My HUB has 2 ISPs with 2 VPNs. These VPNs are in SD-WAN with Maximize Bandwidth SLA. Sometimes the hosts from the hub can't ping the SPOKES.
I ran a sniffer and debug, and these are the results:
PING ok from 192.168.1.10 to 192.168.2.10
Sniffer
4.048999 port4 in 192.168.1.10 -> 192.168.2.10: icmp: echo request
4.049044 VPN-ISP1 out 192.168.1.10 -> 192.168.2.10: icmp: echo request
4.051829 VPN-ISP1 in 192.168.2.10 -> 192.168.1.10: icmp: echo reply
4.051839 port4 out 192.168.2.10 -> 192.168.1.10: icmp: echo reply
4.053337 port4 in 192.168.1.10 -> 192.168.2.10: icmp: echo request
4.053342 VPN-ISP1 out 192.168.1.10 -> 192.168.2.10: icmp: echo request
4.057074 VPN-ISP1 in 192.168.2.10 -> 192.168.1.10: icmp: echo reply
4.057077 port4 out 192.168.2.10 -> 192.168.1.10: icmp: echo reply
4.058594 port4 in 192.168.1.10 -> 192.168.2.10: icmp: echo request
4.058599 VPN-ISP1 out 192.168.1.10 -> 192.168.2.10: icmp: echo request
4.061209 VPN-ISP1 in 192.168.2.10 -> 192.168.1.10: icmp: echo reply
4.061212 port4 out 192.168.2.10 -> 192.168.1.10: icmp: echo reply
4.062676 port4 in 192.168.1.10 -> 192.168.2.10: icmp: echo request
4.062680 VPN-ISP1 out 192.168.1.10 -> 192.168.2.10: icmp: echo request
4.065359 VPN-ISP1 in 192.168.2.10 -> 192.168.1.10: icmp: echo reply
4.065362 port4 out 192.168.2.10 -> 192.168.1.10: icmp: echo reply
4.066878 port4 in 192.168.1.10 -> 192.168.2.10: icmp: echo request
4.066881 VPN-ISP1 out 192.168.1.10 -> 192.168.2.10: icmp: echo request
4.068969 VPN-ISP1 in 192.168.2.10 -> 192.168.1.10: icmp: echo reply
4.068971 port4 out 192.168.2.10 -> 192.168.1.10: icmp: echo reply
Debug
2021-02-19 01:19:41 id=20085 trace_id=1 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:58->192.168.2.10:2048) from"
2021-02-19 01:19:41 id=20085 trace_id=1 func=init_ip_session_common line=5625 msg="allocate a new session-00000a8a"
2021-02-19 01:19:41 id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="Match policy routing id=2130771970: to 192.168.2.10 via ifindex-10"
2021-02-19 01:19:41 id=20085 trace_id=1 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.10.100.2 via VPN-ISP1"
2021-02-19 01:19:41 id=20085 trace_id=1 func=fw_forward_handler line=783 msg="Allowed by Policy-1:"
2021-02-19 01:19:41 id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN-ISP1"
2021-02-19 01:19:41 id=20085 trace_id=1 func=esp_output4 line=904 msg="IPsec encrypt/auth"
2021-02-19 01:19:41 id=20085 trace_id=1 func=ipsec_output_finish line=622 msg="send to 186.1.1.1 via intf-port2"
2021-02-19 01:19:41 id=20085 trace_id=2 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.2.10:58->192.168.1.10:0) from VPN-ISP1. t"
2021-02-19 01:19:41 id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00000a8a, reply direction"
2021-02-19 01:19:41 id=20085 trace_id=2 func=vf_ip_route_input_common line=2596 msg="find a route: flag=00000000 gw-192.168.1.10 via port4"
2021-02-19 01:19:41 id=20085 trace_id=3 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:58->192.168.2.10:2048) from port4. t"
2021-02-19 01:19:41 id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00000a8a, original direction"
2021-02-19 01:19:41 id=20085 trace_id=3 func=ipv4_fast_cb line=53 msg="enter fast path"
2021-02-19 01:19:41 id=20085 trace_id=3 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN-ISP1"
2021-02-19 01:19:41 id=20085 trace_id=3 func=esp_output4 line=904 msg="IPsec encrypt/auth"
2021-02-19 01:19:41 id=20085 trace_id=3 func=ipsec_output_finish line=622 msg="send to 186.1.1.1 via intf-port2"
2021-02-19 01:19:41 id=20085 trace_id=4 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.2.10:58->192.168.1.10:0) from VPN-ISP1. t"
2021-02-19 01:19:41 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00000a8a, reply direction"
2021-02-19 01:19:41 id=20085 trace_id=4 func=ipv4_fast_cb line=53 msg="enter fast path"
2021-02-19 01:19:41 id=20085 trace_id=5 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:58->192.168.2.10:2048) from port4. t"
2021-02-19 01:19:41 id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00000a8a, original direction"
2021-02-19 01:19:41 id=20085 trace_id=5 func=ipv4_fast_cb line=53 msg="enter fast path"
2021-02-19 01:19:41 id=20085 trace_id=5 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN-ISP1"
2021-02-19 01:19:41 id=20085 trace_id=5 func=esp_output4 line=904 msg="IPsec encrypt/auth"
2021-02-19 01:19:41 id=20085 trace_id=5 func=ipsec_output_finish line=622 msg="send to 186.1.1.1 via intf-port2"
2021-02-19 01:19:41 id=20085 trace_id=6 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.2.10:58->192.168.1.10:0) from VPN-ISP1. t"
2021-02-19 01:19:41 id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00000a8a, reply direction"
2021-02-19 01:19:41 id=20085 trace_id=6 func=ipv4_fast_cb line=53 msg="enter fast path"
2021-02-19 01:19:41 id=20085 trace_id=7 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:58->192.168.2.10:2048) from port4. t"
2021-02-19 01:19:41 id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00000a8a, original direction"
2021-02-19 01:19:41 id=20085 trace_id=7 func=ipv4_fast_cb line=53 msg="enter fast path"
2021-02-19 01:19:41 id=20085 trace_id=7 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN-ISP1"
2021-02-19 01:19:41 id=20085 trace_id=7 func=esp_output4 line=904 msg="IPsec encrypt/auth"
2021-02-19 01:19:41 id=20085 trace_id=7 func=ipsec_output_finish line=622 msg="send to 186.1.1.1 via intf-port2"
2021-02-19 01:19:41 id=20085 trace_id=8 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.2.10:58->192.168.1.10:0) from VPN-ISP1. t"
2021-02-19 01:19:41 id=20085 trace_id=8 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00000a8a, reply direction"
2021-02-19 01:19:41 id=20085 trace_id=8 func=ipv4_fast_cb line=53 msg="enter fast path"
2021-02-19 01:19:41 id=20085 trace_id=9 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:58->192.168.2.10:2048) from port4. t"
2021-02-19 01:19:41 id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00000a8a, original direction"
2021-02-19 01:19:41 id=20085 trace_id=9 func=ipv4_fast_cb line=53 msg="enter fast path"
2021-02-19 01:19:41 id=20085 trace_id=9 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN-ISP1"
2021-02-19 01:19:41 id=20085 trace_id=9 func=esp_output4 line=904 msg="IPsec encrypt/auth"
2021-02-19 01:19:41 id=20085 trace_id=9 func=ipsec_output_finish line=622 msg="send to 186.1.1.1 via intf-port2"
2021-02-19 01:19:41 id=20085 trace_id=10 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.2.10:58->192.168.1.10:0) from VPN-ISP1. "
2021-02-19 01:19:41 id=20085 trace_id=10 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00000a8a, reply direction"
2021-02-19 01:19:41 id=20085 trace_id=10 func=ipv4_fast_cb line=53 msg="enter fast path"
Ping wrong
Sniffer
9.705700 port4 in 192.168.1.10 -> 192.168.2.10: icmp: echo request
9.705734 VPN-ISP2 out 192.168.1.10 -> 192.168.2.10: icmp: echo request
11.707874 port4 in 192.168.1.10 -> 192.168.2.10: icmp: echo request
11.707893 VPN-ISP2 out 192.168.1.10 -> 192.168.2.10: icmp: echo request
13.708240 port4 in 192.168.1.10 -> 192.168.2.10: icmp: echo request
13.708250 VPN-ISP2 out 192.168.1.10 -> 192.168.2.10: icmp: echo request
15.709971 port4 in 192.168.1.10 -> 192.168.2.10: icmp: echo request
15.709981 VPN-ISP2 out 192.168.1.10 -> 192.168.2.10: icmp: echo request
17.713986 port4 in 192.168.1.10 -> 192.168.2.10: icmp: echo request
17.713996 VPN-ISP2 out 192.168.1.10 -> 192.168.2.10: icmp: echo request
Debug
2021-02-19 01:19:57 id=20085 trace_id=11 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:59->192.168.2.10:2048) fro"
2021-02-19 01:19:57 id=20085 trace_id=11 func=init_ip_session_common line=5625 msg="allocate a new session-00000abf"
2021-02-19 01:19:57 id=20085 trace_id=11 func=vf_ip_route_input_common line=2581 msg="Match policy routing id=2130771970: to 192.168.2.10 via ifindex-11"
2021-02-19 01:19:57 id=20085 trace_id=11 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.10.200.253 via VPN-ISP2"
2021-02-19 01:19:57 id=20085 trace_id=11 func=fw_forward_handler line=783 msg="Allowed by Policy-1:"
2021-02-19 01:19:57 id=20085 trace_id=11 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN-ISP2"
2021-02-19 01:19:57 id=20085 trace_id=11 func=ipsecdev_hard_start_xmit line=842 msg="Failed to find IPsec Common: VPN-ISP2"
2021-02-19 01:19:59 id=20085 trace_id=12 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:59->192.168.2.10:2048) from port4. "
2021-02-19 01:19:59 id=20085 trace_id=12 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00000abf, original direction"
2021-02-19 01:19:59 id=20085 trace_id=12 func=ipv4_fast_cb line=53 msg="enter fast path"
2021-02-19 01:19:59 id=20085 trace_id=12 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN-ISP2"
2021-02-19 01:19:59 id=20085 trace_id=12 func=ipsecdev_hard_start_xmit line=842 msg="Failed to find IPsec Common: VPN-ISP2"
For the mentioned error 'Failed to find IPsec Common', please check this knowledge base article.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Error-Failed-to-find-IPsec-Common/ta-p/194...
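
An added example, not part of the original thread: a small Python parser for debug flow output in the format posted above. It groups lines by trace_id and reports, per IPsec tunnel interface, whether packets were sent or stopped at 'Failed to find IPsec Common'. The function names and outcome labels are this example's own; the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the debug flow output in the post
# (trace 2 is a reply packet that never enters an IPsec interface).
SAMPLE = '''\
2021-02-19 01:19:41 id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN-ISP1"
2021-02-19 01:19:41 id=20085 trace_id=1 func=esp_output4 line=904 msg="IPsec encrypt/auth"
2021-02-19 01:19:41 id=20085 trace_id=1 func=ipsec_output_finish line=622 msg="send to 186.1.1.1 via intf-port2"
2021-02-19 01:19:41 id=20085 trace_id=2 func=vf_ip_route_input_common line=2596 msg="find a route: flag=00000000 gw-192.168.1.10 via port4"
2021-02-19 01:19:57 id=20085 trace_id=11 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN-ISP2"
2021-02-19 01:19:57 id=20085 trace_id=11 func=ipsecdev_hard_start_xmit line=842 msg="Failed to find IPsec Common: VPN-ISP2"
2021-02-19 01:19:59 id=20085 trace_id=12 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN-ISP2"
2021-02-19 01:19:59 id=20085 trace_id=12 func=ipsecdev_hard_start_xmit line=842 msg="Failed to find IPsec Common: VPN-ISP2"
'''

LINE = re.compile(r'trace_id=(\d+) func=(\w+) line=\d+ msg="(.*)"\s*$')
ENTER = re.compile(r'enter IPsec interface-(\S+)')
FAIL = re.compile(r'Failed to find IPsec Common: (\S+)')

def classify(text):
    """Return {trace_id: (tunnel, outcome)} for traces that entered an IPsec interface."""
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a debug flow line
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        entered = ENTER.search(msg)
        if entered:
            traces[tid] = [entered.group(1), "unknown"]
        elif tid in traces and func == "ipsec_output_finish" and msg.startswith("send to "):
            traces[tid][1] = "sent"
        elif tid in traces and FAIL.search(msg):
            traces[tid][1] = "failed_ipsec_common"
    return {t: tuple(v) for t, v in traces.items()}

def per_tunnel(text):
    """Count outcomes per tunnel interface across all traces."""
    counts = defaultdict(lambda: defaultdict(int))
    for tunnel, outcome in classify(text).values():
        counts[tunnel][outcome] += 1
    return {k: dict(v) for k, v in counts.items()}

if __name__ == "__main__":
    for tunnel, outcomes in per_tunnel(SAMPLE).items():
        print(tunnel, outcomes)
```

Run against a full capture, a tunnel whose traces are all `failed_ipsec_common` while the other member shows `sent` points at that one SD-WAN member rather than at policy or routing, since both paths match the same policy route and firewall policy.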