Fortinet Forum
salon442
New Contributor

Issue in traffic flow in IPsec L3 VPN even when VPN is UP

We are facing a traffic flow issue in IPsec VPN. The VPN tunnel is up, but we are facing a traffic flow issue. The remote side needs to reach a server on the local side, so whenever the remote side initiates a TCP connection, we observe the SYN packet coming out of the VPN tunnel from the remote side, and we receive the SYN packet from the VPN tunnel in the incoming direction. The local side is able to send the SYN-ACK packet towards the remote side through the VPN tunnel, but the SYN-ACK packet is not received at the remote side FW, due to which they are not able to send the ACK packet, which disallows the TCP connection. I have attached some logs for your reference.

For more information: NAT-T is disabled, PFS is disabled, and auto-negotiate and auto keep-alive are also disabled in the VPN settings.

Please understand the traffic flow for your reference:

In remote side (Cisco ASA):
- VPN tunnel: SYN packet sent

In local side (FGT 500E):
- VPN tunnel: SYN packet received
- VPN tunnel: SYN-ACK sent

The SYN-ACK packet which is sent from the local side does not reach the remote side, due to which the TCP three-way handshake is incomplete.

abarushka
Staff

Hello,


As far as I understand, the SYN-ACK packet is lost between the FortiGate and the Cisco ASA. In case I understand the scenario correctly, you may consider decrypting ESP packets sniffed on the ISP side following the instructions below:


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Decrypt-ESP-packets/ta-p/198431?externalID...

Toshi_Esumi
Esteemed Contributor II

Or, the remote side might not be receiving any ESP packets at all although it can send them out.

I would suggest just sniffing packets at your ASA. Then, if no ESP is coming in while your FGT is sending them, it's time to call the ISP on the remote end.


Toshi
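The comparison both replies describe (ESP leaving one gateway versus ESP arriving at the other) can be made mechanical once you have a capture from each side: ESP packets carry a cleartext SPI and sequence number in their first 8 bytes (RFC 4303), so no decryption is needed to see which packets of a given SA never arrived. The script below is an added example written for this thread, not code from Fortinet, Cisco or either poster. The SPI values and the four capture lists are constructed sample data; in practice the SPIs come from the negotiated SAs and the packets from sniffing on each gateway's outside interface.

```python
import struct

# ESP header layout from RFC 4303: 32-bit SPI, 32-bit sequence number, then the
# encrypted payload. Both fields are sent in the clear, so they can be read off
# a capture without the SA keys.
ESP_HEADER = struct.Struct("!II")


def parse_esp_header(packet):
    """Return (spi, seq) from the first 8 bytes of an ESP packet."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(packet)


def build_esp(spi, seq, body=b"\x00" * 16):
    """Constructed ESP packet for the example: header plus an opaque body."""
    return ESP_HEADER.pack(spi, seq) + body


def seqs_by_spi(packets):
    """Group the sequence numbers present in a capture by SPI."""
    seen = {}
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        seen.setdefault(spi, set()).add(seq)
    return seen


def find_lost_packets(sender_capture, receiver_capture, spi):
    """Sequence numbers the sender emitted for this SPI that the receiver never saw."""
    sent = seqs_by_spi(sender_capture).get(spi, set())
    received = seqs_by_spi(receiver_capture).get(spi, set())
    return sorted(sent - received)


def diagnose(fgt_out, fgt_in, asa_out, asa_in, spi_fgt_to_asa, spi_asa_to_fgt):
    """Per direction, report (packets sent, sequence numbers lost in transit).

    A direction where everything sent is lost, while the tunnel itself is up,
    points at the transit path for that direction rather than at the IPsec
    configuration, which is the situation both replies describe.
    """
    return {
        "asa_to_fgt": (
            len(seqs_by_spi(asa_out).get(spi_asa_to_fgt, set())),
            find_lost_packets(asa_out, fgt_in, spi_asa_to_fgt),
        ),
        "fgt_to_asa": (
            len(seqs_by_spi(fgt_out).get(spi_fgt_to_asa, set())),
            find_lost_packets(fgt_out, asa_in, spi_fgt_to_asa),
        ),
    }


# Constructed SPIs (hypothetical values, not from the thread).
SPI_ASA_TO_FGT = 0x1A2B3C4D
SPI_FGT_TO_ASA = 0x5E6F7A8B

# Constructed captures modelling the thread's symptom: five ESP packets
# (the SYNs) leave the ASA and all reach the FortiGate; five ESP packets
# (the SYN-ACKs) leave the FortiGate and none reach the ASA.
ASA_OUT = [build_esp(SPI_ASA_TO_FGT, n) for n in range(1, 6)]
FGT_IN = list(ASA_OUT)
FGT_OUT = [build_esp(SPI_FGT_TO_ASA, n) for n in range(1, 6)]
ASA_IN = []


def example_report():
    """Run the diagnosis over the constructed captures."""
    return diagnose(FGT_OUT, FGT_IN, ASA_OUT, ASA_IN, SPI_FGT_TO_ASA, SPI_ASA_TO_FGT)


if __name__ == "__main__":
    for direction, (sent, lost) in example_report().items():
        print(f"{direction}: sent {sent}, lost in transit {lost}")
```

With these inputs the asa_to_fgt direction reports nothing lost and fgt_to_asa reports all five sequence numbers missing, which is the signature Toshi describes: the FortiGate is sending ESP but none of it arrives, so the next step is the path between the two gateways rather than the tunnel settings. Matching on SPI matters because each direction of an IPsec SA uses its own SPI, and a few missing sequence numbers (rather than all of them) would instead suggest intermittent loss or fragmentation on the path.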