Fortinet Forum
BeerAdmin
New Contributor

Multisite traffic over IPSEC VPN Issue.

I've got a scenario where I can't seem to get traffic between two sites, to route to a third site over an IPSEC VPN.
Here's the Setup
Site A Fortigate (remote site) --private WAN connection--Site B Fortigate (Primary Site)--IPSEC VPN--Site C (subsidiary site) Palo Alto 
I have an IPsec tunnel set up between Site B and Site C with two Phase 2 selectors: one for a subnet at Site B, which is working, and one for a subnet at Site A, which is not working.

Testing has produced the following results:

Tracert from Site A to Site C stops at the private WAN interface on the FortiGate at Site B.

Starting a ping from Site A to Site C:

Packet capture on the Site A FortiGate looking for traffic to Site C shows packets sent but not received.

Packet capture on the Site B FortiGate looking for traffic to Site C shows packets sent but not received.

Policies on both the Site A and Site B FortiGates show traffic.

I'm at a loss as to where to go with troubleshooting. Policy lookups at Site A show the traffic is allowed, and the same for Site B. I don't have access to the Palo Alto at Site C, as it's a subsidiary.

BeerAdmin
New Contributor

Was going crazy. Turns out the admin had forgotten to put in a static route to the subnet at Site A.

ntaneja
Staff

Hi BeerAdmin,

Great that you found and fixed the issue.

Below is a link you can keep handy for IPsec troubleshooting in case you need it any time in the future:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955
Thanks