I am having issues with the new patch release (go figure) in regards to being able to ping devices over an ipsec tunnel and being able to ping devices behind the Fortigate via CLI. I can ping external destinations like google and etc from CLI. Is anyone else experiencing the same issue? I can ping the interface on the other fortigate when the tunnel is up, but can not ping any devices behind it. I am hesitant to move any of my other boxes forward until I know what exactly is going on.
Is traffic other than ICMP capable of traversing the tunnel? Are you saying that you can ping the remote peer's external or internal interface? Have you run through the diag debug for ike or diag for the flow? Have you tried to grab packet captures from the remote side to ensure traffic is getting through the tunnel?
Perhaps portions of the config as it relates to the problem may be relevant.
I can ping the interface on the other fortigate when the tunnel is up, but can not ping any devices behind it. I am hesitant to move any of my other boxes forward until I know what exactly is going on.
Do you have the correct return routes set up in the routing table for both routers (local subnet on the other side)? Do you have all of the policies allowing pings to traverse the tunnel both ways? Is your phase2 configured for the entire range on the other side or just the Fortigate IPs?
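The checks asked about in the two replies above (routes, policies, phase2 selectors, and the flow/ike debugs), written out as a FortiOS CLI walkthrough. This is an added example, not something posted in the thread; the addresses 10.10.0.0/24 (local LAN), 10.20.0.0/24 (remote LAN), 10.20.0.10 (remote host), 10.10.0.1 (local LAN interface) and the tunnel name "to-branch" are placeholders.

```fortios
# 1. Is there a route for the remote LAN, and does it point at the tunnel?
get router info routing-table all
#    Expect a line for 10.20.0.0/24 whose outgoing interface is the
#    tunnel (interface-based) or whose next hop is the peer (policy-based).

# 2. Is phase2 up, and do its selectors cover both whole LANs?
diagnose vpn tunnel list
#    Look at "proxyid" / "src" and "dst": if they are only the two
#    Fortigate addresses, traffic from the LANs will not match the SA.

# 3. Ping sourced from the LAN side, not from the WAN address.
#    A plain "execute ping" from the CLI is sourced from the egress
#    interface (usually the WAN IP). If the phase2 selector and the
#    policy only cover the LAN subnets, that ping is dropped even
#    though a ping to the peer's own address works.
execute ping-options source 10.10.0.1
execute ping 10.20.0.10

# 4. Trace exactly where the packet goes (policy match, route, drop).
diagnose debug flow filter addr 10.20.0.10
diagnose debug flow filter proto 1
diagnose debug flow show console enable
diagnose debug flow trace start 20
diagnose debug enable
execute ping 10.20.0.10
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
#    "no session matched" / "Denied by forward policy check" means a
#    policy problem; "no route" means the return route is missing.

# 5. Confirm on the wire whether encrypted or decrypted traffic
#    actually leaves/arrives (run on each side).
diagnose sniffer packet any 'host 10.20.0.10 and icmp' 4

# 6. If phase1/phase2 itself is flapping, watch the IKE daemon.
diagnose debug application ike -1
diagnose debug enable
#    ... reproduce, then:
diagnose debug disable
diagnose debug reset
```

The flow trace in step 4 is the quickest way to separate a policy or route problem from a tunnel problem; the sniffer in step 5 shows whether the packet is even reaching the far Fortigate before being forwarded to the host behind it.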
Clearly, his problem didn't exist before he upgraded. Just one more "issue" to be solved in the next upgrade, which will introduce some new "issues" to be solved in the next upgrade, which will...you get the idea.
My vendor is beginning to move away from recommending Fortinet, and this is one of the reasons.
This problem with pinging devices behind a VPN isn't new. It's happened to me as well on previous versions of the firmware and was only resolved later.
I too am getting tired of this and looking to move away from Fortinet hardware.
To add to my comment above, I found moving to interface based ipsec vpn was a night and day improvement in the link's reliability and helped troubleshoot routing issues, as the packets didn't seem to go into a blackhole (policy based ipsec).
I highly recommend, if using policy based ipsec vpn, to spend the time and deploy interface based ipsec vpn before calling foul on Fortinet.
FGT110Cx2 HA A-P - 4.2.11
FGT 80C,60B,50B x 3,FWF50B - 4.2.11
FGT50B - 4.3.3
FGT40C x 2 - 4.3.7