Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
amorales
New Contributor

Cannot see incoming ESP packets with a packet capture.

Hi, I am not able to see any incoming ESP packet when running a packet capture in FortiGate. The tunnel is UP and running, everything is working find, but if I check the traffic, I just can see outgoing ESP packets but not incoming ones. I have a lot of FortiGates devices and same happens in all of them. Am I missing something? Thanks?

7 REPLIES 7
emnoc
Esteemed Contributor III

Yes, are you specifying the right interface ? If you do the following 

 

diag sniffer packet any "src host x.x.x.x and proto 50"  where x.x.x.x is the remote-gateway ?

 

And lastly confirm the exact remote-gw ipv4 address is correct.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Toshi_Esumi
Esteemed Contributor III

Or, are you sure it's not encapsulated in UDP 4500 because of NAT traversal? Just sniff everything against the remote-gw IP first.

amorales

I have found the reason, it was due to acceleration. After disabling the acceleration in the phase1-Interface, I can see now traffic flowing in both directions. 

 

config vpn ipsec phase1/phase1-interface   edit "vpn_name"     set npu-offload enable/disable   next end

Toshi_Esumi
Esteemed Contributor III

You should be able to see them by just disabling "auto-asic-offload" on the policies without disabling it on the IPsec/phase1. Just don't forget to re-enabling when you're done debugging.

amorales

The thing is that I wanted to check the traffic between my FortiGate and AWS gateway, because the BGP session was not comming up. The traffic was between the FortiGate iself, and AWS remote Gateway, so the traffic was not maching any rule as far I know.

Toshi_Esumi
Esteemed Contributor III

We have an IPsec between FGT and AWS for a customer, and running BGP over it. I can sniff BGP (TCP 179) exchanges with offloading enabled. I think it's because it's destined to FGT itself so it has to come out of NPU unlike passing-through traffic, which gets out of the egress interface only through NPU.

amorales

Yes, after some time I did realize that the tunnel was working fine (it was a BGP configuration issue) and I was able to sniffer the traffic going through the tunnel. I was just shocked after seeing that everything was working fine when fixed the BGP issue, but I was still unable to see ESP packets coming from the AWS public IP. Somehow the FortiGate just shows the outgoing ESP packets but not the incoming ESP packets when offloading is enabled. 

 

Anyway, thank you very much for answers and information :)

Top Kudoed Authors