Support Forum
SAMALY1
New Contributor II

Assistance Needed: Routing Issue with FortiGate Firewall in ESXi Environment

Dear Team,


I am reaching out to seek assistance regarding a routing issue I am experiencing in our network environment.

Currently, we have a setup where a bare-metal machine at Site A is directly connected to a static LAN, with traffic being routed through a firewall port to Site B via a point-to-point (P2P) connection established using an IPsec tunnel.

All VPN users connect to Site A using an IPsec VPN and send traffic to the IP address of Site A, which is 10.10.10.10. This traffic is then forwarded to Site B. Conversely, traffic from Site B is routed back to Site A in the same manner.

However, we recently migrated our infrastructure to an ESXi host environment. In this setup, the ESXi host has one physical LAN card connected to the firewall port. Virtual machines on the ESXi host are linked to this particular card, with the IP address 10.10.10.10 assigned to both the ESXi host's physical card and the virtual machine.

While traffic flow between Site A and Site B is functioning correctly, we have encountered an issue where VPN users connected to Site A are unable to access any web services or receive traffic from Site A.

After conducting preliminary investigations, we suspect that this issue may be related to either a policy update issue or a static routing issue within our FortiGate firewall.

Here are some key details regarding our setup:

  • ESXi Host Local IP: 10.10.1.81

I would greatly appreciate your guidance on how to resolve this routing issue. Specifically, I would like assistance in reviewing and updating firewall policies, as well as ensuring that static routing is configured correctly.


Any insights or recommendations you can provide to help us troubleshoot and resolve this issue would be highly appreciated.

Thank you for your attention to this matter.

Please let us know if you require any additional information from our end.

Best regards,

SAM

8 REPLIES
AEK
SuperUser

Hi @SAMALY1 

Here are some points to check:

  • Check if your VMs can ping the gateway which is on the FortiGate
  • Check if the default gateway is correctly configured on your VMs
  • Check if your IPsec phase2 selectors include the source and destination subnets on both FortiGates
  • Check if your firewall policies on both FortiGates allow the right source subnets to reach the right destination subnets, through the right interfaces
AEK
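As an added worked example (not part of AEK's reply), here is how those four checks map onto FortiGate CLI commands run on the Site A firewall; 10.10.10.10 is the Site A server address from the thread, while `port3` is an assumed placeholder for the LAN port facing the ESXi host.

```fortios
# Added example, not from the original post. Run on the Site A FortiGate CLI.
# 10.10.10.10 is the Site A server address from the thread; port3 is an assumed
# placeholder for the LAN port facing the ESXi host.

# 1. Does the FortiGate see ONE MAC address behind 10.10.10.10? If the VMkernel
#    and the VM both claim the address, the MAC in this entry alternates between
#    the two hosts each time one of them answers an ARP request.
get system arp | grep 10.10.10.10
diagnose ip arp list | grep 10.10.10.10

# 2. Is there a route toward Site B and toward the VPN user address pool,
#    and does the route for 10.10.10.10 point at the expected port?
get router info routing-table all

# 3. Are the IPsec tunnels up, and do the phase 2 selectors (shown per tunnel
#    as src/dst proxy IDs) cover the subnets on both sides?
diagnose vpn ike gateway list
diagnose vpn tunnel list

# 4. Watch VPN user traffic toward the server on the wire (verbosity 4 shows the
#    interface, 20 packets): requests leaving on port3 with no replies coming
#    back means the host answering the IP is not the one you expect.
diagnose sniffer packet any 'host 10.10.10.10' 4 20

# 5. Trace which policy and route the firewall picks for these packets.
diagnose debug flow filter addr 10.10.10.10
diagnose debug enable
diagnose debug flow trace start 10
# generate traffic from a VPN client here, then stop and clear the debug
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset
```

The debug flow output names the matched policy ID and the egress interface, so a "no matching policy" or "reverse path check fail" line points at the policy or routing side, while a stable route plus an alternating ARP entry points at the host side.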
SAMALY1
New Contributor II

  • Check whether your VMs can successfully ping the gateway located on the FortiGate. (Answer) Ping mode is off (Site A can easily access Site B services). No issues.
  • Verify if the default gateway is correctly configured on your VMs. (Answer) (Site A can easily access Site B services.) ESXi host VMkernel static IP is the same as the VM static IP (10.10.10.10).
  • Ensure that your IPsec phase 2 selectors include the source and destination subnets on both FortiGates. (Answer) On physical machines, no issues; everything works fine.
  • Confirm if your firewall policies on both FortiGates allow the appropriate source subnets to reach the correct destination subnets through the proper interfaces. (Answer) On physical machines, no issues; everything works fine.
  • My interpretation is that the ESXi host is not allowing VPN user traffic to bypass to the virtual machine due to identical IP addresses (VMkernel IP is 10.10.10.10; VM adapter static IP is 10.10.10.10). Additionally, when VPN users access 10.10.10.10, they are showing a hit count on IP 10.10.1.81, the ESXi host local IP, which is allowed in the policy. However, despite this allowance, VPN users are unable to access anything from their side.

    If the VMkernel IP is changed to 10.10.10.11, then Site A and Site B face an issue in communication (link not stable).


SAMALY1
New Contributor II

(attached image: Baremetal.png)

AEK

If I understand well, you have an IP conflict, right? (10.10.10.10 for both VMkernel and VM adapter)

If so then you can expect such behavior.

AEK
SAMALY1
New Contributor II

I tried changing the IP of the VMkernel and VM adapter (not that much difference).


SAMALY1
New Contributor II

no bytes received


SAMALY1
New Contributor II

(attached image: Capture.PNG)


SAMALY1
New Contributor II

VMkernel and VM adapter IPs changed. Now, after a few seconds, the Site A server easily accesses Site B services, but after a few seconds it stops working, then again it starts working.
