
FortiGate x Sophos IPsec VPN with overlapping subnet behind sophos


There is an IPsec site-to-site tunnel between the two firewalls; the subnet behind the FortiGate is and behind Sophos is, however the last one is NATed to because there is a route to the same subnet (2.0/24) on the FortiGate. The tunnel is up and the connection should be fine; however, when I try to ping, only one or two pings are delivered, and only when I bring the tunnel down and up. I took a sniffer capture on when I try to ping to, and the packet goes out from the FortiGate but never returns. Note that the ISP router after the Sophos firewall is NOT configured as a bridge; I don't know if that causes the issue. Can you please advise me?


MoX, Cybersecurity Engineer

Hi @Moxeq 


1. I'd suggest opening a technical ticket with Fortinet Support and providing a more detailed network diagram, the FortiGate's config and any debug outputs, like an IKE debug from the FortiGate.


2. My second piece of advice would be to avoid any overlapping networks. So re-address your network to avoid those overlaps. Avoid the need for NAT between private addresses and keep things purely routed.


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
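To make the overlap/NAT point above concrete, here is an added example (not from the thread or from Fortinet) that checks a remote subnet and its translated range against the routes the FortiGate side already knows, and looks for a free range if you choose to re-address instead. All prefixes are constructed placeholders, since the thread elides its real addresses.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data (the thread does not give its real addresses):
# routes known on the FortiGate / core switch side, and the real vs. NATed
# subnet behind the Sophos.
LOCAL_ROUTES: Dict[str, str] = {
    "192.0.2.0/24": "LAN behind FortiGate",
    "10.10.2.0/24": "core switch route (same prefix as the Sophos LAN)",
    "10.10.3.0/24": "server VLAN",
}
SOPHOS_LAN = "10.10.2.0/24"        # real subnet behind Sophos
SOPHOS_LAN_NAT = "10.10.200.0/24"  # what Sophos translates it to inside the tunnel


def overlaps(prefix: str, routes: Dict[str, str]) -> List[str]:
    """Return a description of every local route that overlaps `prefix`."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [f"{r} ({desc})" for r, desc in routes.items()
            if net.overlaps(ipaddress.ip_network(r, strict=False))]


def check_remote_selector(remote: str, translated: str,
                          routes: Dict[str, str]) -> dict:
    """Decide whether the tunnel's remote selector can be routed locally.

    raw_overlaps: local routes colliding with the real remote subnet
    nat_overlaps: local routes colliding with the NATed remote subnet
    selector:     the remote range the local phase-2 selector / route must use
    """
    raw = overlaps(remote, routes)
    nat = overlaps(translated, routes)
    return {
        "raw_overlaps": raw,
        "nat_overlaps": nat,
        "nat_required": bool(raw),   # the real subnet clashes locally
        "nat_usable": not nat,       # the translated subnet is clean
        "selector": translated if raw else remote,
    }


def first_free_subnet(pool: str, routes: Dict[str, str],
                      new_prefix: int = 24) -> Optional[str]:
    """First subnet of `pool` (sized `new_prefix`) that collides with no local
    route; a candidate when re-addressing one side instead of NATing."""
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=new_prefix):
        if not overlaps(str(cand), routes):
            return str(cand)
    return None  # nothing free in that pool
```

Run `check_remote_selector(SOPHOS_LAN, SOPHOS_LAN_NAT, LOCAL_ROUTES)` to see the clash that forces the NAT, and `first_free_subnet("10.10.0.0/22", LOCAL_ROUTES)` for a range that would need no NAT at all.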


Hi Tom xSilver,

thanks for your response.


I will open a ticket with the TAC.

Regarding the NAT configuration, unfortunately it is a must from the Sophos side, because I have a route on the core switch behind the FortiGate to the same subnet!


Do you suggest any other solutions?


And I want to ask whether the ISP router after the Sophos firewall could cause the ping issue, since it is not configured as a bridge; maybe it causes double NAT or something like that.


And I cannot understand why the first two packets are delivered and the ping works, then goes down.

MoX, Cybersecurity Engineer

Do a packet capture on Sophos and check which IP range is showing.


Hi there,

Can you try to run debug flow on the FortiGate when pinging, using the following commands:

diag debug reset
diag debug flow filter addr
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999

If the traffic is passing through the IPsec tunnel correctly, try to run a sniffer on the other side to see whether the packets arrive and are being replied to or not.

Please also refer to this document for overlapping IPsec tunnels:


