Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ITC_Techs
New Contributor II

FortiGate

We have an IPsec VPN between FortiGate 60E and SonicWall NSA 2600. The VPN is up and active but no traffic is passing across it.

Dave_Hall
Honored Contributor

Is there a route showing up for the tunnel?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
ITC_Techs
New Contributor II

There is. There is also a policy to allow inbound and outbound traffic

sw2090

Are you sure the tunnel is up completely? Green in the FGT IPsec Monitor only means that phase1 has come up.

diag vpn tunnel list on the CLI will show you if it is completely up.

If it shows the phase2 name somewhere and an "sa=1" behind it, it is up.

Also, it could be something with IKE. Look at my "strange ipsec vpn behavior" thread below for further details.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
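An added example (not from the thread or from Fortinet) of the check sw2090 describes: it parses the output of diag vpn tunnel list, reports for each phase2 (proxyid) whether sa=1 is present, and additionally checks whether a given source/destination pair falls inside the negotiated phase2 selectors, which is the usual reason a policy-based tunnel shows green yet carries nothing. The sample output below is constructed to approximate the FortiOS layout (tunnel names, addresses and serial numbers are made up); paste real output into parse_tunnel_list() to use it.

```python
import re
import ipaddress

# Constructed sample approximating "diagnose vpn tunnel list" output.
# Not captured from a device; names and addresses are invented.
SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to-sonicwall ver=1 serial=1 203.0.113.10:0->198.51.100.20:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=11 ilast=3 olast=3 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
proxyid=to-sonicwall proto=0 sa=0 ref=1 serial=1
  src: 0:10.1.0.0/255.255.255.0:0
  dst: 0:10.2.0.0/255.255.255.0:0
------------------------------------------------------
name=to-branch ver=1 serial=2 203.0.113.10:0->192.0.2.5:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=14 ilast=1 olast=1 ad=/0
stat: rxp=1200 txp=1180 rxb=96000 txb=94400
proxyid=to-branch proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0/255.255.255.0:0
  dst: 0:10.3.0.0/255.255.255.0:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42345/0B replaywin=2048
"""

NAME_RE = re.compile(r"^name=(\S+) ver=\d+ serial=\d+ ([\d.]+):\d+->([\d.]+):\d+", re.M)
PROXY_RE = re.compile(r"^proxyid=(\S+) proto=(\d+) sa=(\d+)", re.M)
SEL_RE = re.compile(r"^\s*(src|dst): \d+:([\d.]+)/([\d.]+):\d+", re.M)


def parse_tunnel_list(text):
    """Return [{name, local_gw, remote_gw, phase2: [{name, sa, src: [nets], dst: [nets]}]}]."""
    tunnels = []
    # Each tunnel is delimited by a dashed separator line.
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        m = NAME_RE.search(chunk)
        if not m:
            continue
        tunnel = {"name": m.group(1), "local_gw": m.group(2),
                  "remote_gw": m.group(3), "phase2": []}
        proxies = list(PROXY_RE.finditer(chunk))
        for i, pm in enumerate(proxies):
            # The selector lines belong to the proxyid block that precedes them.
            end = proxies[i + 1].start() if i + 1 < len(proxies) else len(chunk)
            body = chunk[pm.start():end]
            p2 = {"name": pm.group(1), "sa": int(pm.group(3)), "src": [], "dst": []}
            for sm in SEL_RE.finditer(body):
                net = ipaddress.ip_network(f"{sm.group(2)}/{sm.group(3)}", strict=False)
                p2[sm.group(1)].append(net)
            tunnel["phase2"].append(p2)
        tunnels.append(tunnel)
    return tunnels


def phase2_up(tunnels, tunnel_name):
    """True when the named tunnel has at least one phase2 and every phase2 shows sa>=1.
    sa=0 means no phase2 SA has been negotiated, even if phase1 is green."""
    for t in tunnels:
        if t["name"] == tunnel_name:
            return bool(t["phase2"]) and all(p["sa"] >= 1 for p in t["phase2"])
    return False


def matching_phase2(tunnels, src_ip, dst_ip):
    """(tunnel, proxyid, sa_up) for the first phase2 whose selectors cover the flow, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for t in tunnels:
        for p in t["phase2"]:
            if any(s in n for n in p["src"]) and any(d in n for n in p["dst"]):
                return (t["name"], p["name"], p["sa"] >= 1)
    return None


def diagnose(text, src_ip, dst_ip):
    """One-line verdict for a flow that should cross one of the listed tunnels."""
    tunnels = parse_tunnel_list(text)
    hit = matching_phase2(tunnels, src_ip, dst_ip)
    if hit is None:
        return f"no phase2 selector covers {src_ip} -> {dst_ip}: check phase2 proxy-IDs on both sides"
    tname, pname, up = hit
    if not up:
        return f"{tname}/{pname} covers the flow but sa=0: phase2 never established (compare proposals/selectors)"
    return f"{tname}/{pname} covers the flow and sa=1: phase2 is up, check policy and routing next"


if __name__ == "__main__":
    print(diagnose(SAMPLE, "10.1.0.5", "10.2.0.9"))
    print(diagnose(SAMPLE, "10.1.0.5", "10.3.0.1"))
    print(diagnose(SAMPLE, "10.1.0.5", "10.9.0.1"))
```

The three calls at the bottom cover the three outcomes: selectors match but sa=0 (phase2 never came up), selectors match and sa=1 (tunnel fine, look at policy/route), and no selector covers the flow at all.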
emnoc
Esteemed Contributor III

The "diag debug flow" is your proper way to test this. It will show you if traffic is matching the policy enforcing the route-based tunnel interface, and it will show if the traffic is being encrypted.

On both sides, NSA and FGT, you need policies and routes to be correct and matched.

Ken Felix

PCNSE NSE StrongSwan
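An added example (not from the thread or from Fortinet) of reading a diag debug flow trace the way emnoc describes: for one traced flow it records whether a packet was received, which interface the route lookup chose, whether a policy allowed or denied it, and whether it was handed to IPsec and encrypted, then reports the first step that failed. It assumes a route-based tunnel interface named to-sonicwall. The trace lines are constructed to approximate the FortiOS msg="..." format and are not captured output; the function names, ids and addresses are invented.

```python
import re

# Constructed trace of a flow that makes it into the tunnel (approximation of
# "diagnose debug flow" output, not captured from a device).
FLOW_OK = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.1.0.5:1->10.2.0.9:2048) from internal."
id=20085 trace_id=1 func=init_ip_session_common line=5481 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-198.51.100.20 via to-sonicwall"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-3:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=121 msg="enter IPsec interface-to-sonicwall"
id=20085 trace_id=1 func=esp_output4 line=900 msg="encrypted, and send to 198.51.100.20 with source 203.0.113.10"
"""

# Constructed trace of a flow that is routed to the tunnel but hits no policy.
FLOW_DENIED = """\
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.1.0.5:1->10.2.0.9:2048) from internal."
id=20085 trace_id=2 func=init_ip_session_common line=5481 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-198.51.100.20 via to-sonicwall"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
"""

# Constructed trace of a flow whose route lookup picks the WAN interface instead.
FLOW_MISROUTED = """\
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.1.0.5:1->10.2.0.9:2048) from internal."
id=20085 trace_id=3 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=3 func=fw_forward_handler line=737 msg="Allowed by Policy-1:"
"""

MSG_RE = re.compile(r'msg="([^"]*)"')
ROUTE_RE = re.compile(r"find a route: .* via (\S+)")
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)")


def summarize_flow(trace):
    """Collapse a trace into the facts that matter: received, route_via, policy, denied, encrypted."""
    r = {"received": False, "route_via": None, "policy": None, "denied": False, "encrypted": False}
    for line in trace.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group(1)
        if "received a packet" in msg:
            r["received"] = True
        elif (rm := ROUTE_RE.search(msg)):
            r["route_via"] = rm.group(1)
        elif (pm := POLICY_RE.search(msg)):
            r["policy"] = int(pm.group(1))
        elif "Denied by forward policy check" in msg:
            r["denied"] = True
        elif msg.startswith("encrypted"):
            r["encrypted"] = True
    return r


def verdict(trace, tunnel):
    """Name the first stage at which the flow stopped short of the tunnel."""
    r = summarize_flow(trace)
    if not r["received"]:
        return "no packet seen: traffic never reached the FortiGate (check the host side)"
    if r["route_via"] != tunnel:
        return f"routed via {r['route_via']}, not {tunnel}: fix the static route"
    if r["denied"] or r["policy"] is None:
        return "route ok but no policy matched: add or adjust the firewall policy"
    if not r["encrypted"]:
        return "policy matched but packet was not encrypted: check phase2 selectors and tunnel state"
    return f"routed, allowed by policy {r['policy']} and encrypted into {tunnel}: check the SonicWall side"


if __name__ == "__main__":
    for name, trace in (("ok", FLOW_OK), ("denied", FLOW_DENIED), ("misrouted", FLOW_MISROUTED)):
        print(f"{name}: {verdict(trace, 'to-sonicwall')}")
```

The ordering in verdict() mirrors the order the packet is processed (route lookup before policy lookup before IPsec), so the first failing check is the one to fix; if everything passes on the FGT, the remaining suspects are the peer's policy and selectors, which is where the thread's symptoms point.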
ITC_Techs
New Contributor II

Policies and routes have been verified. We have another FGT101 with a VPN tunnel to the same NSA and all settings match, just no traffic passing to/from the FGT60E.

rwpatterson
Valued Contributor III

On the cheap, where does a traceroute take your traffic?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ITC_Techs
New Contributor II

Traceroute never gets out. All hops time out. Route is set up with destination network and VPN interface selected.

ITC_Techs
New Contributor II

Attached is an excerpt of diag sniffer packet on the VPN tunnel interface. The VPN is policy-based.

isamt

Run a debug to identify if there are any issues with the config:

diagnose debug disable
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 n.n.n.n
diagnose debug app ike 255
diagnose debug enable

where n.n.n.n is the public IP address of your SonicWall firewall.

To end:

diagnose debug disable
diagnose debug reset
