- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate 200D (v5.6.2) IPSec VPN to AWS. Traffic ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate 200D (v5.6.2) IPSec VPN to AWS. Traffic makes it to EC2 but not back.
Hi,
I have 2 VPNs UP with AWS VPC. The VPNs are configured with failover so if one goes down the other picks up. Below we can see one VPN is up:
34.232.188.255 169.254.47.44/30 DOWN52.86.222.130 169.254.44.184/30 UP
Info:
1. When I ping from my Fortigate to the EC2, I can see that the EC2 receives the ping request and sends a reply. The reply however never makes it back through the tunnel:tcpdump output on the AWS EC2:12:50:58.923392 IP 169.254.44.186 > 192.168.241.142: ICMP echo request, id 2769612:50:58.923405 IP 192.168.241.142 > 169.254.44.186: ICMP echo reply, id 276963. 2. From the fortigate I can ping both ends of the tunnel which is obvious from the time in ms: execute ping 169.254.44.185
PING 169.254.44.185 (169.254.44.185): 56 data bytes64 bytes from 169.254.44.185: icmp_seq=0 ttl=254 time=13.0 ms64 bytes from 169.254.44.185: icmp_seq=1 ttl=254 time=13.1 ms
execute ping 169.254.44.186
PING 169.254.44.186 (169.254.44.186): 56 data bytes64 bytes from 169.254.44.186: icmp_seq=0 ttl=255 time=0.0 ms64 bytes from 169.254.44.186: icmp_seq=1 ttl=255 time=0.0 ms4. 3. From the EC2 I cannot ping either end of the tunnel.5. SSH fails in the same way. 4. We see ssh session attempts and replies which do not make it back from the EC2:
06:00:30.829303 IP 192.168.241.142.ssh > 169.254.44.186.9589: Flags [S.], seq 2689521519, ack 2166390256, win 26847, options [mss 8961,sackOK,TS val 4354044 ecr 236943444,nop,wscale 7], length 0 06:00:38.633577 IP 169.254.44.186.9589 > 192.168.241.142.ssh: Flags , seq 2166390255, win 5272, options [mss 1318,sackOK,TS val 236945544 ecr 0,nop,wscale 2], length 0
Seems that traffic from the EC2 back to the Fortigate is being blocked yet debug flow on the fortigate shows no attempts or denial:
# execute ssh 192.168.241.142 id=20085 trace_id=2273 func=print_pkt_detail line=5293 msg="vd-root received a packet(proto=6, 169.254.44.186:9589->192.168.241.142:22) from local. flag , seq 2166390255, ack 0, win 5272" id=20085 trace_id=2273 func=init_ip_session_common line=5449 msg="allocate a new session-01a8007c" id=20085 trace_id=2273 func=iprope_dnat_check line=4754 msg="in-[], out-[vpn-23766442-1]" id=20085 trace_id=2273 func=iprope_dnat_tree_check line=835 msg="len=0" id=20085 trace_id=2273 func=iprope_dnat_check line=4767 msg="result: skb_flags-00000000, vid-0, ret-no-match, act-accept, flag-00000000" id=20085 trace_id=2273 func=ipsecdev_hard_start_xmit line=144 msg="enter IPsec interface-vpn-23766442-1" id=20085 trace_id=2273 func=esp_output4 line=1174 msg="IPsec encrypt/auth" id=20085 trace_id=2273 func=ipsec_output_finish line=534 msg="send to 66.162.199.129 via intf-wan1"
Any ideas would be very helpful. Please!!!
Thank you and Best Regards.
- « Previous
-
- 1
- 2
- Next »
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm glad it all worked out for you in the end.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
- « Previous
-
- 1
- 2
- Next »
Related Posts
- FortiGate Forward Traffic freezes when excluding... 73 Views
- FortiGate FGT200F MTU 7.v7.4.3 build2573 (Feature) 72 Views
- SDWAN HA failover time 117 Views
- Possible memory issues with 7.2.8 378 Views
- 2 VIP with same external IPs 209 Views
Labels
-
FortiGate
6,589 -
FortiClient
1,314 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.