flows successfully. I now want to route traffic from some remote locations to Azure via the VPN. These locations are currently connected to HQ.

Basic topology: 

HQ - Lan1

Remote Locations - Wan1

Internet - Wan2

I have policies for HQ to Azure (Lan1 --> Azure VPN interface) and the remote locations (Wan1 --> Azure VPN interface). When pinging from a remote location I see the traffic handed off to the Azure VPN but nothing comes back. I see no traffic when pinging from Azure to the remote location. 

I believe that this indicates a problem on the Azure side but I have been unsuccessful in capturing packets to verify this. 

Dows anyone have any experience in this scenario?

Thanks

 

    2 replies

    abarushka
    Staff
    abarushka
    Staff
    June 8, 2022

    Hello,

     

    In case traffic is lost between FortiGate and Azure side you may consider to decrypt ESP packets. Please find the details by following the link below:

     

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Decrypt-ESP-packets/ta-p/198431?externalID=FD48280

    A
    Anonymous_User
    Contributor
    June 8, 2022

    Hi Team,

     kindly execute the below commands on  the fortigate firewall and share us the output.


    Open cli of the firewall at HQ

    #diag sniffer packet any 'host a.b.c.d and icmp' 4 0 a where a.b.c.d is the remote destination ip which is the private ip.

    please do the continous ping to the destination ip and once the logs are generated ,please download and attach it to the case.

     

    open another console @HQ

    #diag sniffer packet any 'host a.s.d.f and icmp' 6 0 a where a.s.d.f is the remote gateway ip which is the public ip.

    please do the continous ping to the gateway ip  and once the logs are generated you can download and share it here.

     

     

     

    2)Kindly share us the logs for the below commands by executing on fortigate firewall.

     

    #diagnose vpn tunnel list .

     

    3)In another console 

    #diag debug reset

    #diag debug flow filter addr m.n.o.p   ===>where m.n.o.p is the  destination  ip which is the private  ip.

    #diag debug flow filter proto 1

    #diag debug flow show function-name enable

    #diag debug flow trace start 1000

    #diag debug enable

    Please do the continous ping to the destination ip and share us the logs.

     

    Once the logs are generated please execute below command to disable the debug logs.

    #diag debug disable

     

     

      Terms & ConditionsAccessibility statement