Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Anatoli
New Contributor III

Created on ‎06-27-2024 07:23 AM

AWS tunnel issue

Hi, I would want to ask a question on the issue that was raised earlier.

I have two wan lines, I have set up both tunnels on WAN1 I'm not sure if his setup is accurate. Should one tunnel be installed in Wan 1 and the other tunnel in Wan 2?

 

Wan AWS.png


Still, I have one of them tunnelled in shut down. The problem is that the client from the SAP server does not reach an AWS server, but the person from the AWS server reaches the SAP server for my client. Any thoughts?

show system interface "TO AWS 2"

config system interface

edit "TO AWS 2"

set vdom "root"

set ip 169.254.85.6 255.255.255.255

set allowaccess ping

set type tunnel

set tcp-mss 1379

set remote-ip 169.254.85.5 255.255.255.252

set snmp-index 69

set interface "wan1"

set mtu-override enable

set mtu 1427

diagnose debug enable

FortiGate1 # diagnose debug flow filter daddr 169.254.85.5

FortiGate1 # diagnose debug flow trace start 1

FortiGate1 # id=65308 trace_id=1 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=1, 169.254.85.6:83->169.254.85.5:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=83, seq=888."

id=65308 trace_id=1 func=resolve_ip_tuple_fast line=5883 msg="Find an existing session, id-03871a2d, original direction"

id=65308 trace_id=1 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface TO AWS 2, tun_id=0.0.0.0"

id=65308 trace_id=1 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel TO AWS 2 vrf 0"

id=65308 trace_id=1 func=esp_output4 line=896 msg="IPsec encrypt/auth"

id=65308 trace_id=1 func=ipsec_output_finish line=629 msg="send to 91.1X.X.X via intf-wan1"

execute ping 169.254.85.5

PING 169.254.85.5 (169.254.85.5): 56 data bytes

64 bytes from 169.254.85.5: icmp_seq=0 ttl=254 time=35.4 ms

64 bytes from 169.254.85.5: icmp_seq=1 ttl=254 time=35.7 ms

 

AWS _01.png

 

Labels:
244
0 Kudos
1 Solution
DPadula
Staff
Staff

Created on ‎06-27-2024 10:50 PM

Hi Anatoli,

You can have both tunnel on the same WAN1 or have each tunnel on each WAN interface.
The question is, what you are trying to achieve?
Is WAN1 and WAN2 both active or WAN2 is just a backup of WAN1 and take over only when wan1 is down?
I

View solution in original post

199
8 REPLIES 8
Anatoli
New Contributor III

Created on ‎06-27-2024 10:43 PM

Hi

anyone can i help me ?

202
0 Kudos
DPadula
Staff
Staff

Created on ‎06-27-2024 10:50 PM

Hi Anatoli,

You can have both tunnel on the same WAN1 or have each tunnel on each WAN interface.
The question is, what you are trying to achieve?
Is WAN1 and WAN2 both active or WAN2 is just a backup of WAN1 and take over only when wan1 is down?
I

200
Anatoli
New Contributor III

Created on ‎06-27-2024 11:28 PM Edited on ‎06-27-2024 11:34 PM

Hi @DPadula  thanks for your reply .

 

  • Wan 2 is  just a backup take over when wan1 is down .

 

  • The goal is to connect my customer's SAP system to an AWS servers.

AWS servers 10.40.6.0 must be reached using the customer's fortigate IP address of 10.0.0.0.

For instance, the customer cannot reach from SAP server 10.0.0.5 to AWS server 10.40.6.119.

From AWS 10.40.6.119 to SAP server 10..0.0.5 it is Pinging

 

aws.png

191
DPadula
Staff
Staff
In response to Anatoli

Created on ‎06-28-2024 10:30 PM

Because you said that traffic from the server 10.40.6.119 can reach 10.0.0.5 we show that tunnels is up and rule from AWS to SAP is correct. You should check and confirm if you do have a rule from SAP to AWS. The sniffer show the traffic arriving from the SAP server via SAP interface, but we don't see a ICMP echo request out on the tunnel interface. Sounds like missing rule or wrong rule configuration. 
You can use diag debug flow trace to confirm that. 

137
Anatoli
New Contributor III
In response to DPadula

Created on ‎07-01-2024 01:01 PM

Yes it is correct from 10.0.0.5 server lan citrix no ping to 10.40.6.119 server aws  . From 10.40.6.119 to 10.0.0.5 ping is ok 

 

I attach you the test

 

FortiGate1 # diagnose debug flow filter saddr 10.0.0.5

FortiGate1 # diagnose debug flow filter daddr 10.40.6.119

FortiGate1 # diagnose debug flow trace start 100

FortiGate1 # diagnose debug enable

FortiGate1 # execute ping-options source 10.0.0.5

FortiGate1 # execute ping 10.40.6.119
id=65308 trace_id=102 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=1, 10.0.0.5:156->10.40.6.119:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=156, seq=0."
id=65308 trace_id=102 func=init_ip_session_common line=5980 msg="allocate a new session-049ff447, tun_id=0.0.0.0"
id=65308 trace_id=102 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface TO AWS 2, tun_id=0.0.0.0"
id=65308 trace_id=102 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel TO AWS 2 vrf 0"
id=65308 trace_id=102 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=102 func=ipsec_output_finish line=629 msg="send to X.X.76.41 via intf-wan1"
id=65308 trace_id=103 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=1, 10.0.0.5:156->10.40.6.119:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=156, seq=1."
id=65308 trace_id=103 func=resolve_ip_tuple_fast line=5883 msg="Find an existing session, id-049ff447, original direction"
id=65308 trace_id=103 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface TO AWS 2, tun_id=0.0.0.0"
id=65308 trace_id=103 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel TO AWS 2 vrf 0"
id=65308 trace_id=103 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=103 func=ipsec_output_finish line=629 msg="send to X.X.76.41 via intf-wan1"
id=65308 trace_id=104 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=1, 10.0.0.5:156->10.40.6.119:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=156, seq=2."
id=65308 trace_id=104 func=resolve_ip_tuple_fast line=5883 msg="Find an existing session, id-049ff447, original direction"
id=65308 trace_id=104 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface TO AWS 2, tun_id=0.0.0.0"
id=65308 trace_id=104 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel TO AWS 2 vrf 0"
id=65308 trace_id=104 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=104 func=ipsec_output_finish line=629 msg="send to X.X.76.41 via intf-wan1"
id=65308 trace_id=105 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=1, 10.0.0.5:156->10.40.6.119:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=156, seq=3."
id=65308 trace_id=105 func=resolve_ip_tuple_fast line=5883 msg="Find an existing session, id-049ff447, original direction"
id=65308 trace_id=105 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface TO AWS 2, tun_id=0.0.0.0"
id=65308 trace_id=105 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel TO AWS 2 vrf 0"
id=65308 trace_id=105 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=105 func=ipsec_output_finish line=629 msg="send to X.X.76.41 via intf-wan1"
id=65308 trace_id=106 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=1, 10.0.0.5:156->10.40.6.119:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=156, seq=4."
id=65308 trace_id=106 func=resolve_ip_tuple_fast line=5883 msg="Find an existing session, id-049ff447, original direction"
id=65308 trace_id=106 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface TO AWS 2, tun_id=0.0.0.0"
id=65308 trace_id=106 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel TO AWS 2 vrf 0"
id=65308 trace_id=106 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=106 func=ipsec_output_finish line=629 msg="send to X.X.76.41 via intf-wan1"
PING 10.40.6.119 (10.40.6.119): 56 data bytes

--- 10.40.6.119 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

33
0 Kudos
DPadula
Staff
Staff
In response to Anatoli

Created on ‎07-01-2024 03:26 PM

Hi Anatoli,

Just a tip, every time that you use the 'diag debug flow' we suggest that you also enable the 'diagnose debug flow show function-name enable'.


Looking into the output collected (id=65308 trace_id=106 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel TO AWS 2 vrf 0"), clearly the traffic is been sent via TO AWS tunnel, proving that your FGT is configured correctly (firewall policies and routing). The issue seems to be on the other side of the tunnel.

The next step is to check the AWS side when the traffic is originating from the SAP client. 

18
0 Kudos
amrit
Staff
Staff

Created on ‎06-30-2024 09:07 AM

you can use these additional steps to verify the traffic 

1. Verify the routing details on fortigate for the IP 10.40.6.119

"get router info routing-table details 10.40.6.119" -- in the output of this command I expect  the outgoing interface as your IPSec tunnel to AWS

If the route is present and is the best route to 10.40.6.119 then

Verify the policy from the incoming interface to the outgoing tunnel interface. 

To verify the incoming interface you can again use "get router info routing-table details 10.0.0.5". Also make sure the policy should have correct source and destination subnets

 

 

Amritpal Singh
84
Anatoli
New Contributor III
In response to amrit

Created on ‎07-01-2024 09:11 AM

Hi @amrit  so thanks for your reply 

I attach  to you the tester

 

Fortigate get.png

 

policy aws1.pngpolicy aws 2.png

54
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.