FortiGate
sagha
Staff
Article Id 190533

Description


This article describes a scenario in which traffic arriving over a VPN tunnel gets no reply: the reply traffic, which should leave through the same VPN interface, is instead routed to the root interface (delivered locally) on the FortiGate.

 

Scope

 

FortiGate.

Solution


Pinging the remote address through the VPN tunnel fails.

In the sniffer the return traffic exits on the root interface instead of VPN_Tunnel, even though the FortiGate has a static route for 10.12.10.0/24 via the VPN_Tunnel interface.

 

diagnose sniffer packet any 'host 10.1.6.2 and icmp' 4 0 a

2020-12-10 14:34:12.189914 VPN_Tunnel in 10.12.10.10 -> 10.1.6.2: icmp: echo request
2020-12-10 14:34:12.195421 root out 10.1.6.2 -> 10.12.10.10: icmp: echo reply
2020-12-10 14:34:12.195590 root in 10.1.6.2 -> 10.12.10.10: icmp: echo reply

 

Collect the debug flow:

 

diagnose debug flow filter addr 10.1.6.2
diagnose debug flow filter proto 1
diagnose debug flow trace start 10
diagnose debug enable

 

In the debug flow output, filtered for ICMP to or from 10.1.6.2 and limited to 10 packets, the route lookup for the reply direction resolves to a local route via root instead of the static route via VPN_Tunnel:

 

id=20085 trace_id=38 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=1, 10.12.10.10:1->10.1.6.2:0) from Port2. type=0, code=0, id=1, seq=9."
id=20085 trace_id=38 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0004a1f5, reply direction"
id=20085 trace_id=38 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-10.12.10.10 via root"
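The script below is an added example, not part of the article, that automates the two observations above: it pairs sniffer lines to find replies that leave on a different interface than the one the request arrived on, and it picks out debug-flow route lookups that resolved to a local route. The sniffer and trace_id=38 lines are the article's; the trace_id=39 line is constructed to show what a correctly routed reply looks like (flag=04000000 via VPN_Tunnel), and treating the high bit of the flag value as "local route" is an assumption based on the article's pairing of flag=80000000 with "via root".

```python
import re

# Sniffer output quoted from the article.
SNIFFER_LINES = [
    "2020-12-10 14:34:12.189914 VPN_Tunnel in 10.12.10.10 -> 10.1.6.2: icmp: echo request",
    "2020-12-10 14:34:12.195421 root out 10.1.6.2 -> 10.12.10.10: icmp: echo reply",
    "2020-12-10 14:34:12.195590 root in 10.1.6.2 -> 10.12.10.10: icmp: echo reply",
]

# Debug-flow output quoted from the article (trace_id=38) plus one constructed
# line (trace_id=39) showing a lookup that correctly hits the VPN route.
FLOW_LINES = [
    'id=20085 trace_id=38 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=1, 10.12.10.10:1->10.1.6.2:0) from Port2. type=0, code=0, id=1, seq=9."',
    'id=20085 trace_id=38 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0004a1f5, reply direction"',
    'id=20085 trace_id=38 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-10.12.10.10 via root"',
    'id=20085 trace_id=39 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.12.10.10 via VPN_Tunnel"',  # constructed
]

# "<date> <time> <iface> <in|out> <src> -> <dst>: <proto>..."
SNIFFER_RE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): ")
# "... trace_id=N ... msg="find a route: flag=HEX gw-ADDR via IFACE""
ROUTE_RE = re.compile(
    r'trace_id=(?P<trace>\d+) .*msg="find a route: flag=(?P<flag>[0-9a-fA-F]+) gw-(?P<gw>\S+) via (?P<iface>\S+)"')

# Assumption: this bit marks a local (self-destined) route in debug-flow output;
# the article's failing lookup shows flag=80000000 together with "via root".
LOCAL_ROUTE_FLAG = 0x80000000


def misrouted_replies(lines, expected_iface):
    """Record every packet entering on expected_iface, then report packets for the
    reversed src/dst tuple that leave on any other interface."""
    inbound = set()
    findings = []
    for line in lines:
        m = SNIFFER_RE.match(line)
        if not m:
            continue
        key = (m["src"], m["dst"])
        if m["dir"] == "in" and m["iface"] == expected_iface:
            inbound.add(key)
        elif (m["dir"] == "out" and (m["dst"], m["src"]) in inbound
              and m["iface"] != expected_iface):
            findings.append((m["src"], m["dst"], m["iface"]))
    return findings


def local_route_traces(lines):
    """Return {trace_id: (gw, iface)} for route lookups whose flag carries the
    local-route bit, i.e. the FortiGate decided the destination is its own address."""
    hits = {}
    for line in lines:
        m = ROUTE_RE.search(line)
        if m and int(m["flag"], 16) & LOCAL_ROUTE_FLAG:
            hits[int(m["trace"])] = (m["gw"], m["iface"])
    return hits


if __name__ == "__main__":
    for src, dst, iface in misrouted_replies(SNIFFER_LINES, "VPN_Tunnel"):
        print(f"reply {src} -> {dst} left on {iface}, expected VPN_Tunnel")
    for trace, (gw, iface) in local_route_traces(FLOW_LINES).items():
        print(f"trace {trace}: destination {gw} resolved to a local route via {iface}")
```

Feed it the raw output of the sniffer and debug-flow commands above; a reply reported by both functions points at an object on the FortiGate that claims the destination address, which is what the rest of the article tracks down.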


When this behaviour is seen, look for any object on the FortiGate whose address range overlaps the subnet reached through the VPN: an interface IP, a VIP external IP (extip), or an IP pool.

In the scenario above, the cause was a VIP whose extip range covered 10.12.10.0/24. Because a VIP's external address is treated as belonging to the FortiGate itself, the unit delivered the return traffic locally (the "via root" route lookup) and never consulted the static route through VPN_Tunnel.

For example:

 

config firewall vip
    edit "vip"
        set extip 10.12.10.1-10.12.10.254
        set extintf "port2"
        set mappedip "10.2.0.1-10.2.0.254"
    next
end

 

Adjust the VIP so that its extip range no longer overlaps the subnet reachable through the tunnel, or remove it if it is not required.

 

If the overlap comes from an IP pool, the pool does not have to be removed: disabling ARP reply on the pool resolves the issue. Whether VIP and IP pool addresses count as local, and how arp-reply affects that, depends on the FortiOS version; see the technical tip referenced at the end of this article.

 

config firewall ippool
    edit "ip-pool"
        set startip 10.12.0.1
        set endip 10.12.10.254
        set arp-reply disable
    next
end
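The following checker is an added example, not from the article, for the "search for overlapping ranges" step: it parses the `config firewall vip` and `config firewall ippool` blocks from a FortiOS configuration, converts each extip or startip/endip range to networks, and reports every object overlapping a subnet routed through a VPN interface, together with its arp-reply state. The "vip" and "ip-pool" objects reproduce the article's examples; "lan-pool" is a constructed, non-overlapping pool added for contrast, and the VPN_ROUTES mapping stands in for the article's static route.

```python
import ipaddress

# Constructed configuration fragment in the shape of the article's examples.
SAMPLE_CONFIG = """\
config firewall vip
    edit "vip"
        set extip 10.12.10.1-10.12.10.254
        set extintf "port2"
        set mappedip "10.2.0.1-10.2.0.254"
    next
end
config firewall ippool
    edit "ip-pool"
        set startip 10.12.0.1
        set endip 10.12.10.254
    next
    edit "lan-pool"
        set startip 192.0.2.10
        set endip 192.0.2.20
        set arp-reply disable
    next
end
"""

# Subnets reached through VPN interfaces (the article's static route).
VPN_ROUTES = {"VPN_Tunnel": ["10.12.10.0/24"]}


def parse_ranges(text):
    """'a-b' -> [(a, b)]; a bare address -> [(a, a)]; several tokens allowed."""
    ranges = []
    for token in text.replace('"', "").split():
        first, _, last = token.partition("-")
        ranges.append((first, last or first))
    return ranges


def parse_objects(config_text):
    """Collect VIP extip ranges and IP pool start/end ranges, plus arp-reply state."""
    objects, kind, current = [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config firewall "):
            kind = line.split()[2]            # 'vip' or 'ippool'
        elif line == "end":
            kind = None
        elif line.startswith("edit ") and kind in ("vip", "ippool"):
            current = {"kind": kind, "name": line.split(None, 1)[1].strip('"'),
                       "ranges": [], "arp_reply": True}
            objects.append(current)
        elif current is None:
            continue
        elif line == "next":
            if "startip" in current and "endip" in current:
                current["ranges"].append((current.pop("startip"), current.pop("endip")))
            current = None
        elif line.startswith("set extip "):
            current["ranges"].extend(parse_ranges(line[len("set extip "):]))
        elif line.startswith("set startip "):
            current["startip"] = line.split()[2]
        elif line.startswith("set endip "):
            current["endip"] = line.split()[2]
        elif line.startswith("set arp-reply "):
            current["arp_reply"] = line.split()[2] != "disable"
    return objects


def find_overlaps(objects, routes):
    """Return (name, kind, vpn_iface, subnet, arp_reply) for each object range that
    overlaps a subnet routed through a VPN interface."""
    findings = []
    for obj in objects:
        for first, last in obj["ranges"]:
            nets = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
            for iface, subnets in routes.items():
                for subnet in subnets:
                    target = ipaddress.ip_network(subnet)
                    if any(n.overlaps(target) for n in nets):
                        findings.append((obj["name"], obj["kind"], iface, subnet, obj["arp_reply"]))
    return findings


if __name__ == "__main__":
    for name, kind, iface, subnet, arp in find_overlaps(parse_objects(SAMPLE_CONFIG), VPN_ROUTES):
        if kind == "vip":
            hint = "adjust or remove the extip range"
        elif arp:
            hint = "consider 'set arp-reply disable'"
        else:
            hint = "arp-reply already disabled, check the FortiOS version behaviour"
        print(f"{kind} {name!r} overlaps {subnet} (via {iface}): {hint}")
```

Run it against `show firewall vip` and `show firewall ippool` output with the routes taken from the routing table; every hit is a candidate for the VIP or IP pool change described in this article.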

 

After the VIP and/or IP pool has been adjusted, run the sniffer and debug flow again; the reply traffic should now be seen leaving on VPN_Tunnel rather than root.

 

Refer to Technical Tip: IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4 for the version-specific details of how IP pool and VIP addresses are treated.

 

Related document:
IP pools and VIPs are not considered local addresses for certain FortiOS versions - FortiGate Docume...