- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Cisco ASA logs report ESP errors
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco ASA logs report ESP errors
I have a policy-based VPN between a Fortigate-300A and a Cisco ASA.
All config relating to the VPN matches at both ends and the VPN works with no apparent issues apart from the following:
When a host behind the Cisco end of the VPN attempts TCP communication with an unused IP address at the Fortigate end of the VPN, the Fortigate responds by sending an ICMP destination unreachable packet down the VPN back to the source of the TCP communication.
Unfortunately the Fortigate uses the local gateway (main interface) IP address as the source address of the packet, rather than it' s LAN IP address (which is in the same range as the unused IP address).
The consequence is that the source IP address of the packet falls outside the negotiated parameters of the SA and therefore is reported as an error by the Cisco.
The Fortigate is running FortiOS 4 MR3 Patch 15. I have other Fortigate firewall with the same connectivity running different versions of firmware and displaying the same behavior.
I have already been able get around the issue but I was wondering if anyone had advise on changing the behavior of the Fortigate?
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
and welcome to the forums.
This sounds like a real bug to me. I guess you got around it by some action on the Cisco side. To eventually have this fixed, if this behavior is reproduceable, could you imagine yourself filing a support case and thus notify the Fortinet team officially?
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I tried to reproduce the situation.
My end is 192.168.234.0/24.
Remote end is 192.168.166.0/24.
Tunnel phase1 is called " VPN" .
I' m pinging 192.168.166.11 which is non-existent.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
2014-05-21 15:00:03.466040 VPN in 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:03.466303 internal out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:03.466326 eth0 out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:06.536313 VPN in 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:06.536504 internal out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:06.536523 eth0 out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:09.605352 VPN in 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:09.605625 internal out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:09.605646 eth0 out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:12.675596 VPN in 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:12.675832 internal out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:12.675852 eth0 out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachableWhat I see here is that the wrong tunnel end is responding: 192.168.151.1 is the first (of 3) phase2' s and apparently used here instead of 192.168.166.1 which would be the correct gateway. Anybody else caring to reproduce this?
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Suggestions;
Can you disable icmp messages? ( is thei a global cfg to disable this )
Why not create the vpn a route-based and see if the correct src is sent? ( this is why I never like policy-based vpns )
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you both for investigating this yourselves and providing some advice.
As far as I can tell from using the Cli and looking through Fortinet' s documentation, the only ICMP facility I can disable are redirects from an interface (within the interface configuration). Nothing has leaped out at me to suggest I can disable all ICMP messages.
The Cisco ASA end of the VPN is not in my control so it could take a while to move to a route based VPN (which I' d prefer to use as well). I may be able to test this in a none live environment first though.
I' ve managed to get around the issue by creating black hole static routes for the destination IPs in question. The Fortigate does not now respond with ICMP messages to the source IPs.
I' ve also requested that the source IPs are stopped from making these communication requests as the destinations are no longer in use.
Thanks again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Cisco ASA end of the VPN is not in my control so it could take a while to move to a route based VPN (which I' d prefer to use as well). I may be able to test this in a none live environment first though.FWIW: A route-based vpn has nothing todo or any dependencies on the cisco ASA or the cisco side of things. I would never ever build a policy-based vpn. To be honest every sincee my involvement with netscreen, I' ve never ever built a policy-base vpn ;)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How you configure the FGT side is independent of the remote end. With proper planning, you could tear down and reconfigure a tunnel from policy based to interface based in minutes...via the CLI, that is.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI: my test was with a route-based/Interface Mode VPN. This behavior does not depend on the type of VPN then.
With all this policy-based VPN bashing, there are situations in which you have to resort to PB-VPN. For instance, to create a VPN when the Fortigate is in Transparent Mode.
Sure this is a rare case, 99% of current VPNs out there are probably created in Interface Mode.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it has nothing to do with pb-vpn bashing. if you think about it, the pb-vpn has no interface to route the icmpcode un-reachable back to the sender as what you would expect in a route-based.
fwiw:
route-base vpn;
0.644066 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
0.644088 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
0.644109 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
0.664401 VPNtun in 10.200.6.7 -> 192.168.254.119: icmp: echo request
1.672752 VPNtun in 10.200.6.7 -> 192.168.254.119: icmp: echo request
2.680879 VPNtun in 10.200.6.7 -> 192.168.254.119: icmp: echo request
3.674061 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
3.674085 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
3.674105 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
7.643822 VPNtun in 10.200.6.7 -> 192.168.254.113: icmp: echo request
8.652970 VPNtun in 10.200.6.7 -> 192.168.254.113: icmp: echo request
9.661025 VPNtun in 10.200.6.7 -> 192.168.254.113: icmp: echo request
10.644067 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.113 unreachable
10.644087 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.113 unreachable
10.644107 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.113 unreachable
10.661794 VPNtun in 10.200.6.7 -> 192.168.254.113: icmp: echo request
11.669028 VPNtun in 10.200.6.7 -> 192.168.254.113: icmp: echo request
And this is dropped on the cisco side btw, so the unreachable is never sent to the sender 10.200.6.7 in my case.
The cisco vpn proxy-id would not accept these packets due to the source not matching the encryption acl
And to be clear the 192.168.254.113 and .119 are non-existing hosts over the vpn on the fortigate. Within the cisco platforms, we can filter and drop unneeded sending of unreachables and/or rate-limit them
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ken,
this is not quite the situation the OP is describing.
Assume you have a subnet 1.1.1.0/24 behind the remote tunnel end. Remote gateway is 1.1.1.1. Host 1.1.1.100 exists but 1.1.1.200 does not. In this case, ping 1.1.1.200. The ICMP unreachable should be sent back through the tunnel with a source address of 1.1.1.1, the remote end' s gateway.
What I can see is that the wrong gateway is responding. What the OP saw is that the remote end' s WAN IP is responding which is way off.
Can you confirm the ICMP unreachable behavior with a setting like I described above?
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- Blocks ICMP Error Reporting Packets 140 Views
- FortiManager pxGrid Connection 380 Views
- LACP between Cisco and Fortiswitch (MC-LAG)... 994 Views
- Tunnel to cisco router keeps doing... 373 Views
- Some objects "fail" to be imported 667 Views
Labels
-
FortiGate
6,452 -
FortiClient
1,288 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.