FortiGate
Umer221 (Staff)
Article Id 276560
Description: This article describes how to diagnose and mitigate routing problems caused by Reverse Path Forwarding (RPF) checks in IPsec VPNs on FortiGate.
Scope: FortiGate, IPsec VPNs, Reverse Path Forwarding (RPF).
Solution
  1. Understanding the Issue:
    Users operating IPsec VPNs on FortiGate might notice that the VPN works for one specific host while other hosts on the destination network cannot be reached. Closer inspection often shows that traffic leaves the Azure FortiGate through the IPsec tunnel but never receives a response, because the packets fail an RPF check.

  2. Steps for Diagnosis:

    a. Conduct a Ping Test:

    • Purpose: Check for live connections between source and destination.
    • Instructions:
      1. Use the command: ping [destination host address]
      2. Monitor for timeouts; timeouts indicate a connectivity issue.

    b. Run a Traceroute:

    • Purpose: Identify the path packets take and any potential drops.
    • Instructions:
      1. Input the command: traceroute [destination host address]
      2. Analyze the results. If the path is incomplete, further diagnosis is needed.

    c. Check Traffic Flow:

    • Purpose: Determine if traffic exits the Azure FortiGate via IPsec VPN and reaches the destination.
    • Instructions:
      1. Check the tunnel status: diagnose vpn tunnel list
      2. Capture the traffic with the built-in sniffer: diagnose sniffer packet
      3. Look for traffic leaving through the tunnel without any reply coming back.

    d. Validate RPF:

    • Purpose: Ensure packets follow the appropriate path.
    • Instructions:
      1. View the routing table on the remote end: get router info routing-table all
      2. Check for dropped packets due to RPF checks.

  3. Resolution Procedure:

    • Adjust Route Priority:
      • Purpose: Ensure traffic passes the RPF check.
      • Instructions:
        1. Access the remote end's routing table: get router info routing-table all
        2. Modify the routes: config router static, then edit [route number]
        3. Alternatively, the 'exchange-ip-addr4' setting can be used on site-to-site tunnels when the traffic is generated from the remote site's private tunnel IP.
        4. Adjust the route priorities so that the RPF check passes.
        5. Confirm that traffic flows through the VPN.
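The following CLI session is an added example, not part of the original article: it shows how an RPF drop surfaces in the flow debug on the remote FortiGate and the two configuration changes from step 3. The tunnel name azure-vpn, the host and subnet addresses and the tunnel IP are placeholders.

```fortios
# --- On the remote FortiGate: confirm the drop is an RPF failure ---
# 10.1.0.50 is a placeholder host behind the Azure FortiGate.
diagnose debug flow filter addr 10.1.0.50
diagnose debug flow trace start 10
diagnose debug enable
# An RPF drop shows up in the trace as a line like:
#   reverse path check fail, drop
# Stop the trace once the drop has been confirmed.
diagnose debug disable
diagnose debug reset

# --- Show the active routes the RPF check is evaluated against ---
get router info routing-table all

# --- Option A (step 3): make the route back to the Azure subnet via the tunnel win ---
# Among routes with the same distance, the lower priority value is preferred.
config router static
    edit 10
        set dst 10.1.0.0 255.255.255.0        # placeholder: subnet behind the Azure FortiGate
        set device "azure-vpn"                # placeholder: IPsec tunnel interface name
        set distance 10
        set priority 5                        # preferred over the WAN route for this prefix
    next
end

# --- Option B (step 3, item 3): exchange the tunnel interface IP with the peer ---
config vpn ipsec phase1-interface
    edit "azure-vpn"
        set exchange-interface-ip enable
        set exchange-ip-addr4 10.255.0.1      # placeholder: this side's tunnel interface IP
    next
end
```

After either change, repeat the flow trace and confirm the "reverse path check fail" line no longer appears for the affected host.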

Note:

Always back up the configuration before making changes. Follow instructions meticulously to avoid misconfiguration.