VinayHM
Staff
Article Id 350375
Description This article addresses local networks being unreachable even though the IPsec tunnel status shows the tunnel as active.
Scope FortiGate.
Solution

In this scenario, the local network cannot be reached even though the tunnel is up. Only incoming bytes are observed on the tunnel: there is no return traffic, and the sent-bytes counter stays at zero.

Topology:

  • 192.168.0.0/16 — FortiGate — IPsec — FortiGate1 10.33.0.0/16

In this topology, IP 10.33.205.201 attempts to reach 192.168.2.28 over IPsec.

The routes are configured but show as inactive in the routing table.

Debug logs:

 

Firewall # get router info routing-table details 10.33.0.0

Routing table for VRF=0
Routing entry for 10.33.0.0/16
Known via "static", distance 254, metric 0, best
* directly connected, Null

Routing entry for 10.33.0.0/16
Known via "static", distance 10, metric 0
via xyz tunnel 10.0.0.4 vrf 0 inactive, tun_id   <-----

 Firewall # id=65308 trace_id=23 func=print_pkt_detail line=5879 msg="vd-QANA:0 received a packet(proto=1, 10.33.205.201:1->192.168.2.8:2048) tun_id=10.0.0.4 from WV--TO--SAV. type=8, code=0, id=1, seq=2078."
id=65308 trace_id=23 func=init_ip_session_common line=6063 msg="allocate a new session-48eba2b1"
id=65308 trace_id=23 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"
id=65308 trace_id=23 func=ip_session_handle_no_dst line=6149 msg="trace"
id=65308 trace_id=24 func=print_pkt_detail line=5879 msg="vd-QANA:0 received a packet(proto=1, 10.33.205.201:1->192.168.2.8:2048) tun_id=10.0.0.4 from xyz. type=8, code=0, id=1, seq=2079."
id=65308 trace_id=24 func=init_ip_session_common line=6063 msg="allocate a new session-48ebac92"
id=65308 trace_id=24 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"   <---
id=65308 trace_id=24 func=ip_session_handle_no_dst line=6149 msg="trace"

 Firewall # id=65308 trace_id=25 func=print_pkt_detail line=5879 msg="vd-QANA:0 received a packet(proto=1, 10.33.205.201:1->192.168.2.8:2048) tun_id=10.0.0.4 from WV--TO--SAV. type=8, code=0, id=1, seq=2080."
id=65308 trace_id=25 func=init_ip_session_common line=6063 msg="allocate a new session-48ebb7ad"
id=65308 trace_id=25 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"
id=65308 trace_id=25 func=ip_session_handle_no_dst line=6149 msg="trace"
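To make this symptom checkable from captured output rather than by eye, the following is an added Python example (not part of the article and not a Fortinet tool) that groups debug-flow lines by trace_id, picks out the packets dropped by the reverse path check, and pairs each one with the routing-table entries covering its source address. The sample trace and routing output are constructed copies of the article's; the function names rpf_drops, routes_for and diagnose are this example's own.

```python
import re, ipaddress
# Constructed samples modelled on the article's output: debug-flow trace 23 is dropped
# by the reverse path check, trace 30 is not; ROUTES copies the routing-table details.
FLOW = '''\
id=65308 trace_id=23 func=print_pkt_detail line=5879 msg="vd-QANA:0 received a packet(proto=1, 10.33.205.201:1->192.168.2.8:2048) tun_id=10.0.0.4 from xyz. type=8, code=0, id=1, seq=2078."
id=65308 trace_id=23 func=ip_route_input_slow line=2268 msg="reverse path check fail, drop"
id=65308 trace_id=30 func=print_pkt_detail line=5879 msg="vd-QANA:0 received a packet(proto=1, 10.33.205.201:1->192.168.2.8:2048) tun_id=10.0.0.4 from xyz. type=8, code=0, id=1, seq=2090."
'''
ROUTES = '''\
Routing entry for 10.33.0.0/16
Known via "static", distance 254, metric 0, best
* directly connected, Null
Routing entry for 10.33.0.0/16
Known via "static", distance 10, metric 0
via xyz tunnel 10.0.0.4 vrf 0 inactive, tun_id
'''
PKT_RE = re.compile(r'proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\).*?tun_id=([\d.]+) from (\S+)\.')

def rpf_drops(flow_text):
    # Remember each trace's packet header, then report the traces the reverse path check dropped.
    pkts, drops = {}, []
    for line in flow_text.splitlines():
        m = re.search(r'trace_id=(\d+)', line)
        if m and 'func=print_pkt_detail' in line:
            pkts[m.group(1)] = dict(zip(('src', 'dst', 'tun_id', 'ingress'), PKT_RE.search(line).groups()))
        elif m and 'reverse path check fail' in line and m.group(1) in pkts:
            drops.append({'trace_id': m.group(1), **pkts[m.group(1)]})
    return drops

def routes_for(route_text, ip):
    # Parse 'get router info routing-table details' entries; return those whose prefix covers ip.
    entries, cur = [], None
    for s in (l.strip() for l in route_text.splitlines()):
        m = re.match(r'Routing entry for (\S+)', s)
        if m:
            entries.append(cur := {'prefix': m.group(1), 'best': False, 'inactive': False, 'via': ''})
        elif cur and s.startswith('Known via'):
            cur['best'] = s.endswith('best')
        elif cur and s.startswith(('*', 'via')):
            cur['via'], cur['inactive'] = s.lstrip('* '), 'inactive' in s
    return [e for e in entries if ipaddress.ip_address(ip) in ipaddress.ip_network(e['prefix'])]

def diagnose(flow_text, route_text):
    # Article's case: the source's best route is the Null (blackhole) entry while the tunnel route is inactive.
    out = []
    for d in rpf_drops(flow_text):
        rts = routes_for(route_text, d['src'])
        out.append({**d, 'best_is_null': any(r['best'] and 'Null' in r['via'] for r in rts),
                    'tunnel_route_inactive': any(r['inactive'] and 'tunnel' in r['via'] for r in rts)})
    return out
```

A finding with both flags set is the situation described here: the tunnel is up, but the device has no active return route for the remote prefix, so every packet from it fails the reverse path check.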

 

Solution:

 

Restart the routing process with the command below during a scheduled downtime or maintenance window, then re-run get router info routing-table details 10.33.0.0 to confirm that the tunnel route is no longer marked inactive.

 

Command to restart routing (exe is the abbreviated form of execute):

exe router restart
