Gents,
Need some help here. I set up S2S. The tunnel is up and both P1 and P2 are up; however, I encounter an issue. The customer can't reach my loopback IP, but the loopback IP can reach and ping the customer IP.
I've attached the diagram and log result for everyone's information. Maybe I missed something here. Btw, it was working on the 1st day and suddenly stopped.
A kind support is highly appreciated.
Regards
HB
Hello @hbuenafe81 ,
Which version do you use?
Can you disable the arp reply on these VIP objects?
config firewall vip
    edit <VIP_NAME>
        set arp-reply disable
    next
end
Hello @hbuenafe81 ,
It looks like a policy or routing issue.
Can you run these commands on cli and share the output with us? While running these commands you need to try to access your site from the customer site.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter daddr 10.2.202.10
diagnose debug flow trace start 100
diagnose debug enable
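As an added example (not from this thread or from Fortinet), a small Python parser over constructed `diagnose debug flow` lines that groups output by trace_id and reports flows hitting the implicit deny (policy 0), so the srcintf/dstintf pair a matching policy would need is visible at a glance. The loopback 172.40.1.1 and the interface names in the sample are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample of `diagnose debug flow` output (not captured from the
# thread): the customer host 10.2.202.10 pings an assumed loopback 172.40.1.1
# through the tunnel interface afaqy-stc, and the reply direction is allowed.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.2.202.10:1->172.40.1.1:2048) from afaqy-stc. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=6063 msg="allocate a new session-00012345"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2601 msg="find a route: flag=80000000 gw-172.40.1.1 via port3"
id=20085 trace_id=1 func=fw_forward_handler line=811 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 172.40.1.1:1->10.2.202.10:2048) from port3. type=8, code=0, id=2, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=6063 msg="allocate a new session-00012346"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2601 msg="find a route: flag=04000000 gw-10.2.202.10 via afaqy-stc"
id=20085 trace_id=2 func=fw_forward_handler line=811 msg="Allowed by Policy-12: SNAT"
"""

RE_TRACE = re.compile(r"trace_id=(\d+)")
RE_PKT = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+?)\.(?:\s|$)")
RE_ROUTE = re.compile(r'find a route: .*? via (\S+)"')
RE_DENY = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
RE_ALLOW = re.compile(r"Allowed by Policy-(\d+)")

def parse_flow(text):
    """Group debug-flow lines by trace_id and extract src/dst, ingress and
    egress interface, and the final verdict (allowed / denied / rpf-fail)."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = RE_TRACE.search(line)
        if not m:
            continue
        t = traces.setdefault(m.group(1), {"verdict": None, "policy": None})
        pkt = RE_PKT.search(line)
        if pkt:
            t.update(proto=int(pkt.group(1)), src=pkt.group(2),
                     dst=pkt.group(3), in_intf=pkt.group(4))
        route = RE_ROUTE.search(line)
        if route:
            t["out_intf"] = route.group(1)
        if "reverse path check fail" in line:  # RPF drop, no policy number
            t["verdict"] = "rpf-fail"
        for verdict, rx in (("denied", RE_DENY), ("allowed", RE_ALLOW)):
            hit = rx.search(line)
            if hit:
                t["verdict"], t["policy"] = verdict, int(hit.group(1))
    return traces

def policy0_drops(text):
    """(src, dst, in_intf, out_intf) for each flow dropped by the implicit deny;
    the in_intf/out_intf pair is the srcintf/dstintf a missing policy needs."""
    return [(t["src"], t["dst"], t["in_intf"], t.get("out_intf"))
            for t in parse_flow(text).values()
            if t["verdict"] == "denied" and t["policy"] == 0]
```

Run `policy0_drops(open("flow.txt").read())` on a saved capture from the CLI session; the ingress interface in the result should match the srcintf of the policy you expect to be hit.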
Hi Ozkanaltas,
Thanks very much for your prompt response. The debug result below shows a policy 0 drop, but I don't know why it suddenly started denying this policy when it was working before.
Your support is highly appreciated.
Regards,
Created on 05-27-2024 11:52 PM Edited on 05-27-2024 11:56 PM
Hi,
Is PING/ICMP allowed in the firewall rule that allows traffic in HQ from srcintf afaqy-stc towards the dstintf port3?
Assuming that port3 is indeed where the destination IP can be found, this can be confirmed with: get router info routing-tables details 10.2.202.10
Hi geek,
Yes, the fact is that I opened all services just for troubleshooting; see below for your perusal.
Hi @hbuenafe81 ,
Do you have a static route for 10.2.202.10 on FortiGate?
Yes. Note that 10.2.202.10 is able to reach the 172.40.0.0/16 subnets; the reverse path policy below shows some traffic.
Can you run diagnose firewall iprope flush and see if it works?
Also, a long shot, but based on other topics found, is the IP 10.2.202.10 used/created in any NAT/VIP on the FGT? Or do you have just a static route on the FGT towards it with the next hop being the router that is connected on port1?
Thanks for the response; however, I feel hesitant about executing this command as it might delete all the policies I have in production.
Understandable, you should use that command with caution.
But in regards to my previous post/questions, is there a chance that a VIP or NAT object is configured with the IP of the router's loopback address?