Description
This article explains the issue where traffic originating from a VPN tunnel, and the reply traffic that should return via the same VPN interface on the FortiGate, does not work: the reply traffic ends up on the root interface instead.
Scope
FortiGate.
Solution
When pinging a remote address through the VPN tunnel, the ping fails.
In the sniffer output, the return traffic exits on the root interface and not via VPN_Tunnel, even though the FortiGate has a route for 10.12.10.0/24 via the VPN_Tunnel interface.
diagnose sniffer packet any 'host 10.1.6.2 and icmp' 4 0 a
2020-12-10 14:34:12.189914 VPN_Tunnel in 10.12.10.10 -> 10.1.6.2: icmp: echo request
2020-12-10 14:34:12.195421 root out 10.1.6.2 -> 10.12.10.10: icmp: echo reply
2020-12-10 14:34:12.195590 root in 10.1.6.2 -> 10.12.10.10: icmp: echo reply
Collect the debug flow:
diagnose debug flow filter addr 10.1.6.2
diagnose debug flow filter proto 1
diagnose debug flow trace start 10
diagnose debug enable
In the debug flow output, filtered on ICMP to/from 10.1.6.2 and limited to 10 packets, the reply-direction traffic can be seen being routed via root:
id=20085 trace_id=38 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=1, 10.12.10.10:1->10.1.6.2:0) from Port2. type=0, code=0, id=1, seq=9."
id=20085 trace_id=38 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0004a1f5, reply direction"
id=20085 trace_id=38 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-10.12.10.10 via root"
If this issue is encountered, look for a network interface, VIP, or IP pool configured on the FortiGate whose address range overlaps the VPN IP range.
In the scenario above, a VIP was configured covering that range, so the static route was not taken into account: the FortiGate treated the destination IP of the return traffic as one of its own addresses instead of forwarding the traffic out of the correct interface.
For example:
config firewall vip
    edit "vip"
        set extip 10.12.10.1-10.12.10.254
        set extintf "port2"
        set mappedip "10.2.0.1-10.2.0.254"
    next
end
Adapt the VIP as needed.
If the issue is caused by an IP pool, it is not necessary to remove the IP pool: disabling ARP reply on the IP pool resolves the issue.
config firewall ippool
    edit "ip-pool"
        set startip 10.12.0.1
        set endip 10.12.10.254
        set arp-reply disable
    next
end
Once the VIP or IP pool configured on the FortiGate has been edited, run the sniffer and debug flow again; the traffic will now follow the correct path.
Refer to the Technical Tip 'IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4' for details of how IP pool and VIP behavior differs between those FortiOS versions.
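As an added example (not Fortinet's code and not part of this tip), the following Python script performs the overlap search described above on FortiOS CLI configuration text: it extracts each VIP extip range and each IP pool and reports those that intersect the tunnel subnet, together with the arp-reply setting so that pools already set to disable can be recognised. The configuration text is a constructed sample modelled on the VIP and IP pool shown in this article, and the subnet 10.12.10.0/24 is the one from the sniffer example.

```python
# Added example (not Fortinet's code): scan FortiOS CLI config text for VIP
# extip ranges and IP pools overlapping a tunnel subnet, the check the tip asks for.
import ipaddress

SAMPLE_CONFIG = """  # constructed sample, modelled on the article's VIP and IP pool
config firewall vip
    edit "vip"
        set extip 10.12.10.1-10.12.10.254
    next
end
config firewall ippool
    edit "ip-pool"
        set startip 10.12.0.1
        set endip 10.12.10.254
        set arp-reply disable
    next
end
"""

def parse_ranges(config_text):
    """Return (kind, name, first_ip, last_ip, arp_reply) for each VIP extip and IP pool."""
    results, section, name, fields = [], None, None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
        elif line.startswith("edit "):
            name, fields = line[5:].strip('"'), {}
        elif line.startswith("set "):
            key, value = line[4:].split(None, 1)
            fields[key] = value.strip('"')
        elif line == "next":
            arp = fields.get("arp-reply", "enable")  # FortiOS default is enable
            if section == "firewall vip" and "extip" in fields:
                first, _, last = fields["extip"].partition("-")  # single IP or range
                results.append(("vip", name, first, last or first, arp))
            elif section == "firewall ippool" and "startip" in fields:
                results.append(("ippool", name, fields["startip"], fields["endip"], arp))
    return results

def overlapping(config_text, tunnel_subnet):
    """Names of VIPs / IP pools whose address range intersects tunnel_subnet."""
    net = ipaddress.ip_network(tunnel_subnet)
    lo_net, hi_net = int(net.network_address), int(net.broadcast_address)
    hits = []
    for kind, name, first, last, arp in parse_ranges(config_text):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        if lo <= hi_net and hi >= lo_net:  # closed intervals intersect
            hits.append((kind, name, arp))
    return hits
```

Running overlapping(SAMPLE_CONFIG, "10.12.10.0/24") flags both the VIP and the IP pool; an IP pool reported with arp-reply "disable" has already had the fix from this tip applied.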
Related document:
IP pools and VIPs are not considered local addresses for certain FortiOS versions - FortiGate Docume...
Copyright 2024 Fortinet, Inc. All Rights Reserved.