Hi
I have a strange bug, i have two fortigate f100 with ipsec connection up and runing, I have sslvpn on one ot then allowing me access to the other side. I can ping all the vms on both side from ssl vpn, I can ping "somes" VM between sites through ipsec. But I have 3 of them 2 Sice a and 1 side b, that I cannot ping through ipsec ( they are pignable from SSL VPN only ) .
I'm new in this forti brand, any tip will be great.
thank you
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-0002f649, original direction"
id=20085 trace_id=20 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSEC-ED, tun_id=0.0.0.0"
id=20085 trace_id=20 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSEC-ED_0"
id=20085 trace_id=20 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
id=20085 trace_id=20 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSEC-ED_0"
id=20085 trace_id=20 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
Check the phase2 selectors on the IPSEC-ED tunnel. Make sure all subnets that need to communicate are allowed.
remote site A shows this on debug,. and dont stop scrolling ( I shutdown 102, but nothing changed)
You have to type "diag debug disable" to stop it, and "diag debug reset" to stop all debugs.
It's also showing all the traffic is allowed but is all in the original direction, there is no reply.
I think the issue is the phase2 on remote site B
check this, it is normal to have to two ipsec tunnel , one with _0
Yep, the tunnel is probably a dialup / dynamic. See: https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/239039/dynamic-tunnel-interface-creatio...
checking the session list I found this
ofld_fail_reason(kernel, drv): not-established/not-established, IPSec-enc-SA-not-offloaded(6)/IPsec-dec-SA-not-offloaded(7)
npu_state_err=04/04
That message is indicating that the session is not being offloaded.
not-established |
A TCP session is not in its established state (proto_state=01). |
|
The option |
Well finally got this working, it was so easy .... NAT !
I need NAt enabled on one policy only on both sides! ( ipsec->lan ) , now the system are replying whitout problem. Fortinet support found that!
That's great to hear. With NAT enabled on the policies the traffic must be matching phase2 of the tunnel now.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1714 | |
1093 | |
752 | |
447 | |
232 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.