Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
supercato
New Contributor

Fortigate 100F ipsec between 2

Hi

I have a strange bug. I have two FortiGate 100F with an IPsec connection up and running; I have SSL VPN on one of them allowing me access to the other side. I can ping all the VMs on both sides from SSL VPN, and I can ping "some" VMs between sites through IPsec. But I have 3 of them, 2 on site A and 1 on site B, that I cannot ping through IPsec (they are pingable from SSL VPN only).

I'm new to the Forti brand; any tip will be great.

Thank you

supercato
New Contributor

id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-0002f649, original direction"
id=20085 trace_id=20 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSEC-ED, tun_id=0.0.0.0"
id=20085 trace_id=20 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSEC-ED_0"
id=20085 trace_id=20 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"

wmichael

id=20085 trace_id=20 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSEC-ED_0"
id=20085 trace_id=20 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"

Check the phase2 selectors on the IPSEC-ED tunnel. Make sure all subnets that need to communicate are allowed.
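As an added example (not code from this thread or from Fortinet), a small Python script that groups "diagnose debug flow" lines by trace_id, flags any trace that ends in the "No matching IPsec selector, drop" line, and checks that packet's source/destination pair against a list of phase2 selectors. The extra "received a packet" line, the addresses and the selector list are constructed assumptions.

```python
import ipaddress
import re

# Constructed debug-flow sample: the thread's four lines plus a hypothetical "received a packet" line.
SAMPLE_FLOW = """\
id=20085 trace_id=20 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.1.20:1->10.0.2.30:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=1."
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-0002f649, original direction"
id=20085 trace_id=20 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface IPSEC-ED, tun_id=0.0.0.0"
id=20085 trace_id=20 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel IPSEC-ED_0"
id=20085 trace_id=20 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*msg="(.*)"')
PKT_RE = re.compile(r'received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)')

def parse_flow(text):
    """Group debug-flow lines by trace_id into lists of (func, msg)."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
    return traces

def find_selector_drops(traces):
    """Return (trace_id, src, dst, tunnel) for each trace dropped for lack of a phase2 selector."""
    drops = []
    for tid, steps in traces.items():
        src = dst = tunnel = None
        for _func, msg in steps:
            pkt = PKT_RE.search(msg)
            if pkt:
                src, dst = pkt.groups()
            if msg.startswith("output to IPSec tunnel "):
                tunnel = msg.split()[-1]
            if msg == "No matching IPsec selector, drop":
                drops.append((tid, src, dst, tunnel))
    return drops

def selector_matches(selectors, src, dst):
    """True if some phase2 selector (local_net, remote_net) covers the src->dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r) for l, r in selectors)

# Constructed phase2 selectors: 10.0.1.20 falls outside the local 10.0.0.0/24, so it is dropped.
PHASE2 = [("10.0.0.0/24", "10.0.2.0/24")]

if __name__ == "__main__":
    for tid, src, dst, tun in find_selector_drops(parse_flow(SAMPLE_FLOW)):
        print(f"trace {tid}: {src}->{dst} via {tun}, covered by phase2: {selector_matches(PHASE2, src, dst)}")
```

Feed it the real output of `diag debug flow` on the FortiGate and the real phase2 selectors, and any VM whose address is reported as not covered is the one to add to the selector.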

supercato
New Contributor

Remote site A shows this on debug, and it doesn't stop scrolling (I shut down 102, but nothing changed).

wmichael

You have to type "diag debug disable" to stop it, and "diag debug reset" to stop all debugs.
It's also showing that all the traffic is allowed, but it is all in the original direction; there is no reply.

I think the issue is the phase2 on remote site B

supercato
New Contributor

Check this: is it normal to have two IPsec tunnels, one with _0?

johnathan

Yep, the tunnel is probably a dialup / dynamic. See: https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/239039/dynamic-tunnel-interface-creatio...

"Never trust a computer you can't throw out a window."
supercato
New Contributor

Checking the session list, I found this:

ofld_fail_reason(kernel, drv): not-established/not-established, IPSec-enc-SA-not-offloaded(6)/IPsec-dec-SA-not-offloaded(7)
npu_state_err=04/04

wmichael

That message is indicating that the session is not being offloaded.

https://docs.fortinet.com/document/fortigate/7.6.0/hardware-acceleration/734139/diagnose-sys-session...

not-established: A TCP session is not in its established state (proto_state=01).

IPsec-enc-SA-not-offloaded: The option npu-offload is disabled in the IPsec Phase 1 or Phase 1 interface configuration that accepted the session. This reason can also appear if the SA cannot be offloaded.

supercato
New Contributor

Well, finally got this working; it was so easy .... NAT!

I needed NAT enabled on one policy only on both sides (ipsec->lan); now the systems are replying without problem. Fortinet support found that!

wmichael

That's great to hear. With NAT enabled on the policies the traffic must be matching phase2 of the tunnel now.
