Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Can not ping from Fortigate site to Sophos site in...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can not ping from Fortigate site to Sophos site in IPSec
Hi all, I've followed a guideline of Sophos to configure IPSec between Fortigate and Sophos, everything working well: the VPN is up, the user from Sophos site can ping the IP of Fortigate site, but the user of Fortigate site can not ping IP of Sophos site. the longest way I can do is to tracert to the local IP of Sophos site and reached the default gateway and done, nothing else. I've tried many ways: disable Windows firewall, checking the Sophos policies...and deep dive into google and I recognize there are some people who got the same problem with me and they can fix it in some way but no one posted the solution => I have no clue. can please help me where I was wrong? Thanks a lot. 
Solved! Go to Solution.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think when I can reach to the default gateway of the remote site, it means the tunnel between me (fortigate) and remote site (sophos) is clear go to, the problem is why the remote site does not reply my ICMP?
Did you do any of the testings suggestions provided earlier? Without some basic diagnostics, your guessing. All of the diagnostics is a 1-2-3 steps and confirms vrs "thinking" which is really guessing, imho
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The cmd "diag debug flow" should be used here. This does a few items
[ul]
[ul]
[ul]
Since this, a route-base make sure a rote to the destination exist and VN-SL interface.
e.g
config route static
edit 0
set dst . x.x.x.x/xx ( remote-network)
set dev VN-SL
end
Likewise make sure the SophosUTM knows how to route back. Also you can confirm packets by dumping on the VN-SL interface
And finally, do you have ipsec-PH1/PH2 establishment?
e.g /* cli FortiOS
diag vpn ike gateway
diag vpn tunnel list
e.g /* cli
diag sniffer packet VN-SL "icmp"
Give that a try.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:The cmd "diag debug flow" should be used here. This does a few items
[ul]
ensure your policy is match or shows what was match ( policy-ordering is crucial and when other policy are in play and ) [/ul] [ul]
shows the encrypt action[/ul] [ul]
shows routing or lack of[/ul]
Since this, a route-base make sure a rote to the destination exist and VN-SL interface.
e.g
config route static
edit 0
set dst . x.x.x.x/xx ( remote-network)
set dev VN-SL
end
Likewise make sure the SophosUTM knows how to route back. Also you can confirm packets by dumping on the VN-SL interface
And finally, do you have ipsec-PH1/PH2 establishment?
e.g /* cli FortiOS
diag vpn ike gateway
diag vpn tunnel list
e.g /* cli
diag sniffer packet VN-SL "icmp"
Give that a try.
Ken Felix
thanks you for your reply
i think when I can reach to the default gateway of the remote site, it means the tunnel between me (fortigate) and remote site (sophos) is clear go to, the problem is why the remote site does not reply my ICMP?
is there Sophos configuration problem, or Fortigate ?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is better Salesforce Platform or Sophos? Different firms demand different types of IT Management Software. To understand well which service fits your needs, think about reviewing various alternatives feature by feature along with their terms and prices. Similarly, you may get a quick idea of their general performance and customer feedback by checking our smart scoring system.
The results are: Salesforce Platform (9.3) vs. Sophos (8.8) for total quality and usefulness; Salesforce Platform (98%) vs. Sophos (97%) for user satisfaction rating. Analyze their high and weaker points and see which software is a better option for your company. A simple, practical way is to note down the strengths and weaknesses of both solutions side by side and find out which app is better.
Right now, the leading services in our Application Development Software category are: Docker, Salesforce Platform, BitBucket.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think when I can reach to the default gateway of the remote site, it means the tunnel between me (fortigate) and remote site (sophos) is clear go to, the problem is why the remote site does not reply my ICMP?
Did you do any of the testings suggestions provided earlier? Without some basic diagnostics, your guessing. All of the diagnostics is a 1-2-3 steps and confirms vrs "thinking" which is really guessing, imho
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks to all, i finally found the issue and solution.
the configuration of the Fortigate site is correct, nothing needs to change. the issue is Fortigate does not respond to the subnet of the remote site when connecting with Sophos => so from Sophos site must config the VNP as a host-to-host.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem now, i only can ping the Remote Sophos Gateway only .
i tried to change Sophos Connection Type to Host-Host but the connection is down now. is there any thing to change from FortiGate after changing the Sophos connection type?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With the commands exe ping-options source you select the interface on the fortigate where VPN tunnel shows in and then with exe ping and the gateway from the Sophos you should then see traffic whether the gateway on the shopos is reachable
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate VM IPSEC ISSUE 174 Views
- fortigate cisco routerdd 129 Views
- Problem with VPN autoconnect 155 Views
- Ask - Use Fortigate - Web... 186 Views
- Site to Site IPSEC between to... 153 Views
Labels
-
FortiGate
8,559 -
FortiClient
1,729 -
5.2
801 -
FortiManager
719 -
5.4
639 -
FortiAnalyzer
549 -
FortiSwitch
467 -
FortiAP
462 -
FortiClient EMS
417 -
6.0
416 -
5.6
362 -
FortiMail
313 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
229 -
FortiWeb
203 -
IPsec
197 -
5.0
196 -
FortiNAC
183 -
FortiGuard
137 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
101 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
88 -
Customer Service
79 -
Wireless Controller
76 -
Firewall policy
75 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
49 -
ZTNA
47 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
43 -
FortiDNS
42 -
DNS
42 -
BGP
40 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
34 -
Authentication
33 -
NAT
33 -
RADIUS
31 -
SSO
31 -
Interface
31 -
FortiConnect
28 -
FortiLink
28 -
FortiWAN
27 -
VDOM
26 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
FortiPAM
22 -
Virtual IP
22 -
SSL SSH inspection
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
Intrusion prevention
9 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiGate-VM
2 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1669 | |
| 1082 | |
| 752 | |
| 446 | |
| 225 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.