vstrabello
Explorer
November 15, 2014
Question

TCP syn-only on VPN


Hello, we have a customer where we set up a VPN to one of its partners, and when someone tries to access the server, it does not respond. Looking at the sniffer diagnose tool, I can see only the SYN flag on TCP and there's no ACK from the servers. We have also checked both the service (the other partner accessing via VPN) and the user at this impacted VPN can just do pings. How to proceed? The VPN is UP and running.

Thanks!

Vitor


    emnoc
    New Member
    November 15, 2014

    Qs & checks

    Diag debug flow is your friend. I'm assuming this is a site2site VPN between 2 FGTs?

    Did you run a diag sniffer packet on both units at the same time?

    Did you triple-check the policies for both sides?

    If it's a route-based VPN (please say yes), did you check for a route on the server side pointing back to the client? (This may explain the missing SYN-ACK.)
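    An added example (not from this thread or from Fortinet) that turns the "sniff on both units" check above into a script: it reads FortiGate `diagnose sniffer packet` verbosity-4 lines and classifies each SYN as answered, forwarded but unanswered, or never forwarded, which tells you which unit to look at. The sample capture is constructed and the line format is an approximation of the real sniffer output.

```python
"""Classify TCP handshakes seen in FortiGate 'diagnose sniffer packet' (verbosity 4)
output. Constructed sample; the line format approximates the real output."""
import re

# "0.100000 port1 in 10.1.1.5.51234 -> 192.168.50.10.443: syn 1000"
LINE = re.compile(
    r"^\s*[\d.]+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.*)$")

def classify_handshakes(lines):
    """Map (client, cport, server, sport) to 'ok', 'no-syn-ack' (SYN left the
    unit, nothing returned: check the far side's policy and return route) or
    'not-forwarded' (SYN arrived but never left: check this unit's policy/route)."""
    seen_in, seen_out, synack = set(), set(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # hex dump or other noise
        p = m.groupdict()
        flags = p["flags"].split()
        if not flags or flags[0] != "syn":
            continue  # only the handshake matters here
        if "ack" in flags:
            # SYN-ACK travels server -> client; flip it to the client's key
            synack.add((p["dst"], p["dport"], p["src"], p["sport"]))
        else:
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            (seen_in if p["dir"] == "in" else seen_out).add(key)
    result = {}
    for key in seen_in | seen_out:
        if key in synack:
            result[key] = "ok"
        elif key in seen_out:
            result[key] = "no-syn-ack"
        else:
            result[key] = "not-forwarded"
    return result

# Constructed capture: "ToPartner" stands for the IPsec tunnel interface.
SAMPLE = """\
0.100000 port1 in 10.1.1.5.51234 -> 192.168.50.10.443: syn 1000
0.100200 ToPartner out 10.1.1.5.51234 -> 192.168.50.10.443: syn 1000
0.101000 port1 in 10.1.1.5.51235 -> 192.168.50.10.22: syn 2000
0.200000 port1 in 10.1.1.6.40000 -> 192.168.50.10.80: syn 3000
0.200100 ToPartner out 10.1.1.6.40000 -> 192.168.50.10.80: syn 3000
0.250000 ToPartner in 192.168.50.10.80 -> 10.1.1.6.40000: syn 9000 ack 3001
3.100000 port1 in 10.1.1.5.51234 -> 192.168.50.10.443: syn 1000
"""
```

    Run it over a capture taken on each FortiGate at the same time: a flow that is "no-syn-ack" on the client-side unit but "not-forwarded" (or absent) on the server-side unit has been lost in the tunnel or on the far unit's policy or route.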


    mjcrevier
    New Member
    November 16, 2014

    SSH to the firewall, then edit the firewall policy for "inside" --> "IPSec Tunnel" and disable auto-asic-offload.

    example:

        config firewall policy
            edit <Policy ID>
                set auto-asic-offload disable
            next
        end

    Rewanta_FTNT
    Staff
    November 20, 2014

    Hi,

    If you are running FGT devices equipped with NP2/NP4/NP6 processors for the VPN tunnel, please open a support ticket for investigation.

    Rewanta