Description
This article describes how to resolve a scenario where ESP packets are being allowed by the ISP to the FortiGate, but there is no response back to the remote gateway that initiated this traffic, especially in the case of a VPN client contacting the dial-up IPsec server.

Scope
FortiGate - IPsec tunnels.

Solution
The cause of this behaviour on a FortiGate can vary. Below are recommended fixes and troubleshooting steps; each one narrows down where the reply to the remote gateway is being lost.
Check that the FortiGate has a route back to the remote gateway and that it points out the interface on which the IPsec traffic arrives (a missing or asymmetric return route is enough to stop the reply):

get router info routing-table all
get router info routing-table details x.x.x.x <- Remote gateway.

Sniff the IKE and NAT-T traffic to confirm that packets from the remote gateway are received and whether the FortiGate answers them. Verbosity 4 prints the interface and the direction, so look for matching "in" and "out" lines for the same peer; 0 means no packet limit and "l" adds local timestamps:

diagnose sniffer packet any "port 500 or port 4500" 4 0 l

Check the tunnel status and the counters of the phase1 in question:

get vpn ipsec tunnel summary
diagnose vpn tunnel list name <phase1-name>

As a test, disable NPU offload on the phase1 so that ESP is processed in software. If the remote gateway then gets its reply, the hardware offload path is involved and the setting can stay disabled for this tunnel while the case is investigated further:

config vpn ipsec phase1-interface
    edit <phase1-name>
        set npu-offload disable
    next
end
Check for a VIP that claims the IPsec local gateway IP. A VIP whose extip is the same address as the IPsec tunnel local gateway (the tunnel's source interface IP) and that has no port forwarding matches every packet sent to that address, IKE and ESP included, and forwards it to the mapped host instead of letting the FortiGate terminate it. Modify the VIP to use port forwarding or, if applicable, to use a different external address than the IPsec tunnel local gateway/source interface IP:

config firewall vip
    edit <vip>
        set extip y.y.y.y <- Different from the IPsec local gateway IP.
    next
end

Or:

config firewall vip
    edit <vip>
        set portforward enable
        set portmapping-type 1-to-1
        set extport xxxx
        set mappedport xxxx
    next
end
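As an added, constructed example (not from the article), here is the VIP that produces the symptom beside the two corrected forms described above. The VIP name srv-vip, the interface wan1, the addresses 198.51.100.5 (IPsec local gateway), 198.51.100.6 (spare public IP) and 10.0.0.20 (internal server), and the port 443 are assumptions; the unindented sentences between the config blocks are annotation, not CLI.

```text
Before (causes the symptom): a 1-to-1 VIP without port forwarding on the
address the dial-up tunnel terminates on. Every packet to 198.51.100.5,
including IKE (UDP 500/4500) and ESP, is DNATed to 10.0.0.20 instead of
being handled by the FortiGate itself.

config firewall vip
    edit "srv-vip"
        set extip 198.51.100.5    <- Same as the IPsec local gateway / wan1 IP.
        set extintf "wan1"
        set mappedip "10.0.0.20"
    next
end

Fix A: move the VIP to a second public address so the IPsec local gateway IP
is left untouched.

config firewall vip
    edit "srv-vip"
        set extip 198.51.100.6    <- Different from the IPsec local gateway IP.
        set extintf "wan1"
        set mappedip "10.0.0.20"
    next
end

Fix B: keep the address but restrict the VIP to the service actually
published (TCP 443 here), so IKE and ESP are no longer matched by it.

config firewall vip
    edit "srv-vip"
        set extip 198.51.100.5
        set extintf "wan1"
        set mappedip "10.0.0.20"
        set portforward enable
        set portmapping-type 1-to-1
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

Verify: the tunnel should now show traffic in both directions.

diagnose vpn tunnel list name <phase1-name>
```

Only one of the two fixes is needed. Fix A is preferable when a spare public address exists, because it keeps the published service and the VPN termination completely separate; Fix B is the option when the WAN interface has a single address.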
If the above does not reveal the cause, trace how the FortiGate handles the packets from the remote gateway. The flow trace shows whether they are dropped (for example by the reverse path check), redirected by a VIP, or accepted:

diagnose debug reset
diagnose debug flow filter addr x.x.x.x <- Remote gateway IP.
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug console time enable
diagnose debug enable

Finally, capture the IKE negotiation with that gateway to see whether phase1 and phase2 complete and what the FortiGate sends back:

diagnose debug reset
diagnose vpn ike log-filter dst-addr4 x.x.x.x <- The filter keyword is rem-addr4 starting from FortiOS 7.4 (diagnose vpn ike log filter rem-addr4 x.x.x.x).
diagnose debug application ike -1
diagnose debug console time enable
diagnose debug enable

Turn debugging off again once the output has been collected:

diagnose debug disable
diagnose debug reset
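The sniffer step above is easier to read when the capture is summarised per flow and direction. The following script is an added example, not part of the article: it parses verbosity-4 sniffer lines (tcpdump-style, "interface in|out src -> dst: proto", with the "l" timestamp option), counts packets between the remote gateway and the FortiGate's IPsec local gateway per flow, and reports the flows that arrive but are never answered, which is exactly the symptom this article is about. The sample lines, the addresses 203.0.113.10 (remote gateway) and 198.51.100.5 (local gateway), the interface name and the SPI are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample of "diagnose sniffer packet any '...' 4 0 l" output.
# Verbosity 4 prints the interface and the direction; "l" adds local time.
# IKE on UDP 500 is answered, but four ESP packets are received and none is
# sent back. All addresses, sizes and the SPI are made up.
SAMPLE_LINES = """\
2024-01-15 10:23:45.103211 wan1 in 203.0.113.10.500 -> 198.51.100.5.500: udp 316
2024-01-15 10:23:45.104870 wan1 out 198.51.100.5.500 -> 203.0.113.10.500: udp 276
2024-01-15 10:23:45.210442 wan1 in 203.0.113.10.500 -> 198.51.100.5.500: udp 124
2024-01-15 10:23:45.211903 wan1 out 198.51.100.5.500 -> 203.0.113.10.500: udp 108
2024-01-15 10:23:46.001233 wan1 in 203.0.113.10 -> 198.51.100.5: ESP(spi=0xc6abad51,seq=0x1)
2024-01-15 10:23:47.002100 wan1 in 203.0.113.10 -> 198.51.100.5: ESP(spi=0xc6abad51,seq=0x2)
2024-01-15 10:23:48.003417 wan1 in 203.0.113.10 -> 198.51.100.5: ESP(spi=0xc6abad51,seq=0x3)
2024-01-15 10:23:49.004001 wan1 in 203.0.113.10 -> 198.51.100.5: ESP(spi=0xc6abad51,seq=0x4)
""".splitlines()

# Assumed line layout: "<date> <time> <intf> in|out <src>[.<port>] -> <dst>[.<port>]: udp|ESP ..."
# Raw ESP has no ports; UDP lines (IKE on 500, NAT-T on 4500) carry them.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<proto>udp|ESP)"
)


def flow_counts(lines, remote_gw, local_gw):
    """Count packets per (direction, flow) between remote_gw and local_gw.

    flow is "ESP" for raw ESP, otherwise "udp/<port on the FortiGate side>",
    so IKE (500) and NAT-T (4500) are tracked separately. Other traffic and
    other peers are ignored.
    """
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        if f["dir"] == "in" and f["src"] == remote_gw and f["dst"] == local_gw:
            local_port = f["dport"]
        elif f["dir"] == "out" and f["src"] == local_gw and f["dst"] == remote_gw:
            local_port = f["sport"]
        else:
            continue
        flow = "ESP" if f["proto"] == "ESP" else f"udp/{local_port}"
        counts[(f["dir"], flow)] += 1
    return dict(counts)


def unanswered_flows(counts):
    """Flows with inbound packets and no outbound packet at all."""
    return sorted(flow for (d, flow) in counts
                  if d == "in" and ("out", flow) not in counts)


def verdict(counts):
    """Map the counts onto the troubleshooting branches of this article."""
    if not any(d == "in" for (d, _) in counts):
        return "nothing from the remote gateway reaches the FortiGate: check the ISP/upstream path"
    missing = unanswered_flows(counts)
    if not missing:
        return "every flow is answered: the FortiGate is replying, look further along the path"
    return ("received but not answered: " + ", ".join(missing)
            + "; check the return route, a VIP on the local gateway IP, and NPU offload")


if __name__ == "__main__":
    counts = flow_counts(SAMPLE_LINES, "203.0.113.10", "198.51.100.5")
    for (direction, flow), n in sorted(counts.items()):
        print(f"{direction:3} {flow:10} {n}")
    print(verdict(counts))
```

Note that the article's filter "port 500 or port 4500" captures IKE and NAT-T encapsulated ESP only; to see raw ESP (IP protocol 50) in the capture, include it in the filter, for example "esp or port 500 or port 4500".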