Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Cisco ASA logs report ESP errors
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cisco ASA logs report ESP errors
I have a policy-based VPN between a Fortigate-300A and a Cisco ASA.
All config relating to the VPN matches at both ends and the VPN works with no apparent issues apart from the following:
When a host behind the Cisco end of the VPN attempts TCP communication with an unused IP address at the Fortigate end of the VPN, the Fortigate responds by sending an ICMP destination unreachable packet down the VPN back to the source of the TCP communication.
Unfortunately the Fortigate uses the local gateway (main interface) IP address as the source address of the packet, rather than it' s LAN IP address (which is in the same range as the unused IP address).
The consequence is that the source IP address of the packet falls outside the negotiated parameters of the SA and therefore is reported as an error by the Cisco.
The Fortigate is running FortiOS 4 MR3 Patch 15. I have other Fortigate firewall with the same connectivity running different versions of firmware and displaying the same behavior.
I have already been able get around the issue but I was wondering if anyone had advise on changing the behavior of the Fortigate?
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
and welcome to the forums.
This sounds like a real bug to me. I guess you got around it by some action on the Cisco side. To eventually have this fixed, if this behavior is reproduceable, could you imagine yourself filing a support case and thus notify the Fortinet team officially?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, I tried to reproduce the situation.
My end is 192.168.234.0/24.
Remote end is 192.168.166.0/24.
Tunnel phase1 is called " VPN" .
I' m pinging 192.168.166.11 which is non-existent.
2014-05-21 15:00:03.466040 VPN in 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:03.466303 internal out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:03.466326 eth0 out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:06.536313 VPN in 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:06.536504 internal out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:06.536523 eth0 out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:09.605352 VPN in 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:09.605625 internal out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:09.605646 eth0 out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:12.675596 VPN in 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:12.675832 internal out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachable 2014-05-21 15:00:12.675852 eth0 out 192.168.151.1 -> 192.168.234.11: icmp: host 192.168.166.11 unreachableWhat I see here is that the wrong tunnel end is responding: 192.168.151.1 is the first (of 3) phase2' s and apparently used here instead of 192.168.166.1 which would be the correct gateway. Anybody else caring to reproduce this?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Suggestions;
Can you disable icmp messages? ( is thei a global cfg to disable this )
Why not create the vpn a route-based and see if the correct src is sent? ( this is why I never like policy-based vpns )
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you both for investigating this yourselves and providing some advice.
As far as I can tell from using the Cli and looking through Fortinet' s documentation, the only ICMP facility I can disable are redirects from an interface (within the interface configuration). Nothing has leaped out at me to suggest I can disable all ICMP messages.
The Cisco ASA end of the VPN is not in my control so it could take a while to move to a route based VPN (which I' d prefer to use as well). I may be able to test this in a none live environment first though.
I' ve managed to get around the issue by creating black hole static routes for the destination IPs in question. The Fortigate does not now respond with ICMP messages to the source IPs.
I' ve also requested that the source IPs are stopped from making these communication requests as the destinations are no longer in use.
Thanks again.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The Cisco ASA end of the VPN is not in my control so it could take a while to move to a route based VPN (which I' d prefer to use as well). I may be able to test this in a none live environment first though.FWIW: A route-based vpn has nothing todo or any dependencies on the cisco ASA or the cisco side of things. I would never ever build a policy-based vpn. To be honest every sincee my involvement with netscreen, I' ve never ever built a policy-base vpn ;)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How you configure the FGT side is independent of the remote end. With proper planning, you could tear down and reconfigure a tunnel from policy based to interface based in minutes...via the CLI, that is.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI: my test was with a route-based/Interface Mode VPN. This behavior does not depend on the type of VPN then.
With all this policy-based VPN bashing, there are situations in which you have to resort to PB-VPN. For instance, to create a VPN when the Fortigate is in Transparent Mode.
Sure this is a rare case, 99% of current VPNs out there are probably created in Interface Mode.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it has nothing to do with pb-vpn bashing. if you think about it, the pb-vpn has no interface to route the icmpcode un-reachable back to the sender as what you would expect in a route-based.
fwiw:
route-base vpn;
0.644066 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
0.644088 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
0.644109 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
0.664401 VPNtun in 10.200.6.7 -> 192.168.254.119: icmp: echo request
1.672752 VPNtun in 10.200.6.7 -> 192.168.254.119: icmp: echo request
2.680879 VPNtun in 10.200.6.7 -> 192.168.254.119: icmp: echo request
3.674061 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
3.674085 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
3.674105 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.119 unreachable
7.643822 VPNtun in 10.200.6.7 -> 192.168.254.113: icmp: echo request
8.652970 VPNtun in 10.200.6.7 -> 192.168.254.113: icmp: echo request
9.661025 VPNtun in 10.200.6.7 -> 192.168.254.113: icmp: echo request
10.644067 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.113 unreachable
10.644087 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.113 unreachable
10.644107 VPNtun out 1.1.1.1 -> 10.200.6.7: icmp: host 192.168.254.113 unreachable
10.661794 VPNtun in 10.200.6.7 -> 192.168.254.113: icmp: echo request
11.669028 VPNtun in 10.200.6.7 -> 192.168.254.113: icmp: echo request
And this is dropped on the cisco side btw, so the unreachable is never sent to the sender 10.200.6.7 in my case.
The cisco vpn proxy-id would not accept these packets due to the source not matching the encryption acl
And to be clear the 192.168.254.113 and .119 are non-existing hosts over the vpn on the fortigate. Within the cisco platforms, we can filter and drop unneeded sending of unreachables and/or rate-limit them
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ken,
this is not quite the situation the OP is describing.
Assume you have a subnet 1.1.1.0/24 behind the remote tunnel end. Remote gateway is 1.1.1.1. Host 1.1.1.100 exists but 1.1.1.200 does not. In this case, ping 1.1.1.200. The ICMP unreachable should be sent back through the tunnel with a source address of 1.1.1.1, the remote end' s gateway.
What I can see is that the wrong gateway is responding. What the OP saw is that the remote end' s WAN IP is responding which is way off.
Can you confirm the ICMP unreachable behavior with a setting like I described above?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortinet Switch and Fluke Link IQ... 202 Views
- SNMP V3 ERROR ABOUT CISCO SWITCH 1655 Views
- FortiGate Config Local Snapshots 361 Views
- Implementing FGSP with OSPF ECMP based... 496 Views
- Blocks ICMP Error Reporting Packets 669 Views
Labels
-
FortiGate
8,506 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
SSL SSH inspection
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1663 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.