Anatoli
New Contributor III

AWS tunnel issue

Hi, I would like to ask a question about the issue that was raised earlier.

I have two WAN lines. I have set up both tunnels on WAN1; I'm not sure if this setup is accurate. Should one tunnel be installed on WAN1 and the other tunnel on WAN2?

[Attached image: Wan AWS.png]
Still, I have one of the tunnels shut down. The problem is that the client's SAP server does not reach the AWS server, but from the AWS server they do reach the SAP server for my client. Any thoughts?

show system interface "TO AWS 2"

config system interface
    edit "TO AWS 2"
        set vdom "root"
        set ip 169.254.85.6 255.255.255.255
        set allowaccess ping
        set type tunnel
        set tcp-mss 1379
        set remote-ip 169.254.85.5 255.255.255.252
        set snmp-index 69
        set interface "wan1"
        set mtu-override enable
        set mtu 1427

diagnose debug enable
FortiGate1 # diagnose debug flow filter daddr 169.254.85.5
FortiGate1 # diagnose debug flow trace start 1
FortiGate1 # id=65308 trace_id=1 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=1, 169.254.85.6:83->169.254.85.5:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=83, seq=888."
id=65308 trace_id=1 func=resolve_ip_tuple_fast line=5883 msg="Find an existing session, id-03871a2d, original direction"
id=65308 trace_id=1 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface TO AWS 2, tun_id=0.0.0.0"
id=65308 trace_id=1 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel TO AWS 2 vrf 0"
id=65308 trace_id=1 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=1 func=ipsec_output_finish line=629 msg="send to 91.1X.X.X via intf-wan1"

execute ping 169.254.85.5
PING 169.254.85.5 (169.254.85.5): 56 data bytes
64 bytes from 169.254.85.5: icmp_seq=0 ttl=254 time=35.4 ms
64 bytes from 169.254.85.5: icmp_seq=1 ttl=254 time=35.7 ms

[Attached image: AWS _01.png]

1 Solution
DPadula
Staff
Staff

Hi Anatoli,

You can have both tunnels on the same WAN1, or have each tunnel on its own WAN interface.
The question is, what are you trying to achieve?
Are WAN1 and WAN2 both active, or is WAN2 just a backup of WAN1 that takes over only when WAN1 is down?
I


4 REPLIES
Anatoli
New Contributor III

Hi,

can anyone help me?


Anatoli
New Contributor III

Hi @DPadula, thanks for your reply.

  • WAN2 is just a backup that takes over when WAN1 is down.
  • The goal is to connect my customer's SAP system to AWS servers.

The AWS servers in 10.40.6.0 must be reached using the customer's FortiGate IP address of 10.0.0.0.

For instance, the customer cannot reach AWS server 10.40.6.119 from SAP server 10.0.0.5.

From AWS 10.40.6.119 to SAP server 10.0.0.5 it is pinging.

[Attached image: aws.png]

DPadula

Because you said that traffic from the server 10.40.6.119 can reach 10.0.0.5, that shows the tunnel is up and the rule from AWS to SAP is correct. You should check and confirm that you have a rule from SAP to AWS. The sniffer shows the traffic arriving from the SAP server via the SAP interface, but we don't see an ICMP echo request going out on the tunnel interface. Sounds like a missing rule or a wrong rule configuration.
You can use diag debug flow trace to confirm that.
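As an added illustration of the check DPadula describes (this is example configuration written for this page, not the poster's config and not Fortinet documentation), the FortiOS CLI below adds the SAP-to-AWS route and policy and then traces a packet sourced from the SAP server instead of from the FortiGate itself. Everything not on the page is an assumption: the SAP LAN interface name "internal", the /24 masks on 10.0.0.0 and 10.40.6.0, and the address-object and policy names. The tunnel interface name "TO AWS 2" and the hosts 10.0.0.5 and 10.40.6.119 are taken from the thread.

```fortios
# Added example for this thread (not the poster's configuration).
# Assumed: SAP hosts sit behind interface "internal"; subnets are
# 10.0.0.0/24 and 10.40.6.0/24; tunnel interface "TO AWS 2" as on the page.

# 1. Address objects for both ends (names are assumptions).
config firewall address
    edit "SAP_net"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "AWS_net"
        set subnet 10.40.6.0 255.255.255.0
    next
end

# 2. Send the AWS prefix into the tunnel interface.
config router static
    edit 0
        set dst 10.40.6.0 255.255.255.0
        set device "TO AWS 2"
    next
end

# 3. Forward policy in the SAP -> AWS direction. The AWS -> SAP direction
#    already works (the ping from 10.40.6.119 succeeds), so only this
#    direction is missing. NAT stays off so AWS sees the real 10.0.0.x source.
config firewall policy
    edit 0
        set name "SAP-to-AWS"
        set srcintf "internal"
        set dstintf "TO AWS 2"
        set srcaddr "SAP_net"
        set dstaddr "AWS_net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# 4. Trace a packet that enters from the SAP server. The trace on the page
#    was a ping generated by the FortiGate itself ("from local"), which never
#    passes a forward policy, so it cannot show whether the policy exists.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.0.0.5
diagnose debug flow filter daddr 10.40.6.119
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... now ping 10.40.6.119 from 10.0.0.5 and read the trace output ...
diagnose debug disable
diagnose debug flow trace stop
```

With the filter set on the SAP source address, the trace for a healthy path should show the packet received on the SAP interface, a forward-policy line naming the policy that allowed it, and then the same ipsecdev_hard_start_xmit / esp_output4 lines that appear in the poster's local ping. If the trace instead stops at a policy deny, or never reaches the tunnel interface, the forward policy or the route for 10.40.6.0 is what needs fixing, which is the gap DPadula is pointing at.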
