Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: FortiGate IPSec - wrong interface detected for...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate IPSec - wrong interface detected for incoming traffic
We have an IPSec tunnel between two FortiGate devices - FG500E and FG40F, both running version 7.0.14.
The IPSec is established without any problems, but the traffic inside the tunnel has some very strange issue. The tunnel IP addresses are 10.0.66.16/32 and 10.0.66.17/32.
The FG500E device sends the packets inside the tunnel, but when it receives the response, for example ping requests, it sees the traffic as received from the VLAN interface on which is built the tunnel, thus discarding the traffic. As a result the two tunnel interface ends cannot ping each other and the communication is not possible, as we use iBGP for routing.
Has anyone experienced some similar issue and how to fix this?
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
21 REPLIES 21
Created on 02-23-2024 05:38 AM Edited on 02-23-2024 05:39 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Changing it fixed the tunnel list:
# diagnose vpn ike gateway list name O-BLA-DIS-PRIM
vd: root/0
name: O-BLA-DIS-PRIM
version: 2
interface: MAN_A1 50
addr: 192.168.3.3:500 -> 192.168.2.147:500
tun_id: 10.0.0.7/::10.0.0.7
remote_location: 0.0.0.0
network-id: 0
virtual-interface-addr: 10.0.66.16 -> 10.0.66.17
created: 72s ago
peer-id: 192.168.2.147
peer-id-auth: no
PPK: no
IKE SA: created 1/2 established 1/2 time 40/40/40 ms
IPsec SA: created 1/2 established 1/2 time 0/20/40 ms
id/spi: 1737727 3a88af8db8e17aee/96af44d0b91286b5
direction: initiator
status: established 72-72s ago = 40ms
proposal: aes256-sha512
child: no
SK_ei: 042ae9cd5dd246c3-5bdc008ff5212a50-0b9b73d5f2deb9ff-3de3ab28ca4153e8
SK_er: db7b49224f01248b-5b5afac75eda4b23-fc07e67a1769706a-3a4655dda207bac3
SK_ai: f654fa57b3b0f1fb-b3af20bb101dac09-311202eb1a49e30b-a0d38662f3c3b155-a35f2873363492e7-6abefe1f89824667-cbb3779d980a1693-f45a2734ad8b5a0e
SK_ar: 13101d40b1232522-3bb0f1463bcb1f34-2ad5a25a247fc74e-46bb975d2853aff8-96ade2286492f255-2cabee48beab9580-89a3c1d8e75e5a51-e4b157f42913f141
PPK: no
message-id sent/recv: 2/0
lifetime/rekey: 86400/86027
DPD sent/recv: 00000000/00000000
peer-id: 192.168.2.147
Unfortunately this did not fixed the issue:
024-02-23 15:33:26.332425 MAN_A1 in 10.0.66.17 -> 10.0.66.16: icmp: echo request
2024-02-23 15:33:27.342967 MAN_A1 in 10.0.66.17 -> 10.0.66.16: icmp: echo request
2024-02-23 15:33:28.353048 MAN_A1 in 10.0.66.17 -> 10.0.66.16: icmp: echo request
2024-02-23 15:33:29.363068 MAN_A1 in 10.0.66.17 -> 10.0.66.16: icmp: echo request
2024-02-23 15:33:30.373120 MAN_A1 in 10.0.66.17 -> 10.0.66.16: icmp: echo request
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried pinging from a host behind the firewall instead? You can also run packet sniffer on the other side of the tunnel.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not possible, as I need to run the iBGP first!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue you're describing with the FortiGate IPSec tunnel is quite specific and could have several potential causes. Here are some steps you can take to troubleshoot and fix the problem:
1. Verify Interface Configuration:
- Double-check the interface configuration on both FG500E and FG40F. Ensure that the tunnel interface is correctly defined with the assigned IP addresses (10.0.66.16/32 and 10.0.66.17/32) and associated with the appropriate physical interface where the IPSec traffic arrives.
- Verify that the firewall policies on both devices allow traffic through the tunnel interface for the desired protocols (e.g., ICMP for pings, TCP/UDP for other communication).
2. Check Routing Configuration:
- Make sure the routing tables on both devices correctly route traffic destined for the tunnel IP addresses through the IPSec tunnel interface.
- Verify that static routes or dynamic routing protocols (e.g., OSPF, BGP) are configured correctly to send traffic through the tunnel.
3. Inspect Traffic Logs:
- Enable logging on both devices for the IPSec tunnel interface and analyze the logs when attempting to ping or send other traffic through the tunnel. This can help identify dropped packets and the reason for their discard.
- Pay attention to any error messages or warnings related to interface mismatch or routing issues.
4. Consider FortiGate Support:
- If the above steps don't resolve the issue, it's recommended to contact FortiGate support for further assistance. They can provide deeper insights into the specific configuration and potential bugs related to your FortiGate devices and software version.
By following these steps and potentially involving FortiGate support, you should be able to identify the root cause of the "wrong interface detected" issue and get your IPSec tunnel functioning correctly.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please provide your route information as well.
# get router info routing-table deatils 10.0.66.17
Also try to ping a host behind each firewall instead of pinging the tunnel IP and share the outputs.
Based on the tunnel details you have shared earlier, we could clearly see traffic being received and decrypted and no traffic are returned because encrypted count is 0.
dec:pkts/bytes=16/1056, enc:pkts/bytes=0/0
Best Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
# get router info routing-table details 10.0.66.17
Routing table for VRF=0
Routing entry for 10.0.66.17/32
Known via "static", distance 5, metric 0, best
* via O-BLA-DIS-PRIM tunnel 10.0.0.7, tun_id
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also it is not possible to ping from IP behind the firewall, because the reason I need those IP addresses see each other is to run iBGP on the tunnel, like we did with the other devices we use.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create static routes for testing purposes. Also, please open a ticket with Fortinet TAC to further investigate the issue.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not understand - what kind of static routes do you mean and why?
We have proper routing on both sides:
- on external interfaces we are able to establish the VPN;
- on tunnel - there is a routing for the tunnel interfaces on both sides!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From the details you have shared in the Forum, it almost looks like you have a proper configuration as we indeed see the traffic exiting the remote firewall through the tunnel interface, but unfortunately on the other side the traffic is not see as leaving as the decrypted bytes are still 0 even though you have proper route in place.
My suggestion to you is to involve Fortinet Support for detailed troubleshooting of this issue with a remote session.
Best Regards,
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- fortigate 7.0.16 block all public ip... 141 Views
- Traffic Shaping Configuration Issue Affecting ... 100 Views
- FortiEMS and AutoConnect/AlwaysUP 330 Views
- VXLAN over IPSEC 116 Views
- primary and seconary WAN connection for... 177 Views
Labels
-
FortiGate
8,481 -
FortiClient
1,719 -
5.2
801 -
FortiManager
713 -
5.4
639 -
FortiAnalyzer
548 -
FortiAP
460 -
FortiSwitch
457 -
6.0
416 -
FortiClient EMS
408 -
5.6
362 -
FortiMail
309 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
222 -
FortiWeb
200 -
5.0
196 -
IPsec
186 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
75 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
Fortivoice
53 -
FortiADC
53 -
High Availability
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
DNS
40 -
Routing
39 -
BGP
39 -
LDAP
38 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiPortal
19 -
SSL SSH inspection
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1662 | |
| 1077 | |
| 752 | |
| 443 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.