Skip to main content
SkaBla
SkaBla
New Member
May 12, 2015
Question

VPN tunnel UP but only one way initiation of traffic

  • May 12, 2015
  • 3 replies
  • 17721 views

We try to setup a IPsec tunnel between a Fortigate 100D and a Fortigate 3016B. Software version for the 100D is FortiOS5.0 Patch 4, the 3016B is using FortiOS4.0 Patch 15. Everything looks fine, tunnel is coming up (In Webgui, IPsec-Monitor) But traffic is only passing if initiated from one site (the 100D side)

So, if we ping from a server behind the 100D we are getting a response from the server on the other site. If We try this within approx. 10 min. ping from behind the 3016 is also successfull.

 

If try to ping from behind the 3016B after an amount of time (more then 10 a 15 minutes) we couldn't ping succesfull from a server behind the 3016B to a server behind the 100D.

(So If we initiate form behind the 100D also traffic initiated from behind the 3016B will allowed.

We have checked the configs multiple times and they are the same. Also on both Fortigates we have two policies, one from the tunnel-interface to LAN and vice-versa.

(We are using Interface mode IPsec)

 

Is this a known issue or compatibility problem between the fortigates/software versions? (For both units others tunnels are working fine.

 

We are using AES128/SHA1 for auhtentication and encryption.

 

I hope you can help and we can solve this problem.

    3 replies

    patrick_z
    patrick_z
    New Member
    May 22, 2015

    Hi,

    looks to me like you are doing somewhere unwanted NAT.

    login to cli and have a look on both ends what IP you will see on the interfaces.

    Make sure that you tick "allow traffic to be initiated from the remote site" at the policy on V5.X firewall.

    Otherwise you need to do some debug and look into the tunnel to see the IPs which are

    transported. Make sure that the routing is like it should be. That can cause something like that

    as well.

    Patrick

    SkaBla
    SkaBlaAuthor
    New Member
    May 22, 2015

    Hi Patrick,

     

    thanks for your advice. Since i am a compleet noob, i like to know what i should see at the interfaces. "allow traffic to be initiated from the remote site" is ticked. 

     

    What do you mean by: make sure the routing is like it should be? 

     

    If it works, it works, once there is traffic it stays working, until there is no traffic from the other side/site for more than 10 minutes. The VPN stays up, but no traffic can pass from me side to the other side.

    emnoc
    emnoc
    New Member
    May 22, 2015

    I would start with a diag debug flow on both firewalls with a filter that matches the traffic from your host(s) that your testing. if your not being encrypted than you have a host of issues to look at.

     

    Also keep in mind if your using interface mode  =( which  I guess your are ) you can run the diag sniffer directly aganist the tunnel named interface

     

    e.g

     

     

          diag  sniffer packet <tunnelnameinterface> "host 1.1.1.1"

     

    For now run a diag debug flow on each firewall near and far;

     

     

       diag debug dis

       diag debug reset

       diag debug flow filter addr x.x.x.x

       diag debug flow show console enable

       diag debug en

     

      diag debug flow trace start 100

     

    and then execute a ping from the host  (x.x.x.x )

     

    After completion disable the debug process

     

     

     diag debug disable

     

    The diag debug flow is your 1st step always for t-shooting for flow issues.

     

    Ken

     

    ralphian08
    ralphian08
    New Member
    May 25, 2015

    Hi There

     

    I think this was happen to me before. It showing your VPN status is UP but there is no traffic.

    Try to set up a static routing to your destination.

    From your Fortigate GUI Router->Static Routes and set the static routing

    That should work...

    Terms & ConditionsAccessibility statement