ddemland
New Member
December 6, 2018
Question

Remote VPN user cannot access Router to Router VPN Servers

I am running 5.6.6 on a Fortigate 60D. I have a remote VPN client that connects to the local Fortigate, and the local Fortigate already has a router-to-router connection with our hosted network. When the VPN client tries to reach a host on the router-to-router connection, it gets the following trace:

id=20085 trace_id=931 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=356."
id=20085 trace_id=931 func=init_ip_session_common line=5454 msg="allocate a new session-0028d989"
id=20085 trace_id=931 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.40.108.12 via SherWeb"
id=20085 trace_id=931 func=fw_forward_handler line=737 msg="Allowed by Policy-8:"
id=20085 trace_id=931 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=931 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=932 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=357."
id=20085 trace_id=932 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=932 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=932 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=932 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=933 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=358."
id=20085 trace_id=933 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=933 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=933 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=933 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=934 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=359."
id=20085 trace_id=934 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=934 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=934 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=934 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"

I have no idea how to handle this. The "SA not ready" message does not make sense to me, since this tunnel is up all the time. What am I missing to allow the remote VPN user to access the remote systems?

Thank You,

David Demland

    2 replies

    Toshi_Esumi
    SuperUser
    December 6, 2018

    Do your phase2 network selectors include this source IP 10.77.250.102?

    ddemland (Author)
    New Member
    December 7, 2018

    Yes I have the following:


    10.77.250.0/255.255.255.0      10.40.108.0/255.255.255.0

    I also have a couple of other networks in the selectors, but they are for internal users, not remote VPN users.

    David

    Toshi_Esumi
    SuperUser
    December 7, 2018

    Then you have to start debugging with 1) sniffer to see how far it can get to, then 2) flow debugging to see why it's dropped. Make sure you disable asic offloading on the policies for debugging.

    Toshi_Esumi
    SuperUser
    December 7, 2018

    The ping requests are not going into the tunnel yet. The "not ready yet" message regularly shows up when the first packet tries to reach the other end. It might fail, but it would trigger bringing the SA up, and then subsequent packets would be able to use the SA, as in the example below from a KB article on a different topic.

      https://kb.fortinet.com/k....do?externalID=FD31403

    I suspect asic offload is somehow failing. If it's successful, the rest of trace shouldn't show up. As I mentioned disable auto-asic-offload on the set of policies as well as the tunnel config for the site-to-site vpn to see if that's the issue.

    In another post someone mentioned an offload problem with 5.6.6 as well. The setup was completely different though, including policy routes.
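The debugging sequence described in the replies above, written out as a FortiOS 5.6 CLI session. This is an added example, not commands from the original thread or from Fortinet's KB. The tunnel name SherWeb, policy ID 8, the dial-up interface SparkVPN_2 and the two addresses are taken from the posted trace; the sniffer filter, packet counts and the order of steps are the editor's choices.

```fortios
# 1) Sniffer: does the echo request ever leave on the SherWeb IPsec interface?
#    'any' captures on every interface, verbose level 4 prints the interface
#    name per packet, 10 packets, 'l' adds local timestamps.
diagnose sniffer packet any 'host 10.77.250.102 and icmp' 4 10 l

# 2) Is a phase2 SA actually installed for the
#    10.77.250.0/24 <-> 10.40.108.0/24 selector under SherWeb?
#    Find that proxyid in the output and check it shows an installed SA;
#    a selector that only exists in config, with no SA, is exactly what
#    produces "SA is not ready yet, drop" on every packet.
diagnose vpn tunnel list name SherWeb
diagnose vpn ike gateway list name SherWeb

# 3) Flow debug, filtered to the client address and ICMP so the output
#    stays readable. 'show function-name enable' is the 5.6 syntax that
#    prints the func= fields seen in the trace above.
diagnose debug flow filter clear
diagnose debug flow filter addr 10.77.250.102
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
#    ... send the ping from the VPN client now, then stop and clean up:
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# 4) Take NP offload out of the picture while testing. The trace shows
#    policy 8 handing the session to the NPU (npu_handle_session44), so
#    disable offload on that policy and on the site-to-site phase1.
config firewall policy
    edit 8
        set auto-asic-offload disable
    next
end
config vpn ipsec phase1-interface
    edit "SherWeb"
        set npu-offload disable
    next
end
```

Run step 1 and step 3 at the same time from two sessions: the sniffer tells you whether the packet ever appears on the SherWeb interface, and the flow trace tells you which function dropped it if it does not. If the flow trace stops showing the drop once offload is disabled, re-enable it only after confirming which setting fixed it. One check not in the thread but worth doing: the hosted side of the SherWeb tunnel must also carry a phase2 selector covering 10.77.250.0/24, otherwise the phase2 for that proxy-ID never negotiates and the SA for the VPN clients stays "not ready" no matter what the local selectors say.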