Hi,
I have configured two IPsec tunnels between Fortigate_A and Fortigate_B with static routing and then added them to the SD-WAN zone on both sides. I created IPv4 allow rules to allow LAN-to-LAN traffic, and this is not working: I mean the tunnels are up and established, but I cannot ping from LAN to LAN. So I addressed the IPsec interfaces; now the strange thing is that I can ping from Fortigate_B to Fortigate_A's IPsec address but not in the opposite direction. Pings are allowed on the IPsec interfaces. How do I troubleshoot this?
What are your SD-WAN policies on central FW that point to branch?
Why do you only have one VPN tunnel to branch out port 24 and not one out port 23?
Here are all my SD-WAN rules, from top to bottom:
1. FortiGuard out wan1
2. two financial sites out wan1
3. one internal server out wan1
4. inactive
5. local LANs to branch LAN out w1-branch-h1 (doesn't have any hit count)
6. all internet goes out to wan2 (port23)
No, I have w1-branch-w1 (meaning local wan1, remote wan1) on port 24
and w2-branch-w1 (meaning local wan2, remote wan1) on port 23
OK and what do you have at the branch? Do you have two IPSEC tunnels pointing to both port 24 and 23?
Created on 11-27-2022 09:41 AM Edited on 11-27-2022 09:37 PM
The branch has only one WAN, so:
but yes, during creation of the phase-1 interface w1-centrala-w1 I pointed to wan24 (wan1 IP), and for the tunnel w1-centrala-w2 I pointed to port23 (wan2 IP)
Could anyone from Fortinet Staff help me with this issue? My problem is not resolved.
Just so you know, everyone is trying to help you. We are doing our best. This is a community forum; there are no SLAs. If you need immediate or urgent assistance, TAC would serve you best.
With that said, can you please show the output of the following from the respective Fortigates:
show system interface w1-branch-w1
show system interface w1-centrala-w1
show system interface w1-centrala-w2
Thank you all for the help; my problem was resolved today with TAC.
In short, I had a performance SLA configured for "All SD-WAN members", and therefore the IPsec tunnels were also in it; this performance SLA checked Google servers, so the IPsec tunnels were marked down, and because of that I had no hits in the SD-WAN rules regarding this IPsec traffic.
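A FortiOS CLI sketch of the failure mode described above and its fix, added here as an illustration and not taken from the thread or from Fortinet documentation: a single health check on all members (members 0) probes a public server through tunnels that have no route to it, so the tunnel members fail SLA and the branch rule never matches. Member indices, the zone name "vpn", the remote tunnel address 10.255.0.2 and the second tunnel name are assumed for the example.

```fortios
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "vpn"
        next
    end
    config members
        edit 1
            set interface "wan1"
            set zone "virtual-wan-link"
        next
        edit 2
            set interface "port23"
            set zone "virtual-wan-link"
        next
        edit 3
            set interface "w1-branch-w1"
            set zone "vpn"
        next
        edit 4
            set interface "w2-branch-w1"   # assumed name of the second tunnel
            set zone "vpn"
        next
    end
    config health-check
        # Weak setting: one probe over every member, including the tunnels.
        # The tunnels cannot reach 8.8.8.8, so members 3 and 4 are marked dead
        # and the LAN-to-branch rule that uses the "vpn" zone gets no hits.
        edit "Internet"
            set server "8.8.8.8"
            set members 0
        next
    end
end

config system sdwan
    config health-check
        # Corrected: restrict the Internet probe to the WAN members only ...
        edit "Internet"
            set members 1 2
        next
        # ... and probe the tunnels against an address that is reachable
        # inside them (assumed: the remote tunnel interface IP).
        edit "VPN"
            set server "10.255.0.2"
            set members 3 4
        next
    end
end
```

On FortiOS 7.x, "diagnose sys sdwan health-check" and "diagnose sys sdwan service" show whether a member is failing SLA and which rule traffic is matching.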
Copyright 2024 Fortinet, Inc. All Rights Reserved.