Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek
Contributor

Cannot ping from lan to lan with ipsec sd-wan

Hi,

I have configured two ipsec tunnels between Fortigate_A and Fortigate_B with static routing and then added to sd-wan zone on both sides. I created ipv4 allow rules to allow lan to lan traffic, and this is not working, I mean tunnels are up established but cannot ping from lan to lan. So I addressed Ipsec interfaces, now the strange I can ping from Fortigate_B to Fortigate_A ipsec address but not in opposite. Ping are allowed on ipsec interfaces. How to troubleshoot this?

1 Solution
Tutek

Thank you all for a help, my problem was today resolved with TAC

in short I had performance sla configured for "All sdwan members" and therefore ipsec tunnels were also there, this performance sla checked google servers - so ipsec tunnels were down, and because of that I had no any hits in sd-wan rules regarding this ipsec traffic.

View solution in original post

27 REPLIES 27
msolanki
Staff
Staff

Hi Tutek,

Its look like routing issue .You need to check if you have configured the static route towards tunnel interface correctly. Also check route table to destination IP to get to know the routes are learning or not.

please follow below KB and verify your config  

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-VPN-Site-to-Site-between/...

 

If you sniff the IP then it will help to see the traffic leaving from one site and if its reaching other side or not .

 

Thanks 

Madhav

 

 

Tutek
Contributor

when I do ping from lan pc on Fortigate_A then I see that this is going to internet:

 

 

 

FGT # diag sniffer packet any 'host 10.17.x.x' 1
interfaces=[any]
filters=[host 10.17.x.x]
1.279258 10.x.x.x. -> 10.17.x.x: icmp: echo request
1.279297 205.x.x.x -> 10.17.x.x: icmp: echo request
2.292788 10.x.x.x. -> 10.17.x.x: icmp: echo request
2.292824 205.x.x.x -> 10.17.x.x: icmp: echo request

 

 

 

But in static routes I have created rule for network 10.17.x.x with gateway sd-wan zone (two ipsec tunnels)

Tutek

ok I made small progress:
-ping from fortigate_A console to remote lan without ping-options - > failed
in this option I see that echo request coming from default mgmt interface that I do not use:
37.105667 Branch out 192.168.1.99 -> 10.17.X.X: icmp: echo request
-ping from fortigate_A console to remote lan with source as lan gateway IP --> success
-ping from pc lan Fortigate_A to remote lan - > failed
in this situation in sniffer I see to echo request is going to internet:
6.617890 port23 out 205.x.x.x -> 10.17.x.x icmp: echo request
gfleming

Ping from Fortigate will not rely on FW Policy or SD-WAN rules. Ping from PC behind FGT will rely on FW Policy and SD-WAN rules. Please check your FW Policy allowing the traffic and please check SD-WAN rules/routing for PC traffic.

 

Cheers,
Graham
Tutek
Contributor

this is not ipv4 polic problem but routing, when I ping from pc remote lan then I get on Windows CMD console "Destination net unreachable." because these echo request are going to internet:

 

 

 

 

 

GT # diagnose sniffer packet any "host 10.17.x.x" 4
interfaces=[any]
filters=[host 10.17.x.x]
5.041522 vlan10 in 10.10.x.x -> 10.17.x.x: icmp: echo request
5.041640 port23 out 205.x.x.x -> 10.17.x.x: icmp: echo request
5.044369 port23 in 10.17.x.x -> 205.x.x.x: icmp: echo reply

 

 

 

 

 

but my static routing to remote lan is configured:

 

 

edit 13

set dst 10.17.x.x 255.255.240.0

set device "W1-Branch-W1"

next

edit 18

set dst 10.17.x.x 255.255.240.0

set device "W2-Branch-W1"

next

 

 

 

 

FGT # get router info routing-table all
.
.
.
S 10.17.x.x/20 [10/0] is directly connected, W1-Branch-W1
[10/0] is directly connected, W2-Branch-W1

 

 

Responsible sd-wan rule for this traffic is at the top, but even don't get any hit counts (Fortigate do not use this sd-wan rule but force this traffic to internet)

Tutek_1-1669407168076.png

 

 

gfleming
Staff
Staff

Can you please show what the destination address object/IP subnet is for the SD-WAN rule #8 is?

Please also confirm actual IP address of remote PC and actual desitnation subnet in static route entry.

Please also show output of "show vpn ipsec phase1-interface W1-Branch-W1"

 

And lastly try the following and then ping the remote LAN and copy the output:

 

diag debug ena
diag debug flow filter daddr 10.17.x.x (Actual IP of remote LAN)
diag debug flow filter saddr 10.10.X.X (actual IP of PC on this side)
diag debug flow filter proto 1
diag debug flow trace start 5
Cheers,
Graham
Tutek
Contributor

Thanks gfleming I'm appreciate your help I'm stuck with this config, the same situation is on brach (it push traffic destined to ipsec tunnels to internet), now responding:

1.

FGT (sdwan) # config service

FGT (service) # show
config service
edit 8
set name "to_branch"
set dst "branch_subnet" (10.17.x.x/20 - all summarized subnet)
set src "all"
set priority-members 3 4 (these are ipsec tunnels w1-branch-w1, w2-branch-w1)
next

 

2.I have couple subnets on branch, lan with pc is with 10.17.2.x /24

Static route have for sure as destination two ipsec virtual interfaces:

Tutek_0-1669449478256.png

as you can see I have other ipsec tunnels that are working but they are not in sd-wan, and they are configured in tunnel mode, so I have network configure in phase-2 selectors. These two ipsec that are member of sd-wan are in interface ipsec mode with zeroes in selectors.

3. ipsec phase-1 output:

 

 

FGT (W1-Branch-W1) # get
name                : W1-Branch-W1
type                : static 
interface           : port24 
ip-version          : 4 
ike-version         : 2 
local-gw            : 0.0.0.0
keylife             : 86400
authmethod          : psk 
authmethod-remote   : 
peertype            : any 
net-device          : disable 
passive-mode        : disable 
exchange-interface-ip: disable 
aggregate-member    : disable 
mode-cfg            : disable 
proposal            : aes256-sha256 
localid             : 
localid-type        : auto 
auto-negotiate      : enable 
negotiate-timeout   : 30
fragmentation       : enable 
ip-fragmentation    : post-encapsulation 
dpd                 : on-idle 
forticlient-enforcement: disable 
comments            : 
npu-offload         : enable 
dhgrp               : 19 
suite-b             : disable 
eap                 : disable 
ppk                 : disable 
wizard-type         : custom 
reauth              : disable 
idle-timeout        : disable 
ha-sync-esp-seqno   : enable 
inbound-dscp-copy   : disable 
auto-discovery-sender: disable 
auto-discovery-receiver: disable 
auto-discovery-forwarder: disable 
encapsulation       : none 
nattraversal        : enable 
fragmentation-mtu   : 1200
childless-ike       : disable 
rekey               : enable 
fec-egress          : disable 
fec-ingress         : disable 
network-overlay     : disable 
remote-gw           : wan-gateway-of-branch
monitor             : 
tunnel-search       : selectors 
add-gw-route        : disable 
psksecret           : * 
keepalive           : 10
dpd-retrycount      : 5
dpd-retryinterval   : 120

 

 

 

4. packet flow when ping to branch lan pc

FGT # id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.10.x.x:5->10.17.2.x:2048) from vlan10. type=8, code=0, id=5, seq=27807."
id=20085 trace_id=1 func=init_ip_session_common line=5995 msg="allocate a new session-001e76e5"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2589 msg="Match policy routing id=2130837510: to 10.17.2.x via ifindex-29"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-185.x.x.x via port23"
id=20085 trace_id=1 func=fw_forward_handler line=811 msg="Allowed by Policy-87: SNAT"
id=20085 trace_id=1 func=ids_receive line=298 msg="send to ips"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3519 msg="SNAT 10.10.x.x->185.x.x.x:60421"
id=20085 trace_id=1 func=ipd_post_route_handler line=490 msg="out port23 vwl_zone_id 1, state2 0x4001, quality 0.

 as you see it outgoing my port23 which is wan.

gfleming

You never answered what is on port 24.

Also can you show output of "diagnose netlink device list | grep 29"

Cheers,
Graham
Tutek

 

 

//errata port24 is wan1 and port23 is wan2 ....sorry

 

 

 

FGT # diagnose netlink device list | grep 29
vlan17: 77572732  234927    0    0    0     0          0         0   942906   20483    0    0    0     0       0          0
vlan12: 38872711  272192    0    0    0     0          0         0 29327341  285688    0    0    0     0       0          0
 port1: 89223716729 91406007    0    0    0     0          0         0 92973677296 139126928    0    0    0     0       0          0
Cieplice_ipsec:   66134     341    0    0    0     0          0         0    35341     129    0    0    0     0       0          0
vsys_fgfm: 30872007   29164    0    0    0     0          0         0 30872007   29164    0    0    0     0       0          0
ssl.root: 343996851 2536744    0    0    0     0          0         0 1858266770 2902900    0 3730    0     0       0          0

 

 

Labels
Top Kudoed Authors