fatherfinch
New Member
September 16, 2015
Solved

sFlow across an IPSec Tunnel

  • September 16, 2015
  • 2 replies
  • 4521 views

I have an IPSec site-to-site tunnel between a FortiGate 110C and a Cisco ASA5510. There is a single NAT happening on the FortiGate side that translates the LAN addresses to a block of addresses. All traffic between the hosts on the ASA side and hosts on the FortiGate LAN is working correctly. The issue comes into play when self-originated traffic from the 110C is pushed across the tunnel, in particular sFlow data. When the source IP is set to default, the traffic is pushed from the WAN IP to the tunnel interface. When the source IP is set as the LAN interface, the traffic is being directed to the tunnel; however, it is not using the NAT pool of addresses for the tunnel traffic.

 

As a test I used ICMP to flesh this out.

execute ping-options source 0.0.0.0
execute ping ASA HOST
this fails

execute ping-options source LAN IP
execute ping ASA HOST
this fails

execute ping-options source TUNNEL NAT POOL
execute ping ASA HOST
this is successful

 

What am I missing to NAT self generated traffic?

 

Thanks!

 


    2 replies

emnoc (Best answer)
    New Member
    September 16, 2015

diag debug flow is your friend. I would start with that and look at the diag output. I would pre-warn you, though: it's hard to get the "local" traffic SNATed, since the fw-policies that have SNAT are not in play.

     

Alternatively, you could set a filter for the collector dst and run it through the diag sys session list.

     

e.g. assuming my collector was the following:

     

config system sflow
    set collector-ip 9.9.9.1        <------- collector
    set collector-port 65001
    set source-ip 192.0.2.28
end

     

config system interface
    edit "loop0"
        set vdom "root"
        set ip 192.0.2.28 255.255.255.255
        set type loopback
        set snmp-index 891
    next
end

     

So we would use the following filter:

     

diag sys session filter dst 9.9.9.1
diag sys session list

     

You will find you are most likely matching policy-id 0 and not a "regular fwpolicy".

     

YMMV on the diagnostic approach you take, but to xlate a locally sourced packet is very hard to do.
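One way to make the session-list check above repeatable, as an added example that is not from this thread or from Fortinet: a small Python script that parses saved `diag sys session list` output, keeps only sessions whose original destination is the collector (the same effect as `diag sys session filter dst`), and reports whether each one hit policy_id 0 (firewall-originated, so no policy SNAT or IP pool was consulted) or was translated by a regular policy. The output shape the parser expects (a `hook=... dir=org act=... src:port->dst:port(xlated:port)` line plus a `policy_id=` field per session) is assumed from typical FortiOS output, and the sample sessions below are constructed for illustration, with the collector and source addresses taken from emnoc's configuration.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of FortiOS `diag sys session list` output
# (two sessions, unrelated fields trimmed). Addresses and ports are illustrative.
SAMPLE_SESSION_LIST = """\
session info: proto=17 proto_state=00 duration=5 expire=175 timeout=180 flags=00000000
state=local may_dirty
orgin->sink: org pre->post, reply pre->post dev=0->5/5->0 gwy=0.0.0.0/0.0.0.0
hook=out dir=org act=noop 192.0.2.28:6343->9.9.9.1:65001(0.0.0.0:0)
hook=in dir=reply act=noop 9.9.9.1:65001->192.0.2.28:6343(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0001b2c3 tos=ff/ff app_list=0 app=0 url_cat=0

session info: proto=1 proto_state=00 duration=2 expire=58 timeout=60 flags=00000000
state=may_dirty
orgin->sink: org pre->post, reply pre->post dev=3->5/5->3 gwy=0.0.0.0/0.0.0.0
hook=post dir=org act=snat 10.10.10.5:1->198.51.100.20:8(192.0.2.65:60000)
hook=pre dir=reply act=dnat 198.51.100.20:8->192.0.2.65:60000(10.10.10.5:1)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
serial=0001b2c4 tos=ff/ff app_list=0 app=0 url_cat=0
"""

# Originating-direction hook line (assumed shape):
#   hook=<h> dir=org act=<a> <src>:<sport>-><dst>:<dport>(<xsrc>:<xsport>)
HOOK_ORG = re.compile(
    r"hook=(?P<hook>\S+) dir=org act=(?P<act>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<xsrc>[\d.]+):(?P<xsport>\d+)\)"
)
POLICY_ID = re.compile(r"\bpolicy_id=(?P<pid>\d+)")


def parse_sessions(text: str) -> List[Dict]:
    """Split blank-line-separated session blocks into dicts of the fields we need."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        hook = HOOK_ORG.search(block)
        pid = POLICY_ID.search(block)
        if not hook or not pid:
            continue  # block without an originating hook line or policy id: ignore
        s = hook.groupdict()
        for key in ("sport", "dport", "xsport"):
            s[key] = int(s[key])
        s["policy_id"] = int(pid.group("pid"))
        sessions.append(s)
    return sessions


def sessions_to(sessions: List[Dict], collector_ip: str) -> List[Dict]:
    """Sessions whose original destination is the collector (like `session filter dst`)."""
    return [s for s in sessions if s["dst"] == collector_ip]


def classify(s: Dict) -> str:
    """local-out: policy_id 0, firewall-originated, no policy SNAT/IP pool consulted.
    snat: a firewall policy matched and act=snat rewrote the source.
    no-nat: a firewall policy matched but left the source untouched."""
    if s["policy_id"] == 0:
        return "local-out"
    if s["act"] == "snat":
        return "snat"
    return "no-nat"


def report(text: str, collector_ip: str) -> List[str]:
    """One line per session toward the collector, with the source the peer will see."""
    lines = []
    for s in sessions_to(parse_sessions(text), collector_ip):
        kind = classify(s)
        seen_by_peer = s["xsrc"] if kind == "snat" else s["src"]
        lines.append(
            f"{s['src']}->{s['dst']}:{s['dport']} policy_id={s['policy_id']} "
            f"act={s['act']} => {kind}; peer sees source {seen_by_peer}"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SESSION_LIST, "9.9.9.1"):
        print(line)
```

Run it against a capture of the real session list (redirect the CLI output to a file and pass its contents to `report`). A `local-out` result for the collector session is the condition emnoc describes: the sFlow datagrams leave with the untranslated source, so the tunnel's proxy-ID or the ASA's crypto ACL, which only expect the NAT pool addresses, will not match them.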

     

     

     

     

    fatherfinch
    New Member
    September 16, 2015

Thanks emnoc! I will give this a shot later on today when I have access to the system. I just connected to the local system to read through the output of the session list. I will probably find my answer there.