FredMB
New Member
October 6, 2016
Solved

Some traffic goes through VPN, some other don't

  • October 6, 2016
  • 2 replies
  • 12390 views

Hi,

I have a VPN between 2 Fortigates and I notice a strange behaviour:

Some machines on one network can ping machines on the other side of the VPN while others can't.

Checking in Fortiview / sessions, I discovered that some of them correctly execute the ping through the VPN while the others are trying to connect through WAN (and so it doesn't work).

I configured policies for traffic going from and to the other side of the VPN, and a route to the remote network using the corresponding VPN interface.

In the attachment is an example of what happens. My local network is 10.1.0.0/16 and the remote network is 192.168.0.0/16.

Do you have any idea on how to solve this problem?

Thank you very much,

Regards,

Fred

    Best answer by emnoc

    What I would do:

    - run diag debug flow to see what happens
    - inspect the routing table, static and PBR, to ensure the route is correct for the src/dst
    - review policy id 1+5 and possible ordering; look for any nat-enable on the policy that does NOT work.

    ken


    FredMB (Author)
    New Member
    October 6, 2016

    Hi,

    Thank you for your answer.

    The routing table seems to be correct and we don't use PBR.

    Static 0.0.0.0/0 87.198.xxx.yyy wan1 100
    Connected 10.1.0.0/16 0.0.0.0 internal 00
    Connected 10.2.0.0/16 0.0.0.0 vlan_voip 00
    Static 10.7.0.0/16 0.0.0.0 vpn_asp 100
    Connected 87.198.xxx.yyy/29 0.0.0.0 wan1 00
    Static 192.168.0.0/16 0.0.0.0 vpn_evry_1-1 50

    Regarding policies:

    - policy 1 (default lan to wan): nat is enabled
    - policy 5 (lan to vpn): nat is disabled (UTM features are also disabled)

    Here is an export of diag debug flow:

    RT359-201605 #
    2016-10-06 16:21:29 id=20085 trace_id=73 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=1, 10.1.1.51:26853->192.168.200.3:8) from internal. code=8, type=0, id=26853, seq=1."
    2016-10-06 16:21:29 id=20085 trace_id=73 func=init_ip_session_common line=4624 msg="allocate a new session-0008b473"
    2016-10-06 16:21:29 id=20085 trace_id=73 func=vf_ip4_route_input line=1586 msg="Match policy routing: to 87.198.xxx.yyy via ifindex-5"
    2016-10-06 16:21:29 id=20085 trace_id=73 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-87.198.xxx.yyy via wan1"
    2016-10-06 16:21:29 id=20085 trace_id=73 func=fw_forward_handler line=686 msg="Allowed by Policy-1: SNAT"
    2016-10-06 16:21:29 id=20085 trace_id=73 func=ids_receive line=239 msg="send to ips"
    2016-10-06 16:21:29 id=20085 trace_id=73 func=__ip_session_run_tuple line=2593 msg="SNAT 10.1.1.51->87.198.xxx.zzz:62464"

    87.198.xxx.zzz is the public IP of wan1
    87.198.xxx.yyy is the public IP of the gateway of wan1

    By the way, I forgot to provide basic information: Fortigate 60D with FortiOS 5.2.9

    Regarding WAN configuration, we use WAN load balancing and wan2 is actually administratively disabled.

    emnoc
    New Member
    October 6, 2016

    Hmm, see the bold section:

    2016-10-06 16:21:29 id=20085 trace_id=73 func=vf_ip4_route_input line=1586 msg="Match policy routing: to 87.198.xxx.yyy via ifindex-5"
    2016-10-06 16:21:29 id=20085 trace_id=73 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-87.198.xxx.yyy via wan1"
    2016-10-06 16:21:29 id=20085 trace_id=73 func=fw_forward_handler line=686 msg="Allowed by Policy-1: SNAT"
    2016-10-06 16:21:29 id=20085 trace_id=73 func=ids_receive line=239 msg="send to ips"
    2016-10-06 16:21:29 id=20085 trace_id=73 func=__ip_session_run_tuple line=2593 msg="SNAT 10.1.1.51->87.198.xxx.zzz:62464"

    If I had to guess, this is PBR and matching fw policy id 1.

    Can you do a show router policy from the CLI?

    ken
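
As an added example (not code from the thread, from Fortinet, or from either poster), a small Python parser for the diag debug flow trace format quoted above: it groups events by trace_id and flags sessions whose destination is in the remote VPN subnet but whose route lookup picked an interface other than the VPN interface, which is exactly the symptom traced here. The sample trace is constructed from the thread's lines (timestamps dropped, gateway masked as in the thread); trace 74 and the shape of its VPN route message are assumed.

```python
import ipaddress
import re

# Values from the thread: the remote network must leave through the VPN interface.
REMOTE_NET = ipaddress.ip_network("192.168.0.0/16")
VPN_IFACE = "vpn_evry_1-1"

# One event: trace_id=<n> func=<name> line=<n> msg="<text>"; several may share one line.
EVENT_RE = re.compile(r'trace_id=(?P<tid>\d+) func=\w+ line=\d+ msg="(?P<msg>[^"]*)"')
PKT_RE = re.compile(r"\((?:proto=\d+, )?[\d.]+:\d+->(?P<dst>[\d.]+):\d+\)")
ROUTE_RE = re.compile(r"find a route: .* via (?P<iface>\S+)")
POLICY_RE = re.compile(r"Allowed by Policy-(?P<pid>\d+)")

# Constructed sample: trace 73 is the thread's own trace (timestamps dropped, gateway masked
# as in the thread); trace 74 is a hypothetical host whose ping takes the tunnel (assumed shape).
SAMPLE = (
    'trace_id=73 func=print_pkt_detail line=4471 msg="vd-root received a packet'
    '(proto=1, 10.1.1.51:26853->192.168.200.3:8) from internal. code=8, type=0, id=26853, seq=1." '
    'trace_id=73 func=vf_ip4_route_input line=1586 msg="Match policy routing: to 87.198.xxx.yyy via ifindex-5" '
    'trace_id=73 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-87.198.xxx.yyy via wan1" '
    'trace_id=73 func=fw_forward_handler line=686 msg="Allowed by Policy-1: SNAT" '
    'trace_id=74 func=print_pkt_detail line=4471 msg="vd-root received a packet'
    '(proto=1, 10.1.1.52:26854->192.168.200.3:8) from internal." '
    'trace_id=74 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-0.0.0.0 via vpn_evry_1-1" '
    'trace_id=74 func=fw_forward_handler line=686 msg="Allowed by Policy-5: " '
)


def parse_flows(text):
    """Group trace events by trace_id into {tid: {dst, iface, policy, pbr}}."""
    flows = {}
    for ev in EVENT_RE.finditer(text):
        f = flows.setdefault(ev["tid"], {"dst": None, "iface": None, "policy": None, "pbr": False})
        msg = ev["msg"]
        if m := PKT_RE.search(msg):
            f["dst"] = m["dst"]
        elif m := ROUTE_RE.search(msg):
            f["iface"] = m["iface"]          # interface chosen by the route lookup
        elif m := POLICY_RE.search(msg):
            f["policy"] = int(m["pid"])      # firewall policy that allowed the session
        elif "Match policy routing" in msg:
            f["pbr"] = True                  # a policy route overrode the static route lookup
    return flows


def leaked_flows(text):
    """trace_ids bound for REMOTE_NET that did not egress via VPN_IFACE (the thread's symptom)."""
    return [(tid, f["iface"], f["policy"], f["pbr"])
            for tid, f in parse_flows(text).items()
            if f["dst"] and ipaddress.ip_address(f["dst"]) in REMOTE_NET and f["iface"] != VPN_IFACE]
```

Running leaked_flows(SAMPLE) returns trace 73 with wan1, policy 1 and the PBR flag set, which is the same conclusion drawn in the reply above; a pbr value of True on a leaked flow is the cue to run show router policy.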

    dropgear
    New Member
    October 9, 2016

    Did you create a static route for it? This VPN is under the interface VPN option, right?