Hi, Users are using zscaler proxy for internet.
We are having zscaler s2s vpn tunnels configured and added default route for internet.
Zscaler tunnel - distance - 10, priority - 1
Internet ILL - distance - 10, priority - 2
Now if we do the ping to ILL wan ip we are not getting ping of wan ip.
If we do priority 1 to ILL and priority 2 to Zscaler tunnel then only we are able to ping to wan ip.
Can someone please guide in this case.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @ganesh_karale ,
It sounds an asymmetric routing issue to me, please check if the routing is working as expected in your infrastructure.
Please attach a diagram that shows the devices involved and their IP, also shows from where your users are pinging.
Running a packet capture on both ends would be good to understand if and where the packet are received:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...
On the FortiGate you can also run a debug flow at the same time of the packet sniffer (on a second SSH window, to avoid mixing up the logs):
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Best regards,
When we do packet capture it shows that if we are pinging to wan ip from public network traffic receiving on wan interface but reply going out via zscaler.
Created on 07-02-2024 01:40 AM Edited on 07-02-2024 01:45 AM
Hi @ganesh_karale ,
If you attach a diagram which shows the IPs and the devices involved, it would be beneficial.
You might find the below article useful:
https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-an...
You can also collect the following (x.x.x. are the three first octets and x.x.x.x is the IP you are pinging):
get router info routing-table all | grep x.x.x.
get router info routing-table database | grep x.x.x.
get router info routing-table detail x.x.x.x/32
diag ip rtcache list | grep x.x.x.
get router info kernel | grep x.x.x.
Best regards,
Hi, Trying to ping from 14.143.59.30 to 103.250.149.61.
Run sniffer packet and there traffic comes in through respective wan interface and going out through zscaler interface.
Please find below logs for the same.
========================================
FGTRGISURAT # get router info routing-table details 8.8.8.8
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 1, metric 0, best
* via Zscaler_MUM tunnel 10.0.0.1, tun_id
* via Zscaler_Che tunnel 10.0.0.2, tun_id
* 116.72.19.1, via internal5
* 10.201.0.1, via ppp2
FGTRGISURAT #
FGTRGISURAT # diagnose sniffer packet any "host 103.250.149.61 and icmp" 4 0 a
interfaces=[any]
filters=[host 103.250.149.61 and icmp]
2024-07-02 11:16:55.694288 ppp2 in 14.143.59.30 -> 103.250.149.61: icmp: echo request
2024-07-02 11:16:55.694436 Zscaler_MUM out 103.250.149.61 -> 14.143.59.30: icmp: echo reply
2024-07-02 11:17:00.539766 ppp2 in 14.143.59.30 -> 103.250.149.61: icmp: echo request
2024-07-02 11:17:00.539804 Zscaler_MUM out 103.250.149.61 -> 14.143.59.30: icmp: echo reply
2024-07-02 11:17:05.519582 ppp2 in 14.143.59.30 -> 103.250.149.61: icmp: echo request
2024-07-02 11:17:05.519617 Zscaler_MUM out 103.250.149.61 -> 14.143.59.30: icmp: echo reply
2024-07-02 11:17:10.524323 ppp2 in 14.143.59.30 -> 103.250.149.61: icmp: echo request
2024-07-02 11:17:10.524426 Zscaler_MUM out 103.250.149.61 -> 14.143.59.30: icmp: echo reply
^C
32 packets received by filter
0 packets dropped by kernel
Hi @ganesh_karale ,
Thank you for the sniffer logs.
As explained earlier, a network diagram would be beneficial in order to help you.
Also I cannot see the correct routing commands outputs that I suggest you to collect.
It might be better to raise a ticket with our support so you can share the required logs and config backups accordingly.
Best regards,
Hi @ganesh_karale,
You can use policy route to route traffic over the tunnel. Please refer to https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.