sivakumar28200
New Member
August 2, 2018
Question

Site to Site VPN

  • 3 replies
  • 26248 views

Hi Guys,

Kindly help me on this. I have a Fortinet firewall and I have formed a site-to-site VPN, but I am unable to reach/ping 172.17.10.137:514.

Here is the debug log.

--- 172.17.10.137 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FGT90D3Z13005673 # exe
no object in the end
Command fail. Return code -160
FGT90D3Z13005673 # diag debug enable
id=20085 trace_id=33 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=33 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=33 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=33 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=33 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=34 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=34 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=34 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=34 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=34 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=34 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=35 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=35 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=35 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=35 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=35 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=35 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=36 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=36 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=36 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=36 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=36 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=36 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=37 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=37 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=37 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=37 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=37 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=37 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=38 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=38 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=38 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=38 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=38 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=38 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=39 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=39 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=39 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=39 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=39 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=39 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=40 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=40 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=40 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=40 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=40 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=40 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=41 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=41 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=41 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=41 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=41 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=41 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=42 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=42 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=42 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=42 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=42 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=43 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=43 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=43 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=43 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=43 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=43 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=44 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=44 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=44 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=44 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=44 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=44 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=45 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=45 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=45 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=45 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=45 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=45 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=46 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=46 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=46 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=46 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=46 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=46 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=47 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=47 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=47 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=47 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=47 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=47 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"

    3 replies

    Toshi_Esumi
    SuperUser
    August 2, 2018

    I would recommend removing NAT on the incoming policy for VPN traffic unless you have a reason to hide the subnet on the other end. Instead, you should have proper routes on both ends to route to each other.

    Then, when you started this flow debugging, a session had already been established, so it doesn't show the beginning. Once you have dropped the NAT, start the debugging first, then quickly access the destination from the other end so that you can capture the beginning of the session.
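The two observations in the reply above (NAT being applied to the flow before it enters the tunnel, and the debug having been started after the session already existed) can be pulled out of a `diag debug flow` capture mechanically. The following Python analyser is an added example for this thread; it is not code from the original post, from Fortinet, or from FortiOS. It groups the trace records by `trace_id`, then reports a SNAT step that precedes `enter IPsec tunnel` (the remote peer would see the translated address, not the real source), traces that only ever match an existing session in the original direction with no reply-direction packets, and the ping loss line. The sample trace is a constructed, trimmed copy (two trace_ids) of the records shown in the question; the `allocate a new session` wording used to recognise a session-creation step is an assumption about the firmware's message text.

```python
import re
from collections import OrderedDict

# Constructed sample input: a trimmed copy (two trace_ids) of the kind of
# `diag debug flow` output shown in the question, plus the ping statistics.
SAMPLE_TRACE = """\
--- 172.17.10.137 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
id=20085 trace_id=33 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=33 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=33 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=33 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=33 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=34 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=34 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=34 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=34 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=34 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=34 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
"""

# One flow-trace record: id=... trace_id=N func=... line=... msg="..."
# ([^"]* also spans a line break inside msg, as happens in pasted captures.)
RECORD_RE = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)"')
PKT_RE = re.compile(r'packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)')
SNAT_RE = re.compile(r'SNAT ([\d.]+)->([\d.]+):(\d+)')
TUNNEL_RE = re.compile(r'enter IPsec tunnel-(\S+)')
LOSS_RE = re.compile(r'(\d+) packets transmitted, (\d+) packets received')


def parse_traces(text):
    """Group flow-trace records by trace_id, keeping order of first appearance."""
    traces = OrderedDict()
    for m in RECORD_RE.finditer(text):
        tid, func, msg = m.groups()
        traces.setdefault(tid, []).append((func, msg))
    return traces


def analyse_trace(steps):
    """Summarise one trace: packet tuple, NAT, tunnel, session direction/state."""
    info = {"src": None, "dst": None, "dport": None, "snat_to": None,
            "tunnel": None, "direction": None, "session": None,
            "nat_before_tunnel": False}
    seen_snat = False
    for _func, msg in steps:
        pm = PKT_RE.search(msg)
        if pm:
            info["src"], info["dst"], info["dport"] = pm.group(2), pm.group(4), int(pm.group(5))
        sm = SNAT_RE.search(msg)
        if sm:
            info["snat_to"] = sm.group(2)
            seen_snat = True
        tm = TUNNEL_RE.search(msg)
        if tm:
            info["tunnel"] = tm.group(1)
            # NAT was applied before the packet went into the tunnel.
            info["nat_before_tunnel"] = seen_snat
        if "existing session" in msg:
            info["session"] = "existing"
        elif "allocate a new session" in msg.lower():   # assumed wording
            info["session"] = "new"
        if "original direction" in msg:
            info["direction"] = "original"
        elif "reply direction" in msg:
            info["direction"] = "reply"
    return info


def diagnose(text):
    """Return a list of human-readable findings for a pasted flow trace."""
    summaries = [analyse_trace(s) for s in parse_traces(text).values()]
    findings = []
    natted = [s for s in summaries if s["nat_before_tunnel"]]
    if natted:
        s = natted[0]
        findings.append(
            f"NAT applied before IPsec: {s['src']} -> {s['snat_to']} on tunnel {s['tunnel']} "
            f"({len(natted)} of {len(summaries)} traces); the far end sees {s['snat_to']}, not {s['src']}")
    if summaries and all(s["session"] == "existing" for s in summaries):
        findings.append("every trace matched an already-existing session: start the debug "
                        "before generating traffic to capture session setup")
    if summaries and not any(s["direction"] == "reply" for s in summaries):
        findings.append("no reply-direction packets in trace: nothing came back through the tunnel")
    lm = LOSS_RE.search(text)
    if lm and int(lm.group(2)) == 0:
        findings.append(f"ping: {lm.group(1)} sent, 0 received")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_TRACE):
        print("finding:", finding)
```

Paste a real capture in place of `SAMPLE_TRACE` (or read it from a file) and the same four checks run over it; a healthy tunnel would show no SNAT step before `enter IPsec tunnel`, a session-creation record if the debug was started early enough, and reply-direction packets for the same session id.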

    sivakumar28200
    New Member
    August 2, 2018

    There is no NAT.

    Iescudero
    New Member
    August 2, 2018

    Hi there!

    It seems that the other peer is dropping the packets.

    Can you check the other side of the VPN?

    sivakumar28200
    New Member
    August 2, 2018

    Hi there,

    The other site is connected to a Sophos firewall. How do I check that? Kindly advise. Thanks.

    Regards,

    Siva Kumar

    Toshi_Esumi
    SuperUser
    August 3, 2018

    A VPN connects private-to-private over a tunnel established between public-to-public peers. You should test ping between both ends private-to-private, and you should be able to if it's working properly.