pinzgauner
New Contributor

Fortigate resets VPN Tunnel connection

I do have an issue with a VPN tunnel where I need to do SNAT using a VIP (10.251.106.16 -> 10.49.15.73). The SYN packet is traversing the tunnel and I do get a SYN ACK back, but my Fortigate 60D (running v5.2.6,build711 (GA)) for some reason is resetting the connection, generating a RST "from local". Any idea what is causing the Fortigate to reply with RST? Opposite direction is working fine (Gateway is some Cisco device).

Thanks!

1197.678400 internal1 in 10.49.15.73.54397 -> 10.251.106.16.9100: syn 1189762794
1197.678586 Tunnel out 10.49.15.73.54397 -> 10.49.146.86.9100: syn 1189762794
1197.720780 Tunnel in 10.49.146.86.9100 -> 10.49.15.73.54397: syn 1944898224 ack 1189762795
1197.720905 Tunnel out 10.49.15.73.54397 -> 10.49.146.86.9100: rst 1189762795

id=20085 trace_id=302 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 10.49.146.86:9100->10.49.15.73:55573) from Tunnel. flag [S.], seq 3383165015, ack 1693452540, win 8192"
id=20085 trace_id=302 func=resolve_ip_tuple_fast line=4432 msg="Find an existing session, id-00005e26, reply direction"
id=20085 trace_id=303 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 10.49.15.73:55573->10.49.146.86:9100) from local. flag , seq 1693452540, ack 0, win 0"
id=20085 trace_id=303 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-Tunnel"
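As an added example (not from this thread or from Fortinet), here is a small Python parser for the two output formats in the post above: it walks the sniffer lines and flags any client->server flow where a RST follows the SYN-ACK instead of the final ACK, and it lists the debug-flow packets whose origin tag is "local". The sample lines are copied from the post; the regexes assume the field layout shown there.

```python
import re

# Constructed sample input: the sniffer and debug-flow lines quoted in the post above.
SNIFFER = """\
1197.678400 internal1 in 10.49.15.73.54397 -> 10.251.106.16.9100: syn 1189762794
1197.678586 Tunnel out 10.49.15.73.54397 -> 10.49.146.86.9100: syn 1189762794
1197.720780 Tunnel in 10.49.146.86.9100 -> 10.49.15.73.54397: syn 1944898224 ack 1189762795
1197.720905 Tunnel out 10.49.15.73.54397 -> 10.49.146.86.9100: rst 1189762795
"""
FLOW = """\
id=20085 trace_id=302 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 10.49.146.86:9100->10.49.15.73:55573) from Tunnel. flag [S.], seq 3383165015, ack 1693452540, win 8192"
id=20085 trace_id=303 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 10.49.15.73:55573->10.49.146.86:9100) from local. flag , seq 1693452540, ack 0, win 0"
"""

# Field layout assumed from the lines above: "<ts> <ifname> <in|out> <src>.<port> -> <dst>.<port>: <flags>"
SNIFF_RE = re.compile(r"^[\d.]+ (?P<ifname>\S+) (?:in|out) (?P<src>[\d.]+\.\d+) -> "
                      r"(?P<dst>[\d.]+\.\d+): (?P<flags>.+)$")
FLOW_RE = re.compile(r'trace_id=(?P<tid>\d+) .*proto=6, (?P<src>[\d.:]+)->(?P<dst>[\d.:]+)\) '
                     r'from (?P<origin>\S+)\.')

def find_reset_handshakes(text):
    """Track each client->server flow through SYN and SYN-ACK, and flag it when
    the next packet from the client is a RST instead of the handshake's final ACK."""
    state, flagged = {}, []
    for line in text.splitlines():
        m = SNIFF_RE.match(line)
        if not m:
            continue
        flags, src, dst = m["flags"].split(), m["src"], m["dst"]
        if flags[0] == "syn" and "ack" not in flags:
            state[(src, dst)] = "syn"                 # client opened the connection
        elif flags[0] == "syn" and state.get((dst, src)) == "syn":
            state[(dst, src)] = "synack"              # server answered; handshake half done
        elif flags[0] == "rst" and state.get((src, dst)) == "synack":
            flagged.append((src, dst, m["ifname"]))   # RST sent where the ACK should have gone
            state[(src, dst)] = "rst"
    return flagged

def packets_from_local(text):
    """Return (trace_id, src, dst) for debug-flow packets whose origin tag is 'local',
    i.e. the packets the flow trace reports as not received on any interface."""
    return [(m["tid"], m["src"], m["dst"]) for m in map(FLOW_RE.search, text.splitlines())
            if m and m["origin"] == "local"]

if __name__ == "__main__":
    for src, dst, ifname in find_reset_handshakes(SNIFFER):
        print(f"handshake {src} -> {dst} reset on {ifname} right after the SYN-ACK")
    for tid, src, dst in packets_from_local(FLOW):
        print(f"trace_id={tid}: {src} -> {dst} tagged 'from local'")
```

Feed it a longer sniffer capture and it will report every flow that was torn down at the same point, which makes it easy to see whether only the VIP-translated connections are affected.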

3 Replies
NotMine
Contributor

Hello,

 

How did you establish that FGT is resetting the connection? I don't see it in the trace log.

 

Did this configuration work before? If yes, has something changed in your environment?

 

Cheers,

Slavko

NSE 7

All opinions/statements written here are my own.
support12
New Contributor III

Exactly. This is a host, 10.49.15.73; that IP is not the Fortigate.

pinzgauner

Hi Slavko,

 

I don't see the reset packet at another Fortigate that is before this one (I only see the initial SYN here). Also, the log shows the RST packet has been created "from local":

 

id=20085 trace_id=303 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=6, 10.49.15.73:55573->10.49.146.86:9100) from local. flag , seq 1693452540, ack 0, win 0"

 

Any idea why?

 

thanks!

Andreas
