Hi,
I have configured two IPsec tunnels between Fortigate_A and Fortigate_B with static routing and then added them to the SD-WAN zone on both sides. I created IPv4 allow rules to allow LAN-to-LAN traffic, and this is not working; I mean the tunnels are up and established, but I cannot ping from LAN to LAN. So I addressed the IPsec interfaces, and now, strangely, I can ping from Fortigate_B to Fortigate_A's IPsec address but not in the opposite direction. Pings are allowed on the IPsec interfaces. How do I troubleshoot this?
Thank you all for the help; my problem was resolved today with TAC.
In short, I had a performance SLA configured for "All SD-WAN members", and therefore the IPsec tunnels were also in it. This performance SLA checked Google servers, so the IPsec tunnels were marked down, and because of that I had no hits at all in the SD-WAN rules for this IPsec traffic.
Hi Tutek,
It looks like a routing issue. You need to check whether you have configured the static route towards the tunnel interface correctly. Also check the routing table for the destination IP to know whether the routes are being learned or not.
Please follow the KB below and verify your config.
If you sniff the IP, it will help to see the traffic leaving one site and whether it is reaching the other side or not.
Thanks
Madhav
When I ping from a LAN PC behind Fortigate_A, I see that this is going to the internet:
FGT # diag sniffer packet any 'host 10.17.x.x' 1
interfaces=[any]
filters=[host 10.17.x.x]
1.279258 10.x.x.x. -> 10.17.x.x: icmp: echo request
1.279297 205.x.x.x -> 10.17.x.x: icmp: echo request
2.292788 10.x.x.x. -> 10.17.x.x: icmp: echo request
2.292824 205.x.x.x -> 10.17.x.x: icmp: echo request
But in static routes I have created a route for network 10.17.x.x with the SD-WAN zone (two IPsec tunnels) as the gateway.
Created on 11-25-2022 09:48 AM Edited on 11-25-2022 10:06 AM
Ping from the FortiGate itself will not rely on FW policy or SD-WAN rules. Ping from a PC behind the FGT will rely on FW policy and SD-WAN rules. Please check that your FW policy allows the traffic, and please check the SD-WAN rules/routing for the PC traffic.
This is not an IPv4 policy problem but routing: when I ping the remote LAN from a PC, I get "Destination net unreachable." on the Windows CMD console, because these echo requests are going to the internet:
GT # diagnose sniffer packet any "host 10.17.x.x" 4
interfaces=[any]
filters=[host 10.17.x.x]
5.041522 vlan10 in 10.10.x.x -> 10.17.x.x: icmp: echo request
5.041640 port23 out 205.x.x.x -> 10.17.x.x: icmp: echo request
5.044369 port23 in 10.17.x.x -> 205.x.x.x: icmp: echo reply
But my static routing to the remote LAN is configured:
edit 13
set dst 10.17.x.x 255.255.240.0
set device "W1-Branch-W1"
next
edit 18
set dst 10.17.x.x 255.255.240.0
set device "W2-Branch-W1"
next
FGT # get router info routing-table all
.
.
.
S 10.17.x.x/20 [10/0] is directly connected, W1-Branch-W1
[10/0] is directly connected, W2-Branch-W1
The SD-WAN rule responsible for this traffic is at the top, but it doesn't even get any hit counts (the FortiGate does not use this SD-WAN rule but forces this traffic to the internet).
Can you please show what the destination address object/IP subnet for SD-WAN rule #8 is?
Please also confirm the actual IP address of the remote PC and the actual destination subnet in the static route entry.
Please also show output of "show vpn ipsec phase1-interface W1-Branch-W1"
And lastly try the following and then ping the remote LAN and copy the output:
diag debug ena
diag debug flow filter daddr 10.17.x.x (Actual IP of remote LAN)
diag debug flow filter saddr 10.10.X.X (actual IP of PC on this side)
diag debug flow filter proto 1
diag debug flow trace start 5
Thanks gfleming, I appreciate your help; I'm stuck with this config. The same situation exists on the branch (it pushes traffic destined for the IPsec tunnels to the internet). Now responding:
1.
FGT (sdwan) # config service
FGT (service) # show
config service
edit 8
set name "to_branch"
set dst "branch_subnet" (10.17.x.x/20 - all summarized subnet)
set src "all"
set priority-members 3 4 (these are ipsec tunnels w1-branch-w1, w2-branch-w1)
next
2. I have a couple of subnets on the branch; the LAN with the PC is 10.17.2.x/24.
The static route definitely has the two IPsec virtual interfaces as its destination:
As you can see, I have other IPsec tunnels that are working, but they are not in SD-WAN and they are configured in tunnel mode, so I have the networks configured in the phase-2 selectors. The two IPsec tunnels that are members of SD-WAN are in interface mode with zeroes in the selectors.
3. IPsec phase-1 output:
FGT (W1-Branch-W1) # get
name : W1-Branch-W1
type : static
interface : port24
ip-version : 4
ike-version : 2
local-gw : 0.0.0.0
keylife : 86400
authmethod : psk
authmethod-remote :
peertype : any
net-device : disable
passive-mode : disable
exchange-interface-ip: disable
aggregate-member : disable
mode-cfg : disable
proposal : aes256-sha256
localid :
localid-type : auto
auto-negotiate : enable
negotiate-timeout : 30
fragmentation : enable
ip-fragmentation : post-encapsulation
dpd : on-idle
forticlient-enforcement: disable
comments :
npu-offload : enable
dhgrp : 19
suite-b : disable
eap : disable
ppk : disable
wizard-type : custom
reauth : disable
idle-timeout : disable
ha-sync-esp-seqno : enable
inbound-dscp-copy : disable
auto-discovery-sender: disable
auto-discovery-receiver: disable
auto-discovery-forwarder: disable
encapsulation : none
nattraversal : enable
fragmentation-mtu : 1200
childless-ike : disable
rekey : enable
fec-egress : disable
fec-ingress : disable
network-overlay : disable
remote-gw : wan-gateway-of-branch
monitor :
tunnel-search : selectors
add-gw-route : disable
psksecret : *
keepalive : 10
dpd-retrycount : 5
dpd-retryinterval : 120
4. Packet flow when pinging the branch LAN PC:
FGT # id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.10.x.x:5->10.17.2.x:2048) from vlan10. type=8, code=0, id=5, seq=27807."
id=20085 trace_id=1 func=init_ip_session_common line=5995 msg="allocate a new session-001e76e5"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2589 msg="Match policy routing id=2130837510: to 10.17.2.x via ifindex-29"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-185.x.x.x via port23"
id=20085 trace_id=1 func=fw_forward_handler line=811 msg="Allowed by Policy-87: SNAT"
id=20085 trace_id=1 func=ids_receive line=298 msg="send to ips"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3519 msg="SNAT 10.10.x.x->185.x.x.x:60421"
id=20085 trace_id=1 func=ipd_post_route_handler line=490 msg="out port23 vwl_zone_id 1, state2 0x4001, quality 0.
As you can see, it goes out via my port23, which is WAN.
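An added example, not part of the thread: a small Python helper that parses the debug flow output above (the trace lines are copied from the post, with the same masked addresses) and reports whether the packet actually left via one of the SD-WAN tunnel members or, as in this case, a WAN port. The function and variable names are my own.

```python
import re

# Debug-flow lines copied from the trace posted above (addresses masked with "x" as in the post).
TRACE = """\
FGT # id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.10.x.x:5->10.17.2.x:2048) from vlan10. type=8, code=0, id=5, seq=27807."
id=20085 trace_id=1 func=init_ip_session_common line=5995 msg="allocate a new session-001e76e5"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2589 msg="Match policy routing id=2130837510: to 10.17.2.x via ifindex-29"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-185.x.x.x via port23"
id=20085 trace_id=1 func=fw_forward_handler line=811 msg="Allowed by Policy-87: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3519 msg="SNAT 10.10.x.x->185.x.x.x:60421"
id=20085 trace_id=1 func=ipd_post_route_handler line=490 msg="out port23 vwl_zone_id 1, state2 0x4001, quality 0.
"""
# The two IPsec interfaces that are SD-WAN members in the thread.
SDWAN_TUNNELS = {"W1-Branch-W1", "W2-Branch-W1"}
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>[^"]*)')

def parse_trace(text):
    """Group debug-flow lines by trace_id and extract the routing-relevant facts."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        t = traces.setdefault(m["tid"], dict.fromkeys(("ingress", "flow", "policy_route", "route_via", "policy", "egress")))
        msg = m["msg"]
        if m["func"] == "print_pkt_detail":
            r = re.search(r"\((?P<flow>[^)]*)\) from (?P<iface>\S+)\.", msg)
            if r:
                t["ingress"], t["flow"] = r["iface"], r["flow"]
        elif msg.startswith("Match policy routing"):
            r = re.search(r"id=(\d+): to \S+ via (\S+)", msg)
            if r:
                t["policy_route"] = (r[1], r[2])      # (SD-WAN rule id, ifindex it selected)
        elif msg.startswith("find a route"):
            t["route_via"] = msg.rsplit(" via ", 1)[-1]  # interface chosen by the route lookup
        elif msg.startswith("Allowed by Policy-"):
            t["policy"] = msg.split("Policy-")[1].split(":")[0]
        elif msg.startswith("out "):
            t["egress"] = msg.split()[1]                 # interface the packet actually left on
    return traces

def check_egress(trace, expected_members):
    """Return (ok, reason): ok is True only if the packet left via an expected SD-WAN member."""
    egress = trace["egress"]
    if egress is None:
        return False, "no egress interface recorded in trace"
    if egress in expected_members:
        return True, f"egress {egress} is an expected SD-WAN member"
    return False, (f"egress {egress} is not one of {sorted(expected_members)}; policy route "
                   f"{trace['policy_route']} matched, but the route lookup chose {trace['route_via']}")
```

Running `check_egress(parse_trace(TRACE)["1"], SDWAN_TUNNELS)` on the posted trace returns a failure naming port23, which is the symptom the thread is chasing.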
You never answered what is on port 24.
Also can you show output of "diagnose netlink device list | grep 29"
Created on 11-27-2022 08:23 AM Edited on 11-27-2022 09:31 AM
// Errata: port24 is wan1 and port23 is wan2 ... sorry
FGT # diagnose netlink device list | grep 29
vlan17: 77572732 234927 0 0 0 0 0 0 942906 20483 0 0 0 0 0 0
vlan12: 38872711 272192 0 0 0 0 0 0 29327341 285688 0 0 0 0 0 0
port1: 89223716729 91406007 0 0 0 0 0 0 92973677296 139126928 0 0 0 0 0 0
Cieplice_ipsec: 66134 341 0 0 0 0 0 0 35341 129 0 0 0 0 0 0
vsys_fgfm: 30872007 29164 0 0 0 0 0 0 30872007 29164 0 0 0 0 0 0
ssl.root: 343996851 2536744 0 0 0 0 0 0 1858266770 2902900 0 3730 0 0 0 0