Hello,
there is an IPsec site to site between the two firewalls, the subnet behind the firewall is 192.168.111.0/24 and behind Sophos is 192.168.2.0/24, however the last one is NATed to 10.203.40.0/24 because there is a route to the same subnet (2.0/24) on fortigate. The tunnel is up and the connection should be fine, however when I try to ping, only one or two pings are delivered and only when I make the tunnel down and up, I took a sniffer on 192.168.111.12/24 when I try to ping to 10.203.40.10 and it goes out from the fortigate but never returned. Note that the ISP router after the sophos firewall is NOT configured as a bridge, don’t know if that cause the issue. Can you please advise me
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @Moxeq
1. I'd suggest to open technical ticket on Fortinet's Support and provide more detailed network diagram, FortiGate's config and any debug outputs ... like IKE debug from FortiGate .. into it.
2. second advice would be to avoid any overlapped networks. So re-address your network to avoid those overlaps. Avoid need for NAT between private addresses and keep things purely routed.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Hi Tom xSilver,
thanks for your response.
I will open a ticket with the TAC.
Regarding the NAT configuration, Unfortunately it is a must from Sophos side, because I have a route on the core switch behind the FortiGate to the same subnet!
do you suggest any other solutions?
And I want to ask that if the ISP router after the Sophos firewall could cause the ping issue, since it is not configured as a bridge, maybe causes double NAT or something like that.
And I cannot understand why the first two packets delivered and the ping work then goes down.
do a packet capture on Sophos and check the IP which range is showing
Hi there,
Can you try to run debug flow on FortiGate when pinging 10.203.40.10 using the following commands:
diag debug reset
diag debug flow filter addr 10.203.40.10
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999
If the traffic is passing through the Ipsec tunnel correctly, try to do sniffer on the other side to see if the packet arrive and being replied or not.
Please also refer to this document for overlapping Ipsec tunnel "https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/426761/site-to-site-vpn-with...
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.