This article describes how to troubleshoot an IPsec site-to-site or dial-up VPN where traffic flows in only one direction: packets from the local server reach FortiGate-1 but are not sent through the tunnel to FortiGate-2, so no return traffic is ever seen.
Scope: FortiGate.
Topology:
Local Server --------FortiGate-1-------IPSEC Tunnel-----FortiGate-2----Remote Server.
The configuration follows this article: Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)
After the configuration is done, the tunnel is up, but traffic is not sent out from FortiGate-1 to FortiGate-2.
Take a sniffer trace and a debug flow:
diagnose sniffer packet any "host x.x.x.x and host y.y.y.y" 6 0 l
x.x.x.x ---> Source IP address.
y.y.y.y ---> Destination IP address.
(Verbosity 6 prints the headers, payload and interface name of each packet, a count of 0 captures until Ctrl-C is pressed, and 'l' adds local timestamps.)
If the sniffer shows the traffic arriving from the server side but it is not sent out via the tunnel interface, collect the debug flow with the following commands:
diagnose debug reset
diagnose debug flow filter saddr x.x.x.x ------> Source IP address.
diagnose debug flow filter daddr y.y.y.y -------> Destination IP address.
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999 ------> Number of captured packets.
diagnose debug enable
After 5 or 6 seconds, or once the test traffic has been sent, disable the debug:
diagnose debug disable
The debug flow output usually ends with a message such as 'Denied by forward policy check (policy 0)'. Policy 0 is the implicit deny, so no configured firewall policy matched the packet between the incoming interface and the tunnel interface.
Check the firewall policies and make sure both directions exist between the LAN interface and the IPsec tunnel interface:
IPsec tunnel to LAN policy -> Source and Destination set to 'all'.
LAN to IPsec tunnel policy -> Source and Destination set to 'all'.
Using 'all' is only meant to confirm that the policy is the cause. Once traffic passes, narrow Source and Destination to the local and remote subnets so the policy does not allow more than the tunnel needs.
Test again: traffic now flows in both directions between FortiGate-1 and FortiGate-2.
Next Steps:
Make sure no ACL on the switch blocks traffic from a particular source or service.
If the debug flow shows the packet accepted and forwarded (out of the tunnel, or from the tunnel to the LAN) but no reply ever comes back, the issue is not on the FortiGate. Ask the user to check whether the local subnet (host firewall, server routing) allows traffic from the remote subnet.
If the source IP addresses of the packets coming from the IPsec tunnel belong to a network the LAN devices have no route back to, they will not respond correctly: the reply follows the host's default gateway instead of returning to FortiGate-1. Enabling NAT on the tunnel-to-LAN policy translates the source address to the address of the FortiGate LAN interface, so the LAN devices see the traffic as originating from within their own subnet and reply to the FortiGate directly.
Once the user allows the traffic on the local subnet, it will work.
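The policy fix from the Solution section and the SNAT option from the paragraph above, written out as FortiOS CLI. This is an added example, not configuration from the original article or from the VPN Setup Wizard. The LAN interface name port2, the tunnel interface name to_FGT2, the address object names and the 10.1.1.0/24 and 10.2.2.0/24 subnets are assumptions chosen for the illustration; it goes one step beyond the text by using the narrowed address objects that should replace 'all' once the tunnel is confirmed working.

```fortios
# Added example, not part of the original article. Assumed names:
#   port2      = LAN interface of FortiGate-1
#   to_FGT2    = phase1 / tunnel interface created for the tunnel to FortiGate-2
#   10.1.1.0/24 = local LAN, 10.2.2.0/24 = remote LAN (constructed values)

config firewall address
    edit "LAN_local"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "LAN_remote"
        set subnet 10.2.2.0 255.255.255.0
    next
end

# Both directions are needed. A missing policy in either direction is what the
# debug flow reports as "Denied by forward policy check (policy 0)".
# While troubleshooting, srcaddr/dstaddr may be set to "all"; narrow them to the
# address objects above once traffic passes.
config firewall policy
    # "edit 0" creates the policy with the next free ID.
    edit 0
        set name "LAN-to-VPN"
        set srcintf "port2"
        set dstintf "to_FGT2"
        set srcaddr "LAN_local"
        set dstaddr "LAN_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "VPN-to-LAN"
        set srcintf "to_FGT2"
        set dstintf "port2"
        set srcaddr "LAN_remote"
        set dstaddr "LAN_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        # Only when the LAN hosts have no route back to 10.2.2.0/24:
        # SNAT to the port2 address so replies return to FortiGate-1.
        # Leave NAT disabled if the hosts already route the remote subnet
        # via FortiGate-1, so logs keep the real remote source address.
        set nat enable
    next
end
```

Keep NAT disabled on the tunnel policy whenever the LAN already routes the remote subnet through FortiGate-1; SNAT hides the real source from the servers' logs and any host-based access control on the LAN. The phase 2 selectors must also cover both subnets, otherwise the policy is matched but the packet still does not enter the tunnel.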
Copyright 2025 Fortinet, Inc. All Rights Reserved.