Fortinet Community

kjunker · ‎02-08-2012

I am having issues with the new patch release (go figure) in regards to being able to ping devices over an ipsec tunnel and being able to ping devices behind the Fortigate via CLI. I can ping external destinations like google and etc from CLI. Is anyone else experiencing the same issue? I can ping the interface on the other fortigate when the tunnel is up, but can not ping any devices behind it. I am hesitant to move any of my other boxes forward until I know what exactly is going on.

kaslasma · ‎02-08-2012

kjunker, Is traffic other than ICMP capable of traversing the tunnel? Are you saying that you can ping the remote peer' s external or internal interface? Have you run through the diag debug for ike or diag for the flow? Have you tried to grab packet captures from the remote side to ensure traffic is getting through the tunnel? Perhaps portions of the config as it relates to the problem may be relevant. Thanks,

discoveryit · ‎02-08-2012

I can ping the interface on the other fortigate when the tunnel is up, but can not ping any devices behind it. I am hesitant to move any of my other boxes forward until I know what exactly is going on.

Do you have the correct return routes setup in the routing table for both routers (local subnet on the other side)? do you have all or the policy' s allowing pings to traverse the tunnel both ways? Is your phase2 configured for the entire range on the other side or just the Fortigate IP' s ????

FCNSP

MitchK · ‎03-07-2012

Clearly, his problem didn' t exist before he upgraded. Just one more " issue" to be solved in the next upgrade, which will introduce some new " issues" to be solved in the next upgrade, which will...you get the idea. My vendor is beginning to move away from recommending Fortinet, and this is one of the reasons.

Mitch Fortigate-300A 4.00 (MR3 Patch5) Fortigate-200B 4.00 (MR3 Patch5) Fortigate-50B 4.00 (MR3 Patch6) FortiAnalyzer 100C (MR3 Patch1)

Faheem · ‎06-20-2012

I agree with MitckK Problem with Fortinet is that they upgrade firmware to solve couple of issues BUT that upgraded firmware will raise hundreds of other issues. I cant understand WHY!

TMX1 · ‎06-24-2012

this problem with pinging devices behind a VPN isn' t new. It' s happened to me as well on previous versions of the firmware which were only resolved later. I too am getting tired of this and looking to move away from Fortinet hardware.

RichardH · ‎06-25-2012

Are you using a policy based ipsec vpn?

-Richard FGT110Cx2 HA A-P - 4.2.11 FGT 80C,60B,50B x 3,FWF50B - 4.2.11 FGT50B - 4.3.3 FGT40C x 2 - 4.3.7 FAMS

RichardH · ‎06-25-2012

To add to my comment above, I found moving to interface based ipsec vpn was a night and day improvement on the links reliability and helped troubleshoot routing issues as the packets didn' t seem to go into a blackhole (policy based ipsec). I highly recommend, if using policy based ipsec vpn, to spend the time and deploy interface based ipsec vpn before calling foul on fortinet.

-Richard FGT110Cx2 HA A-P - 4.2.11 FGT 80C,60B,50B x 3,FWF50B - 4.2.11 FGT50B - 4.3.3 FGT40C x 2 - 4.3.7 FAMS

Fortinet Community

4.3.5 Issues???