Tutek

Cannot ping from lan to lan with ipsec sd-wan

Hi,

I have configured two IPsec tunnels between Fortigate_A and Fortigate_B with static routing and then added them to an SD-WAN zone on both sides. I created IPv4 allow rules for LAN-to-LAN traffic, but this is not working: the tunnels are up and established, but I cannot ping from LAN to LAN. So I addressed the IPsec interfaces, and now, strangely, I can ping from Fortigate_B to Fortigate_A's IPsec address but not in the opposite direction. Pings are allowed on the IPsec interfaces. How do I troubleshoot this?

1 Solution
Tutek

Thank you all for a help, my problem was today resolved with TAC

In short, I had a performance SLA configured for "All SD-WAN members", so the IPsec tunnels were included in it. This performance SLA checked Google servers, so the IPsec tunnels were marked down, and because of that I had no hits in the SD-WAN rules for this IPsec traffic.

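The misconfiguration described in the accepted solution, shown as an added example that is not from the original thread: a FortiOS 7.x SD-WAN fragment with the weak health check (all members probing a public Internet host, which marks the IPsec members dead) beside the corrected split into one Internet probe for the WAN ports and one VPN probe for the tunnel members. Interface names follow the thread (port24 = wan1, port23 = wan2, tunnels w1-branch-w1 and w2-branch-w1 on the central FortiGate); the member sequence numbers, the zone name "vpn", the probe target 8.8.8.8 and the remote tunnel address 10.255.1.2 are assumptions. The lines starting with "#" are explanatory annotations, not CLI syntax.

```text
# --- BEFORE (assumed reconstruction of the problem): one health check for all members ---
config system sdwan
    config health-check
        edit "Internet"
            set server "8.8.8.8"
            # members 0 = "All SD-WAN Members" in the GUI. The IPsec tunnels have no
            # route to 8.8.8.8, so every probe over them fails, the tunnel members are
            # marked dead, and the LAN-to-branch-LAN rule over w1-branch-w1 never matches.
            set members 0
        next
    end
end

# --- AFTER: probe each member group against something reachable through it ---
config system sdwan
    set status enable
    config zone
        edit "virtual-wan-link"
        next
        edit "vpn"
        next
    end
    config members
        edit 1
            set interface "port24"            # wan1
            set zone "virtual-wan-link"
        next
        edit 2
            set interface "port23"            # wan2
            set zone "virtual-wan-link"
        next
        edit 3
            set interface "w1-branch-w1"      # IPsec, local wan1 -> branch wan1
            set zone "vpn"
        next
        edit 4
            set interface "w2-branch-w1"      # IPsec, local wan2 -> branch wan1
            set zone "vpn"
        next
    end
    config health-check
        edit "Internet"
            set server "8.8.8.8"
            set members 1 2                   # WAN ports only
        next
        edit "VPN"
            # Remote end's tunnel interface address (assumed); reachable only via the tunnels
            set server "10.255.1.2"
            set members 3 4
        next
    end
end
```

After the change, `diagnose sys sdwan health-check` (FortiOS 6.4 and later) should list the "VPN" check with state alive on members 3 and 4, and `diagnose sys sdwan service` should show the LAN-to-branch rule with a live member selected and its hit counter increasing once traffic flows.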

gfleming

What are your SD-WAN policies on central FW that point to branch?

Why do you only have one VPN tunnel to branch out port 24 and not one out port 23? 

Cheers,
Graham
Tutek

Here are all my SD-WAN rules, from top to bottom:

1. FortiGuard out wan1
2. Two financial sites out wan1
3. One internal server out wan1
4. Inactive
5. Local LANs to branch LAN out w1-branch-w1 (no hit count at all)
6. All Internet traffic out wan2 (port23)

Tutek

No, I have w1-branch-w1 (meaning local wan1, remote wan1) on port 24,

and w2-branch-w1 (meaning local wan2, remote wan1) on port 23.

gfleming

OK, and what do you have at the branch? Do you have two IPsec tunnels pointing to both port 24 and port 23?

Cheers,
Graham
Tutek

The branch has only one WAN, so:

But yes, when creating the phase-1 interface w1-centrala-w1 I pointed it to port 24 (wan1 IP), and for tunnel w1-centrala-w2 I pointed to port 23 (wan2 IP).


Tutek

Could anyone from Fortinet Staff help me with this issue? My problem is not resolved.

grrrrraham

Just so you know, everyone is trying to help you. We are doing our best. This is a community forum; there are no SLAs. If you need immediate or urgent assistance, TAC would serve you best.

With that said, can you please show output of the following from the respective Fortigates:

show system interface w1-branch-w1

show system interface w1-centrala-w1

show system interface w1-centrala-w2