Cannot ping from LAN to LAN with IPsec SD-WAN
Hi,
I have configured two IPsec tunnels between Fortigate_A and Fortigate_B with static routing and then added them to an SD-WAN zone on both sides. I created IPv4 allow rules to permit LAN-to-LAN traffic, but this is not working; I mean the tunnels are up and established, but I cannot ping from LAN to LAN. So I assigned addresses to the IPsec interfaces, and now, strangely, I can ping from Fortigate_B to Fortigate_A's IPsec address but not in the opposite direction. Pings are allowed on the IPsec interfaces. How do I troubleshoot this?
Solved!
Labels: FortiGate

Thank you all for your help; my problem was resolved today with TAC.
In short, I had a performance SLA configured for "All SD-WAN members", so the IPsec tunnels were included in it. This performance SLA checked Google servers, so the IPsec tunnels were down, and because of that I had no hits in the SD-WAN rules for this IPsec traffic.
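The misconfiguration described in this solution, written out as an added example (this is not from the original post and not Fortinet's own documentation): a FortiOS 7.x SD-WAN fragment with the performance SLA applied to all members, beside the corrected form that probes the Internet only over the WAN members and probes the tunnels against the peer's tunnel address. The tunnel interface names are the thread's; the member sequence numbers, gateways, health-check names, the probe target 8.8.8.8, the remote tunnel IP 10.255.0.2 and the address objects are assumptions.

```fortios
# Added example, not from the original thread. FortiOS 7.x CLI syntax.
# Member numbers, gateways, health-check names, 8.8.8.8, 10.255.0.2 and
# the address objects are assumed values.

# --- Before: one performance SLA applied to "All SD-WAN Members" ---
config system sdwan
    set status enable
    config members
        edit 1
            set interface "wan1"
            set gateway 203.0.113.1        # assumed
        next
        edit 2
            set interface "wan2"
            set gateway 198.51.100.1       # assumed
        next
        edit 3
            set interface "w1-branch-w1"   # IPsec tunnel, no gateway needed
        next
        edit 4
            set interface "w2-branch-w1"   # IPsec tunnel
        next
    end
    config health-check
        edit "Google-DNS"
            set server "8.8.8.8"
            set members 0                  # 0 = all members, tunnels included
        next
    end
end
# Effect: 8.8.8.8 is not reachable through the IPsec tunnels, so members 3
# and 4 fail the check and are marked dead. A service rule whose only members
# are dead never matches, so it shows zero hits and the traffic falls through
# to later rules or the routing table.

# --- After: Internet SLA on the WAN members only, separate SLA for the tunnels ---
config system sdwan
    config health-check
        edit "Google-DNS"
            set server "8.8.8.8"
            set members 1 2                # WAN links only
        next
        edit "Branch-Tunnel"
            set server "10.255.0.2"        # assumed: peer's IPsec interface IP
            set members 3 4                # tunnel members only
        next
    end
    config service
        edit 5
            set name "LAN-to-Branch"
            set mode manual
            set src "Local-LANs"           # assumed address object
            set dst "Branch-LAN"           # assumed address object
            set priority-members 3 4       # dead members are skipped
        next
    end
end

# Verification after the change (FortiOS 7.x; 6.4 uses "diagnose sys virtual-wan-link"):
diagnose sys sdwan health-check   # per-member alive/dead state, latency, packet loss
diagnose sys sdwan member         # member list with gateway and status
diagnose sys sdwan service        # each rule with the members it can currently use
```

The tunnel health check only works if the peer's IPsec interface has an address and accepts ping, which the original poster had already set up. Apply the same split on the other FortiGate: if Fortigate_B also probes a public server over its tunnel members, its side of the rule goes dead in the same way.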
What are your SD-WAN policies on the central FW that point to the branch?
Why do you only have one VPN tunnel to the branch out port 24 and not one out port 23?
Graham
Here are all my SD-WAN rules, from top to bottom:
1. FortiGuard out wan1
2. Two financial sites out wan1
3. One internal server out wan1
4. Inactive
5. Local LANs to branch LAN out w1-branch-w1 (no hit count)
6. All Internet out wan2 (port23)
No, I have w1-branch-w1 (meaning local wan1, remote wan1) on port 24
and w2-branch-w1 (meaning local wan2, remote wan1) on port 23.
OK, and what do you have at the branch? Do you have two IPsec tunnels pointing to both port 24 and port 23?
Graham
Created on ‎11-27-2022 09:41 AM Edited on ‎11-27-2022 09:37 PM
The branch has only one WAN, so:
but yes, when creating the phase-1 interface w1-centrala-w1 I pointed it at port24 (wan1 IP), and for the tunnel w1-centrala-w2 I pointed it at port23 (wan2 IP).
Could anyone from Fortinet staff help me with this issue? My problem is not resolved.
Just so you know, everyone is trying to help you. We are doing our best. This is a community forum; there are no SLAs. If you need immediate or urgent assistance, TAC would serve you best.
With that said, can you please show the output of the following from the respective FortiGates:
show system interface w1-branch-w1
show system interface w1-centrala-w1
show system interface w1-centrala-w2