Article Id 190533


This article explains an issue where traffic originating from a VPN tunnel, and the reply traffic that should leave through the same VPN interface on the FortiGate, does not work.
The reply traffic ends up on the root interface instead.

When trying to ping the remote address through the VPN tunnel, the ping fails.

In the sniffer, the return traffic exits on the root interface instead of VPN_Tunnel, even though the route to the remote address points via the VPN_Tunnel interface.


diagnose sniffer packet any 'host and icmp' 4 0 a

2020-12-10 14:34:12.189914 VPN_Tunnel in -> icmp: echo request
2020-12-10 14:34:12.195421 root out -> icmp: echo reply
2020-12-10 14:34:12.195590 root in -> icmp: echo reply


Collect the debug flow:


diagnose debug flow filter addr
diagnose debug flow filter proto 1
diagnose debug flow trace start 10
diagnose debug enable


In the debug flow, filtered for ICMP to and from the address and limited to 10 packets, the traffic in the reply direction can be seen going via root:


id=20085 trace_id=38 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=1,> from Port2. type=0, code=0, id=1, seq=9."
id=20085 trace_id=38 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0004a1f5, reply direction"
id=20085 trace_id=38 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw- via root"

If this issue is encountered, search for anything configured on the FortiGate that overlaps the VPN IP range: a network interface subnet, a VIP, or an IP pool.

In the scenario above, the cause was a VIP whose address overlapped the remote range, so the static route was not taken into account.
The FortiGate treated the destination IP of the return traffic as one of its own addresses and therefore did not forward the traffic via the correct interface.

For example:


config firewall vip
    edit "vip"
        set extip
        set extintf "port2"
        set mappedip ""
    next
end


Adapt the VIP if needed.
Once the overlapping VIP or IP pool is removed from the FortiGate, run the sniffer and debug flow again; the traffic will then follow the correct path.
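The overlap search described above, as an added example that is not part of the Fortinet article: a small Python script that parses VIP extip, IP pool and interface subnet lines from a FortiOS configuration dump and reports which of them overlap the VPN remote ranges. The configuration fragment and all addresses in it are constructed placeholders.

```python
# Added example (not from the article): find FortiGate VIP / IP pool / interface
# addresses that overlap a VPN remote range, the root cause the article describes.
import ipaddress

# Constructed sample FortiOS config; addresses are placeholders, not from the article.
SAMPLE_CONFIG = """
config firewall vip
    edit "vip"
        set extip 10.20.30.0-10.20.30.255
        set extintf "port2"
        set mappedip "192.168.1.10"
    next
end
config firewall ippool
    edit "pool1"
        set startip 203.0.113.10
        set endip 203.0.113.20
    next
end
config system interface
    edit "port1"
        set ip 192.168.1.1 255.255.255.0
    next
end
"""

def _span(text):
    """'A-B' or 'A' -> (int(A), int(B)) so ranges compare as plain integers."""
    lo, _, hi = text.partition("-")
    return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))

def parse_local_ranges(config):
    """Return [(label, first, last)] for VIP extip, IP pool and interface subnets."""
    ranges, block, name, start = [], None, None, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("config "):
            block = line[7:]
        elif line.startswith("edit "):
            name = line[5:].strip('"')
        elif line.startswith("set extip "):
            ranges.append(("vip " + name,) + _span(line.split()[2]))
        elif line.startswith("set startip "):
            start = line.split()[2]
        elif line.startswith("set endip "):
            ranges.append(("ippool " + name,) + _span(start + "-" + line.split()[2]))
        elif line.startswith("set ip ") and block == "system interface":
            _, _, addr, mask = line.split()
            net = ipaddress.ip_network(addr + "/" + mask, strict=False)
            ranges.append(("interface " + name, int(net[0]), int(net[-1])))
    return ranges

def find_overlaps(config, vpn_remote_nets):
    """Pair each VPN remote CIDR with every local range that overlaps it."""
    hits = []
    for cidr in vpn_remote_nets:
        net = ipaddress.ip_network(cidr)
        lo, hi = int(net[0]), int(net[-1])
        hits += [(cidr, label) for label, a, b in parse_local_ranges(config)
                 if a <= hi and lo <= b]
    return hits

if __name__ == "__main__":
    print(find_overlaps(SAMPLE_CONFIG, ["10.20.30.0/24", "172.16.0.0/24"]))
```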

Related document:
IP pools and VIPs are not considered local addresses for certain FortiOS versions