Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chocolateeater
New Contributor II

Created on ‎12-04-2024 12:08 AM

Cannot ping interface IP from AWS VPN

Hi, all.

 

I cannot ping a local interface IP on the Fortigate from a AWS host, connected through a VPN tunnel. I can ping the interface using a dial-up (FortiClient). It goes like this:

 

From PC connected through FortiClient (IP is 10.10.1.2):

Pinging 192.168.4.1 with 32 bytes of data:
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255
Reply from 192.168.4.1: bytes=32 time=1ms TTL=255

 

From linux host in AWS:

PING 192.168.4.1 (192.168.4.1) 56(84) bytes of data.
(zzzzz)
--- 192.168.4.1 ping statistics ---
22 packets transmitted, 0 received, 100% packet loss, time 21481ms

 

To a host on the interface subnet, from linux host in AWS:

PING 192.168.4.13 (192.168.4.13) 56(84) bytes of data.
64 bytes from 192.168.4.13: icmp_seq=1 ttl=127 time=21.1 ms
64 bytes from 192.168.4.13: icmp_seq=2 ttl=127 time=21.2 ms

 

On the Fortigate, a trace shows

 

Packet Trace #2004,2024/12/04 08:57:54,"vd-root:0 received a packet(proto=1, 172.31.32.14:53603->192.168.4.1:2048) tun_id=18.193.132.24 from vpn-0d40f99b. type=8, code=0, id=53603, seq=3."
Packet Trace #2004,2024/12/04 08:57:54,"Find an existing session, id-232fd712, original direction"
Packet Trace #2005,2024/12/04 08:57:55,"vd-root:0 received a packet(proto=1, 172.31.32.14:53603->192.168.4.1:2048) tun_id=18.193.132.24 from vpn-0d40f99b. type=8, code=0, id=53603, seq=4."
Packet Trace #2005,2024/12/04 08:57:55,"Find an existing session, id-232fd712, original direction"
Packet Trace #2006,2024/12/04 08:57:56,"vd-root:0 received a packet(proto=1, 172.31.32.14:53603->192.168.4.1:2048) tun_id=18.193.132.24 from vpn-0d40f99b. type=8, code=0, id=53603, seq=5."
Packet Trace #2006,2024/12/04 08:57:56,"Find an existing session, id-232fd712, original direction"
Packet Trace #2007,2024/12/04 08:57:57,"vd-root:0 received a packet(proto=1, 172.31.32.14:53603->192.168.4.1:2048) tun_id=18.193.132.24 from vpn-0d40f99b. type=8, code=0, id=53603, seq=6."
Packet Trace #2007,2024/12/04 08:57:57,"Find an existing session, id-232fd712, original direction"

 

And the interface configuration:

 

edit "lan"
  set vdom "root"
  set ip 192.168.4.1 255.255.255.0
  set allowaccess ping https ssh snmp fabric
  set alias "office lan"
  set device-identification enable
  set role lan
  set snmp-index 11
  set interface "fortilink"
  set vlanid 2000
next

 

Any tips on why it doesn't work from the AWS VPN-tunnel?

 

Cheers,

Chocolate Eater

Labels:
545
0 Kudos
1 Solution
sjoshi
Staff
Staff
In response to chocolateeater

Created on ‎12-05-2024 03:51 AM

yes your link monitor is in dead state that is why the route is in active

please remove the link monitor for now and the route should be active and check the communication

Let us know if this helps.
Salon Raj Joshi

View solution in original post

387
0 Kudos
14 REPLIES 14
sjoshi
Staff
Staff

Created on ‎12-04-2024 05:33 AM

Hi,

 

Can you take the pcap on the FGT

diag sniff packet any 'host x.x.x.x and icmp' 4 0 l >> where x.x.x.x is the dst IP

Let us know if this helps.
Salon Raj Joshi
350
AEK
SuperUser
SuperUser

Created on ‎12-04-2024 07:05 AM

Hi

Can you show the log from the first packet (the one you shared is starting from the 3rd).

Also have you created a policy to allow ping from SSL-VPN tunnel to lan interface?

AEK
AEK
334
dingjerry_FTNT
Staff
Staff

Created on ‎12-04-2024 07:27 AM

Hi @chocolateeater ,

 

1) Please make sure that there is one firewall policy allowing Ping traffic from vpn-0d40f99b interface to lan interface.

 

2) Please make sure that there is no trusted host configured with your admin accounts.

Regards,

Jerry
329
dingjerry_FTNT
Staff
Staff

Created on ‎12-04-2024 07:29 AM

Also, please collect the outputs with the following commands:

 

diag sys session filter proto 1

diag sys session filter dst 192.168.4.1

diag sys session list

 

It's better also attach your FGT config.

Regards,

Jerry
327
chocolateeater
New Contributor II

Created on ‎12-05-2024 12:19 AM

Hi, all.

 

Funny thing. When I ran pcap suggested by @sjoshi, after 8-10 seconds suddenly it worked. I did nothing. Then I left to handle some other stuff, and when I came back it didn't work, again. That got me thinking about NP offloading or asymmetric routing issues, but I haven't been able to confirm this. 

 

The interface IP is now 192.168.40.1 (tried quite a few things), and there is a new host in AWS (172.31.40.192). Sorry I can't drop the complete config here, for security reasons.

 

Here is a new capture, based on the suggestions:

 

FG-101F # diag sniff packet any 'host 192.168.40.1 and icmp' 4 0 1
interfaces=[any]
filters=[host 192.168.40.1 and icmp]
2.975748 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request
7.975738 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request
12.975803 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request
17.976778 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request
22.976357 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request
^C
5 packets received by filter
0 packets dropped by kernel

FG-101F # diag sys session filter proto 1

FG-101F # diag sys session filter dst 192.168.40.1

FG-101F # diag sys session list

session info: proto=1 proto_state=00 duration=37698 expire=58 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ tun_id=0.0.0.0/18.193.132.248 vlan_cos=0/0
state=local may_dirty npu 
statistic(bytes/packets/allow_err): org=497040/8284/1 reply=56820/947/1 tuples=2
tx speed(Bps/kbps): 13/0 rx speed(Bps/kbps): 1/0
orgin->sink: org pre->in, reply out->post dev=77->36/36->78 gwy=192.168.40.1/0.0.0.0
hook=pre dir=org act=noop 172.31.40.192:1->192.168.40.1:8(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.40.1:1->172.31.40.192:0(0.0.0.0:0)
misc=0 policy_id=53 pol_uuid_idx=0 auth_info=0 chk_client_info=0 vd=0
serial=000057c8 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x000001 no_offload
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:  local disabled-by-policy
total session 1

FG-101F # diag sniff packet any 'host 172.31.40.192 and icmp' 4 0 1
interfaces=[any]
filters=[host 172.31.40.192 and icmp]
3.714953 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request
8.711020 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request
10.301561 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.13: icmp: echo request
10.301644 lan out 172.31.40.192 -> 192.168.40.13: icmp: echo request
10.301648 fortilink out 172.31.40.192 -> 192.168.40.13: icmp: echo request
10.301653 x2 out 172.31.40.192 -> 192.168.40.13: icmp: echo request
10.301761 lan in 192.168.40.13 -> 172.31.40.192: icmp: echo reply
10.301790 vpn-0d40f99b-2 out 192.168.40.13 -> 172.31.40.192: icmp: echo reply
13.710008 vpn-0d40f99b in 172.31.40.192 -> 192.168.40.1: icmp: echo request
^C
9 packets received by filter
0 packets dropped by kernel

FG-101F # show firewall policy 53
config firewall policy
    edit 53
        set name "aws to office lan"
        set uuid 813dbc08-842a-51ef-e803-b022fa3ef30e
        set srcintf "vpn-0d40f99b"
        set dstintf "lan"
        set action accept
        set srcaddr "AWS"
        set dstaddr "lan address"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set capture-packet enable
        set auto-asic-offload disable
    next
end

FG-101F # show firewall policy 59
config firewall policy
    edit 59
        set name "aws 2 to lan"
        set uuid 872e1386-842c-51ef-2e34-67700f53b3ed
        set srcintf "vpn-0d40f99b-2"
        set dstintf "lan"
        set action accept
        set srcaddr "AWS"
        set dstaddr "lan address"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set capture-packet enable
        set auto-asic-offload disable
    next
end

 

I have discovered something strange (maybe), though. There is a mismatch in the static routes in the GUI and CLI (have removed routes not relevant, here):

 

FG-101F # get router info routing-table static
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 195.159.198.177, wan1, [1/0]
S       169.254.87.188/30 [5/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0]
S       169.254.91.32/30 [5/0] via vpn-0d40f99b tunnel 18.193.132.248, [1/0]
S       172.31.0.0/16 [20/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0]

 image.png

 

300
0 Kudos
sjoshi
Staff
Staff
In response to chocolateeater

Created on ‎12-05-2024 01:44 AM

reg the routing table output.

share below output

get router info routing-table all

get router info routing-table database

Let us know if this helps.
Salon Raj Joshi
293
0 Kudos
sjoshi
Staff
Staff
In response to chocolateeater

Created on ‎12-05-2024 01:46 AM

Also reg the local interface ping issue I see the interface IP is 192.168.4.1 but while taking the capture you have taken on 192.168.40.1

 

edit "lan"
set vdom "root"
set ip 192.168.4.1 255.255.255.0

 

Please confirm correct lan IP and take pcap on that one.

Also please share the snapshot of VIP and IP pool configure on your FGT

Let us know if this helps.
Salon Raj Joshi
292
0 Kudos
chocolateeater
New Contributor II

Created on ‎12-05-2024 02:14 AM

Hi, @sjoshi.

 

I have changed interface IP to 192.168.40.1. So that is the correct IP.

 

Here is the full output:

 

 

 

FG-101F # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 195.159.198.177, wan1, [1/0]
C       10.10.1.0/24 is directly connected, guest_wlan
S       10.10.1.2/32 [15/0] via VPN tunnel 10.10.1.2, [1/0]
S       10.10.1.3/32 [15/0] via VPN tunnel 10.10.1.3, [1/0]
S       10.10.10.0/24 [10/0] via Intro SD tunnel 193.71.92.26, [1/0]
C       10.253.240.0/20 is directly connected, wqt.root
C       10.255.11.0/24 is directly connected, quarantine
C       10.255.12.0/24 is directly connected, rspan
C       10.255.13.0/24 is directly connected, nac_segment
C       169.254.1.0/24 is directly connected, fortilink
C       169.254.2.1/32 is directly connected, VPN
C       169.254.2.15/32 is directly connected, SW to FG
S       169.254.87.188/30 [5/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0]
C       169.254.87.190/32 is directly connected, vpn-0d40f99b-2
S       169.254.91.32/30 [5/0] via vpn-0d40f99b tunnel 18.193.132.248, [1/0]
C       169.254.91.34/32 is directly connected, vpn-0d40f99b
C       172.18.0.0/21 is directly connected, intro_guest_w
S       172.31.0.0/16 [20/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0]
C       192.168.19.0/24 is directly connected, port12
C       192.168.22.0/24 is directly connected, port7
C       192.168.24.0/24 is directly connected, port6
C       192.168.25.0/24 is directly connected, teknisk lan
C       192.168.28.0/24 is directly connected, port9
C       192.168.31.0/24 is directly connected, port2
C       192.168.40.0/24 is directly connected, lan
C       192.168.41.0/24 is directly connected, wlan ap
C       192.168.50.0/24 is directly connected, wifi lan
C       192.168.55.0/24 is directly connected, guest_b
C       192.168.60.0/28 is directly connected, intro_info
C       192.168.62.0/29 is directly connected, intro_klang
C       192.168.63.0/29 is directly connected, intro_present
C       192.168.98.0/24 is directly connected, intro_ph_access

FG-101F # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       > - selected route, * - FIB route, p - stale info

Routing table for VRF=0
S    *> 0.0.0.0/0 [10/0] via 195.159.198.177, wan1, [1/0]
C    *> 10.10.1.0/24 is directly connected, guest_wlan
S       10.10.1.0/24 [10/0] is directly connected, VPN, [1/0]
S    *> 10.10.1.2/32 [15/0] via VPN tunnel 10.10.1.2, [1/0]
S    *> 10.10.1.3/32 [15/0] via VPN tunnel 10.10.1.3, [1/0]
S    *> 10.10.10.0/24 [10/0] via Intro SD tunnel 193.71.92.26, [1/0]
C    *> 10.253.240.0/20 is directly connected, wqt.root
C    *> 10.255.11.0/24 is directly connected, quarantine
C    *> 10.255.12.0/24 is directly connected, rspan
C    *> 10.255.13.0/24 is directly connected, nac_segment
C    *> 169.254.1.0/24 is directly connected, fortilink
C    *> 169.254.2.1/32 is directly connected, VPN
C    *> 169.254.2.15/32 is directly connected, SW to FG
S    *> 169.254.87.188/30 [5/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0]
C    *> 169.254.87.190/32 is directly connected, vpn-0d40f99b-2
S    *> 169.254.91.32/30 [5/0] via vpn-0d40f99b tunnel 18.193.132.248, [1/0]
C    *> 169.254.91.34/32 is directly connected, vpn-0d40f99b
C    *> 172.18.0.0/21 is directly connected, intro_guest_w
S       172.31.0.0/16 [10/0] via vpn-0d40f99b tunnel 18.193.132.248 inactive, [1/0]
S    *> 172.31.0.0/16 [20/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0]
C    *> 192.168.19.0/24 is directly connected, port12
C    *> 192.168.22.0/24 is directly connected, port7
C    *> 192.168.24.0/24 is directly connected, port6
C    *> 192.168.25.0/24 is directly connected, teknisk lan
C    *> 192.168.28.0/24 is directly connected, port9
C    *> 192.168.31.0/24 is directly connected, port2
S       192.168.40.0/24 [10/0] is directly connected, l2t.root, [1/0]
C    *> 192.168.40.0/24 is directly connected, lan
C    *> 192.168.41.0/24 is directly connected, wlan ap
C    *> 192.168.50.0/24 is directly connected, wifi lan
C    *> 192.168.55.0/24 is directly connected, guest_b
C    *> 192.168.60.0/28 is directly connected, intro_info

 

 

Why is this one inactive...? In the GUI it is not. Normal?

 

172.31.0.0/16 [10/0] via vpn-0d40f99b tunnel 18.193.132.248 inactive, [1/0]

 

 

282
0 Kudos
sjoshi
Staff
Staff
In response to chocolateeater

Created on ‎12-05-2024 02:49 AM

I can see from the remote side AWS the traffic is being received on the TNL vpn-0d40f99b but on the FGT side you have route via vpn-0d40f99b-2 .. in that case RFP check will fail and it will drop the packet
S *> 172.31.0.0/16 [20/0] via vpn-0d40f99b-2 tunnel 52.58.248.162, [1/0]

 

Soln:-
Make the host behind AWS to sent traffic via 2nd IPSEC TNL that makes FGT to receive the traffic on via vpn-0d40f99b-2

 

Now why 172.31.0.0/16 [10/0] via vpn-0d40f99b tunnel 18.193.132.248 inactive, [1/0] is in activeFor this I need few more answer.


Is it part of sdwan?
Have you setup link monitor
config system link-monitor
show

Can you confirm the IPSEC TNL for vpn-0d40f99b is up?
diagnose vpn ike gateway list name vpn-0d40f99b

Let us know if this helps.
Salon Raj Joshi
274
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.