OrtizJorge97
New Contributor

Fortigate AWS VPN Site to Site with RUT951 is up, but communication not bidirectional on sites.

I have a site-to-site VPN mounted between my private subnet (10.0.1.0/24) and a Teltonika RUT951 router subnet (192.168.10.0/24), which is connected to the internet through dial-up (Telcel SIM card). The site-to-site tunnel is up and successfully running on the phase 1 and phase 2 selectors. But I cannot ping or telnet from a server in the private net to the RUT951 router itself, nor to any device behind the router.

But I am able to do ping or telnet successfully from router RUT951 to server in private net.

 

From the FortiGate CLI I tried to ping 192.168.10.1, but no luck.

My guess is the issue should be on the firewall of the RUT951 router, but I am new to this so I need help.

 

I have both policies allowing all access from RUT951 -> PRIVATE NET and PRIVATE NET -> RUT951 like below:

 

PRIVATE NET -> RUT951 policy (this one does not work for ping or telnet, with NAT enabled or disabled; same result).

 

RUT951 -> PRIVATE NET policy (this one works perfectly; I can do ping or telnet).

(Screenshot: Screenshot 2024-12-10 at 5.37.51 p.m..png)

 

Static routes

(Screenshot: Screenshot 2024-12-10 at 5.39.57 p.m..png)

 

IPsec site-to-site tunnel status: success.

(Screenshot: Screenshot 2024-12-10 at 5.44.48 p.m..png)

 

More context:

FortiGate in a VM in AWS.

Private subnet as 10.0.1.0/24 where private server resides.

Public facing subnet 10.0.0.0/24.

My Teltonika RUT951 router subnet is 192.168.10.0/24 (internet access through a Telcel SIM card, not a WAN link as such).

RUT951 router IP address: 192.168.10.1

1 Solution
dingjerry_FTNT

Hi @OrtizJorge97 ,

 

Please specify the source IP for Ping on FGT:

 

execute ping-options source x.x.x.x  // x.x.x.x is the IP assigned to port2

execute ping 192.168.10.1

Regards,

Jerry

Sudarsan
New Contributor II

Hi,

 

From the information you have provided above, I could see NAT is enabled in the security policy. Disable NAT in the policy and clear the session. Then check.

Sudarsan Babu
OrtizJorge97

Could you give me more details on what you mean by "clear session"? Like clearing the browser session?

dingjerry_FTNT

Hi @OrtizJorge97 ,

 

You may run the following CLI commands to clear the sessions:

 

diag sys session filter proto 1

diag sys session clear

Regards,

Jerry
OrtizJorge97

Disabled NAT for the PRIVATE NET -> RUT951 policy and cleared the sessions (second picture), then did a ping, but no luck :(

NAT disabled on the PRIVATE NET -> RUT951 policy rule

 

Cleared the sessions and pinged the router IP

(Screenshot: Screenshot 2024-12-10 at 6.25.54 p.m..png)

 

Ping from the server in the private subnet to the router, but no luck.

 

dingjerry_FTNT

Hi @OrtizJorge97 ,

 

Please specify the source IP for Ping on FGT:

 

execute ping-options source x.x.x.x  // x.x.x.x is the IP assigned to port2

execute ping 192.168.10.1

Regards,

Jerry
OrtizJorge97

Looks like my router is responding, and also the devices behind it.

(Screenshot: Screenshot 2024-12-10 at 6.40.39 p.m..png)

It is weird that from my server in the private net (interface port2, 10.0.1.10) it is not responding to the ping.

dingjerry_FTNT

Hi @OrtizJorge97 ,

 

Please run this CLI command and then reproduce the issue from your server in the private net:

 

diag sniffer packet any 'icmp and host 192.168.10.1' 4

Regards,

Jerry
OrtizJorge97

Hi @dingjerry_FTNT ,

This is the output for:

diag sniffer packet any 'icmp and host 192.168.10.1' 4

 

Nothing is displayed here after doing a ping from the server in the private net.

(Screenshot: Screenshot 2024-12-10 at 8.01.36 p.m..png)

 

And this is from my private server in AWS.

(Screenshot: Screenshot 2024-12-10 at 8.02.37 p.m..png)

 

Just as more context, this is my routing table on the private net:

(Screenshot: Screenshot 2024-12-10 at 8.03.45 p.m..png)

 

I first ran diag sniffer packet any 'icmp and host 192.168.10.1' 4, then did a ping from the private server in the private subnet.

dingjerry_FTNT

Hi @OrtizJorge97 ,

 

No output at all. It means the ping from the private server did not reach FGT port2 at all.

 

On the private server, please make sure that the default gateway is pointing to FGT port2 (10.0.1.10).

Regards,

Jerry
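The last reply narrows the problem to routing on the server side: the sniffer on the FortiGate saw no ICMP, so the server's packets for 192.168.10.0/24 never reached port2. The following is an added example (not code from this thread, Fortinet or Teltonika) that checks where such a packet would actually go by doing a longest-prefix-match lookup over two constructed tables: the server's own `ip route show` output and an AWS VPC route table for the private subnet, since on an EC2 instance the default gateway is the VPC router and the VPC route table decides whether 192.168.10.0/24 is handed to the FortiGate's port2 interface. The VPC CIDR (10.0.0.0/16), the sample server address (10.0.1.25) and the ENI/NAT target ids are assumptions, labelled as placeholders in the code.

```python
"""Trace the next hop a private-subnet server would use for the remote VPN subnet.

Added example for the thread above; the route tables below are constructed
samples, not captures from the poster's environment.
"""
import ipaddress

# Constructed sample: `ip route show` on the AWS private server (10.0.1.0/24).
# In a VPC the instance's default gateway is the VPC router (first usable
# address of the subnet, here 10.0.1.1), not the FortiGate itself.
HOST_ROUTES = """\
default via 10.0.1.1 dev eth0 proto dhcp metric 100
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.25
"""

# Constructed sample VPC route tables as "destination target" pairs.
# The VPC CIDR 10.0.0.0/16 and the target ids are assumptions/placeholders.
# Broken: no entry for 192.168.10.0/24, so it falls to the default route
# and never reaches the FortiGate port2 ENI (matches the empty sniffer output).
VPC_ROUTES_BROKEN = """\
10.0.0.0/16 local
0.0.0.0/0 nat-PLACEHOLDER
"""

# Fixed: the remote VPN subnet is sent to the FortiGate port2 ENI.
VPC_ROUTES_FIXED = """\
10.0.0.0/16 local
192.168.10.0/24 eni-FORTIGATE-PORT2-PLACEHOLDER
0.0.0.0/0 nat-PLACEHOLDER
"""


def parse_ip_route(text):
    """Parse `ip route show` lines into (network, next_hop) tuples.

    next_hop is the gateway after 'via', or 'dev <iface>' for a directly
    connected route.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)
        if "via" in fields:
            hop = fields[fields.index("via") + 1]
        else:
            hop = "dev " + fields[fields.index("dev") + 1]
        routes.append((net, hop))
    return routes


def parse_vpc_table(text):
    """Parse 'cidr target' lines into (network, target) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        routes.append((ipaddress.ip_network(fields[0], strict=False), fields[1]))
    return routes


def longest_prefix_match(routes, dst):
    """Return the (network, hop) with the most specific prefix covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best


def trace(dst, host_text, vpc_text):
    """Return the hops a packet to dst takes: host next hop, then VPC target.

    A directly connected host route ends the trace; anything sent to the VPC
    router is then resolved against the VPC route table.
    """
    host_hop = longest_prefix_match(parse_ip_route(host_text), dst)
    if host_hop is None:
        return []
    hops = [host_hop[1]]
    if host_hop[1].startswith("dev "):
        return hops
    vpc_hop = longest_prefix_match(parse_vpc_table(vpc_text), dst)
    if vpc_hop is not None:
        hops.append(vpc_hop[1])
    return hops


if __name__ == "__main__":
    for label, table in (("broken", VPC_ROUTES_BROKEN), ("fixed", VPC_ROUTES_FIXED)):
        print(label, "->", " -> ".join(trace("192.168.10.1", HOST_ROUTES, table)))
```

With the broken table the trace ends at the NAT target, which is exactly the case where `diag sniffer packet` on the FortiGate shows nothing: the packet was routed elsewhere before it could hit port2. The same lookup works for a non-cloud host, where the fix is the host's own route (or default gateway) pointing at the FortiGate's inside interface rather than a VPC table entry.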