Fortinet Forum
kablage
New Contributor

SIT-Tunnel, traceroute from inside not working properly

Hi folks! FortiOS 5.0.7 (FGT40C), SIT-Tunnel to a tunnelbroker (HE) and everything is working very well. Except traceroute6 from the inside and out:

traceroute6 to he.net (2001:470:0:76::2) from 2001:470:xx:xxx::2200, 64 hops max, 16 byte packets
 1  2001:470:xx:xxx::254  0.569 ms  0.288 ms  0.232 ms  <-- internal IPv6 LAN IP
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  2001:470:0:298::1  119.167 ms  113.866 ms  113.928 ms
 8  2001:470:0:270::2  132.132 ms  131.609 ms  139.633 ms
 9  2001:470:0:240::1  150.374 ms  149.877 ms  150.385 ms
10  2001:470:0:1b4::1  172.868 ms  174.853 ms  175.129 ms
11  2001:470:0:2f::1  170.109 ms  177.583 ms  172.900 ms
12  2001:470:0:76::2  168.612 ms  168.598 ms  168.624 ms

From the "outside":

traceroute ipv6 2001:470:xx:xxx::2200 numeric
Tracing the route to IPv6 node 2001:470:xx:xxx::2200 from 1 to 30 hops
 1   21 ms   <1 ms   <1 ms  2001:470:0:31::2
 2   27 ms   40 ms   27 ms  2001:470:0:1b4::2
 3   71 ms   72 ms   52 ms  2001:470:0:1af::1
 4   75 ms   68 ms   74 ms  2001:470:0:298::2
 5  138 ms  144 ms  134 ms  2001:470:0:2cf::1
 6  160 ms  149 ms  150 ms  2001:470:0:2d0::2
 7  171 ms  208 ms  166 ms  2001:470:0:22f::2
 8  174 ms  175 ms  175 ms  2001:470:0:11e::2
 9  176 ms  172 ms  175 ms  2001:470:xx:xxx::2  <-- SIT-Tunnel, my end
10  182 ms  175 ms  174 ms  2001:470:xx:xxx::2200  <-- Client IPv6 LAN

What setting(s) should I look for? The problem is not on the client side as the output is the same on Ubuntu, OS X & Windows. I have tested setting specific TTL values on all interfaces on the FortiGate (set ip6-hop-limit 0, 64, 254, 255).

If someone has traceroute6 working with HE/SIT-Tunnel, please post your config :)
emnoc
Esteemed Contributor III

I would start with: diag debug flow filter6 is your friend. Then validate your fwpolicy6 & if it's allowing ICMPv6 or UDP for the intended traceroute6.

PCNSE 

NSE 

StrongSwan  

kablage
New Contributor

traceroute6 -n -I he.net
traceroute6 to he.net (2001:470:0:76::2) from 2001:470:[IPv6 host LAN]::2200, 64 hops max, 16 byte packets
 1  2001:470:[IPv6 GW LAN]::254  0.695 ms  0.428 ms  0.491 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  2001:470:0:298::1  115.629 ms  124.614 ms  114.156 ms
 8  2001:470:0:270::2  137.122 ms  131.906 ms  143.138 ms
 9  2001:470:0:240::1  145.864 ms  150.382 ms  151.598 ms
10  2001:470:0:1b4::1  165.372 ms  166.846 ms  174.646 ms
11  2001:470:0:2f::1  165.615 ms  227.561 ms  167.863 ms
12  2001:470:0:76::2  168.878 ms  168.631 ms  168.617 ms

config firewall policy6
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

diagnose debug console timestamp enable
diagnose debug flow show console enable
diagnose debug flow filter6 proto 058
diagnose debug flow trace start6 500
diagnose debug enable
diagnose debug flow trace stop6
diagnose debug flow filter6 clear
diagnose debug reset
diagnose debug disable

diagnose ipv6 route list
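Added example, not part of the thread: a small Python parser for `diagnose debug flow` output captured with the `filter6 proto 058` commands in the post above. It counts the traceroute probes leaving the LAN and the ICMPv6 Time Exceeded (type 3) and Echo Reply (type 129) messages the flow trace logs on the tunnel interface. The sample lines are constructed with documentation addresses; the interface names `internal5` and `HE` come from the post, and the function names are this example's own.

```python
import re

# ICMPv6 types relevant to traceroute6 -I. In the flow trace the number after
# the destination address is the ICMPv6 type; the one after the source is the id.
ECHO_REQUEST, ECHO_REPLY, TIME_EXCEEDED = 128, 129, 3

PKT_RE = re.compile(
    r'trace_id=(?P<tid>\d+) msg="\s*vd-\S+ received a packet\('
    r'proto=(?P<proto>\d+), (?P<src>.+):(?P<sid>\d+)->'
    r'(?P<dst>.+):(?P<type>\d+)\) from (?P<iface>\S+?)\."'
)

def parse_flow(lines):
    """Return one record per trace_id for ICMPv6 (proto 58) packets.

    The trace prints the 'received a packet' line twice for packets that
    create a new session, so records are de-duplicated on trace_id.
    """
    seen, packets = set(), []
    for line in lines:
        m = PKT_RE.search(line)
        if not m or m["proto"] != "58" or m["tid"] in seen:
            continue
        seen.add(m["tid"])
        packets.append({
            "trace_id": int(m["tid"]),
            "src": m["src"],
            "dst": m["dst"],
            "type": int(m["type"]),
            "iface": m["iface"],
        })
    return packets

def summarize(packets, tunnel_if):
    """Compare probes sent from the LAN with answers seen on the tunnel."""
    probes = [p for p in packets
              if p["type"] == ECHO_REQUEST and p["iface"] != tunnel_if]
    exceeded = [p for p in packets
                if p["type"] == TIME_EXCEEDED and p["iface"] == tunnel_if]
    replies = [p for p in packets
               if p["type"] == ECHO_REPLY and p["iface"] == tunnel_if]
    # Distinct routers that answered, in the order they first appear.
    hops = list(dict.fromkeys(p["src"] for p in exceeded))
    return {
        "probes": len(probes),
        "time_exceeded": len(exceeded),
        "echo_replies": len(replies),
        "responding_hops": hops,
        # Probes with no answer logged on the tunnel: the ICMPv6 error was
        # either never sent upstream or discarded before the flow trace saw it.
        "unanswered": len(probes) - len(exceeded) - len(replies),
    }

# Constructed sample in the format of the post (2001:db8::/32 is documentation space).
SAMPLE = '''\
2014-05-29 19:07:48 id=13 trace_id=1 msg="vd-root received a packet(proto=58, 2001:db8:1::2200:39480->2001:db8:0:76::2:128) from internal5."
2014-05-29 19:07:48 id=13 trace_id=1 msg="vd-root received a packet(proto=58, 2001:db8:1::2200:39480->2001:db8:0:76::2:128) from internal5."
2014-05-29 19:07:48 id=13 trace_id=1 msg="allocate a new session-0000b861"
2014-05-29 19:07:53 id=13 trace_id=2 msg="vd-root received a packet(proto=58, 2001:db8:1::2200:39480->2001:db8:0:76::2:128) from internal5."
2014-05-29 19:07:53 id=12 trace_id=3 msg="vd-root received a packet(proto=58, fe80::1:0->fe80::2:135) from internal5."
2014-05-29 19:07:58 id=13 trace_id=4 msg="vd-root received a packet(proto=58, 2001:db8:1::2200:39480->2001:db8:0:76::2:128) from internal5."
2014-05-29 19:07:58 id=12 trace_id=5 msg="vd-root received a packet(proto=58, 2001:db8:0:298::1:0->2001:db8:1::2200:3) from HE."
2014-05-29 19:07:58 id=13 trace_id=6 msg="vd-root received a packet(proto=58, 2001:db8:1::2200:39480->2001:db8:0:76::2:128) from internal5."
2014-05-29 19:07:58 id=12 trace_id=7 msg="vd-root received a packet(proto=58, 2001:db8:0:76::2:39480->2001:db8:1::2200:129) from HE."
'''

if __name__ == "__main__":
    report = summarize(parse_flow(SAMPLE.splitlines()), tunnel_if="HE")
    for key, value in report.items():
        print(f"{key}: {value}")
```

If `unanswered` matches the starred hops while `responding_hops` lists only the later routers, the missing Time Exceeded messages never appeared in the flow trace at all, which separates a policy drop (the trace would show the packet and the policy decision) from a loss before the flow engine.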
kablage
New Contributor

Maybe I should add, the above is not my normal firewall rule!

config firewall policy6
    edit 1
        set srcintf "HE"
        set dstintf "internal5"
        set srcaddr "all"
        set dstaddr "n-lan6"
        set action accept
        set schedule "always"
        set service "ALL_ICMP6"
    next
    edit 2
        set srcintf "internal5"
        set dstintf "HE"
        set srcaddr "n-lan6"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
emnoc
Esteemed Contributor III

Instead of doing the traceroute from the IPv6 client, have you tried from the src of the SIT tunnel (IPv6 addr)?

execute tracert6 -n -s <xx.xx.xx.xx.xxx.xx.xx> <target>

The Xs would be your SIT tunnel IPv6 address (the address in the SIT tunnel set ip6 statement). If everything is working except the traceroute, I would not worry; maybe the 1st few hops are not set to respond to your client address.


kablage
New Contributor

execute tracert6 -n -s 2001:470:[SIT-Tunnel, my end]::2 he.net
tracert6: getting ipv6 address for host "he.net" ...
tracert6 to he.net (2001:470:0:76::2), 30 hops max, 40/16 byte payload/paddata
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  2001:470:0:298::1  113.844 ms  113.583 ms  121.958 ms
 7  2001:470:0:270::2  134.304 ms  135.825 ms  134.433 ms
 8  2001:470:0:240::1  146.307 ms  148.324 ms  146.283 ms
 9  2001:470:0:1b4::1  173.413 ms  173.143 ms  173.381 ms
10  2001:470:0:2f::1  178.541 ms  175.424 ms  173.544 ms
11  2001:470:0:76::2  174.126 ms  173.769 ms  173.852 ms

I have been in contact with the HE support and they say that traceroute6 should work.
kablage
New Contributor

Anyone else have any success stories with their HE tunnel?
ZipTX
New Contributor

Same issue here with the 5.2.2 code.   Replicated on a 20C and a 60D.   This problem does not exist if other (non-fortigate) equipment is used for the sit tunnel.  Support is currently researching the issue in their lab.

kablage
New Contributor

ZipTX wrote:

Same issue here with the 5.2.2 code.   Replicated on a 20C and a 60D.   This problem does not exist if other (non-fortigate) equipment is used for the sit tunnel.  Support is currently researching the issue in their lab.

Thank you for the feedback! I was thinking earlier today if I should update...

 

Please post if you hear anything from the support.

emnoc
Esteemed Contributor III

Guys, I don't think there's any problem but would suspect HE is dropping all of these low hlim (TTL in IPv6 lingo). So unless you are at some level or greater, they don't bother to reply.

 

You can do something like this:

(this IPv6 is bound to an IPv6 loopback on my FGT)

execute tracert6 -s 2001:470:24:ccccccc::1  2001:4860:4860::8844 -f 12  -m 99

tracert6 to 2001:4860:4860::8844 (2001:4860:4860::8844), 99 hops max, 40/16 byte payload/paddata
12  * * *
13  * * *
14  * * *
15  2001:4860:4860::8844 (google-public-dns-b.google.com)  486.804 ms  486.361 ms  486.361 ms

The above will complete & fwiw ping6 connectivity is good also.
