Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
barisben
New Contributor

Created on ‎12-03-2024 12:13 AM

Can't Access to the DR Site FW over VXLAN

Hey, we have VXLAN between DC and DR sites. We can access through the same subnet, so we can ping or access to the GUI. On the different subnets we can't access to the DR site FW with the HTTPs,PING or something but we can access to the DC site FW GUI or can ping it.

For example; We have 10.10.10.0/24 and 10.10.20.0/24 subnets. .1 is the VRIPs, .2 is the DC site FW, .3 is the DR site FW IPs. I can't access 10.10.20.3 from the 10.10.10.0/24 subnet but can access to the 10.10.20.2. When I try to ping and sniff from DR site FW it only gets icmp-requests but doesn't send reply packets. MTU sizes the same on both site. How could we solve that?

Labels:
404
0 Kudos
5 REPLIES 5
sjoshi
Staff
Staff

Created on ‎12-03-2024 02:43 AM

Hi barisben.

 

Can you please share the pcap on both nodes

diag sniff packet any 'host x.x.x.x and icmp' 4 0 l >> where x.x.x.x is the dst srv ip

Let us know if this helps.
Salon Raj Joshi
381
0 Kudos
barisben
New Contributor

Created on ‎12-03-2024 11:22 PM

On DC site FW;

2024-12-04 10:20:02.413843 NETWORK-MAN out 10.10.20.15 -> 10.10.10.3: icmp: echo request
2024-12-04 10:20:02.413848 NETWORK-MANvx out 10.10.20.15 -> 10.10.10.3: icmp: echo request
2024-12-04 10:20:03.413874 NETWORK-MAN out 10.10.20.15 -> 10.10.10.3: icmp: echo request
2024-12-04 10:20:03.413876 NETWORK-MANvx out 10.10.20.15 -> 10.10.10.3: icmp: echo request

 

On DR site FW;

2024-12-04 10:20:02.432951 NETWORK-MANvx in 10.10.20.15 -> 10.10.10.2: icmp: echo request
2024-12-04 10:20:02.432953 NETWORK-MAN in 10.10.20.15 -> 10.10.10.2: icmp: echo request
2024-12-04 10:20:03.433021 NETWORK-MANvx in 10.10.20.15 -> 10.10.10.2: icmp: echo request
2024-12-04 10:20:03.433023 NETWORK-MAN in 10.10.20.15 -> 10.10.10.2: icmp: echo request
337
0 Kudos
sjoshi
Staff
Staff
In response to barisben

Created on ‎12-03-2024 11:56 PM

I can see the traffic is reaching the DR site but not going out or not seeing the response back.

 

Run the debug flow

https://docs.fortinet.com/document/fortigate/7.6.0/administration-guide/54688/debugging-the-packet-f...

Let us know if this helps.
Salon Raj Joshi
328
0 Kudos
barisben
New Contributor
In response to sjoshi

Created on ‎12-04-2024 06:23 AM

DR site FW says "msg="reverse path check fail, drop"". So what can I do? Both sites have same subnets, what should I add to static route?

310
0 Kudos
barisben
New Contributor

Created on ‎12-03-2024 11:29 PM

On DC site FW;

2024-12-04 10:28:02.674223 NETWORK-MAN out 10.10.20.15 -> 10.10.10.3: icmp: echo request
2024-12-04 10:28:02.674225 NETWORK-MANvx out 10.10.20.15 -> 10.10.10.3: icmp: echo request

On DR site FW;

2024-12-04 10:28:02.696622 NETWORK-MANvx in 10.10.20.15 -> 10.10.10.3: icmp: echo request
2024-12-04 10:28:02.696623 NETWORK-MAN in 10.10.20.15 -> 10.10.10.3: icmp: echo request

341
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.