Support Forum
hbuenafe81
New Contributor III

Fortigate ipsecvpn s2s policy not working but reverse path policy is OK.

Gents,

Need some help here. I set up a site-to-site (s2s) VPN. The tunnel is up and both P1 and P2 are up, however I encounter an issue: the customer can't reach my loopback IP, but the loopback IP can reach and ping the customer IP.

I've attached a diagram and the log result for everyone's information. Maybe I missed something here. Btw, it was working on the 1st day and suddenly stopped.

A kind support is highly appreciated.

[attachment: diagram and log result]

Regards

HB

TBogs
1 Solution
ozkanaltas
Valued Contributor II

Hello @hbuenafe81 ,

Which version do you use?

Can you disable the ARP reply on these VIP objects?

config firewall vip
    edit <VIP_NAME>
        set arp-reply disable
    next
end

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

12 REPLIES
ozkanaltas
Valued Contributor II

Hello @hbuenafe81 ,

It looks like a policy or routing issue.

Can you run these commands on the CLI and share the output with us? While running these commands you need to try to access your site from the customer site.

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter daddr 10.2.202.10
diagnose debug flow trace start 100
diagnose debug enable

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
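Added example (not from this thread or from Fortinet): the flow trace that the commands above produce is the fastest way to see which interface pair and which policy a packet hit, and a "policy 0" verdict means no firewall policy matched at all (the implicit deny). The script below parses trace lines grouped by trace_id, pulls out source, destination, ingress interface, egress interface and verdict, lists the implicit denies, and, following the accepted answer's VIP question, flags denied flows whose destination equals a VIP external IP. The sample trace lines are constructed in the format FortiGate prints (the thread's own output was only posted as an image), the interface names afaqy-stc and port3 are taken from the thread, and the VIP external IP set, the function names and the 172.40.10.5 customer host are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of "diagnose debug flow" output. Trace 1 is the customer
# host pinging the loopback 10.2.202.10 over the tunnel interface and hitting
# the implicit deny; trace 2 is the working reverse direction from the thread.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 172.40.10.5:1->10.2.202.10:2048) from afaqy-stc. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5759 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.2.202.1 via port3"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=1, 10.2.202.10:1->172.40.10.5:2048) from port3. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5759 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-172.40.10.5 via afaqy-stc"
id=20085 trace_id=2 func=fw_forward_handler line=743 msg="Allowed by Policy-12:"
"""

# Hypothetical: external IPs of the VIP objects configured on the FortiGate.
# The thread only asks whether such a VIP exists for the loopback address.
HYPOTHETICAL_VIP_EXTERNAL_IPS: Set[str] = {"10.2.202.10"}

TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(r"\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+?)\.")
ROUTE_RE = re.compile(r'find a route: .*via ([^"\s]+)')
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
ALLOW_RE = re.compile(r"Allowed by Policy-(\d+)")


@dataclass
class Flow:
    """What one trace_id tells us about a single packet's policy lookup."""
    trace_id: int
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    policy: Optional[int] = None
    verdict: Optional[str] = None  # "allowed" or "denied"


def parse_flow_trace(text: str) -> List[Flow]:
    """Group trace lines by trace_id and extract the fields that matter for
    policy troubleshooting: 5-tuple, ingress/egress interface and verdict."""
    flows: Dict[int, Flow] = {}
    for line in text.splitlines():
        tid = TRACE_RE.search(line)
        if not tid:
            continue
        flow = flows.setdefault(int(tid.group(1)), Flow(int(tid.group(1))))
        if m := PKT_RE.search(line):
            flow.proto = int(m.group(1))
            flow.src, flow.dst, flow.in_iface = m.group(2), m.group(3), m.group(4)
        elif m := ROUTE_RE.search(line):
            flow.out_iface = m.group(1)
        elif m := DENY_RE.search(line):
            flow.policy, flow.verdict = int(m.group(1)), "denied"
        elif m := ALLOW_RE.search(line):
            flow.policy, flow.verdict = int(m.group(1)), "allowed"
    return list(flows.values())


def implicit_denies(flows: List[Flow]) -> List[Flow]:
    """Flows dropped by policy 0: no policy matched the interface pair,
    addresses and protocol the trace shows."""
    return [f for f in flows if f.verdict == "denied" and f.policy == 0]


def vip_candidates(flows: List[Flow], vip_external_ips: Set[str]) -> List[Flow]:
    """Flows whose destination is also a VIP external IP; such a destination
    is matched against the VIP object rather than a plain address object."""
    return [f for f in flows if f.dst in vip_external_ips]


def explain(flow: Flow) -> str:
    return (f"trace {flow.trace_id}: {flow.src} -> {flow.dst} proto {flow.proto}, "
            f"in {flow.in_iface} out {flow.out_iface}: {flow.verdict} by policy {flow.policy}")


if __name__ == "__main__":
    parsed = parse_flow_trace(SAMPLE_TRACE)
    for f in parsed:
        print(explain(f))
    for f in vip_candidates(implicit_denies(parsed), HYPOTHETICAL_VIP_EXTERNAL_IPS):
        print(f"trace {f.trace_id}: destination {f.dst} is a VIP external IP; "
              "check the policy's destination object and the VIP's arp-reply setting")
```

On the constructed input the script reports trace 1 (afaqy-stc to port3, destination 10.2.202.10) as an implicit deny and, because that destination is in the VIP set, points at the VIP as the first thing to inspect; trace 2 shows the working reverse path through policy 12, which matches the asymmetry described in the opening post.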
hbuenafe81

Hi Ozkanaltas,

Appreciate much your prompt response. The debug result below shows a policy 0 drop, but I don't know why it was suddenly denying this while it was working before.

[attachment: debug_result.png]

Your support is highly appreciated.

regards,

TBogs
funkylicious

Hi,

Is PING/ICMP allowed in the firewall rule that allows traffic in HQ from srcintf afaqy-stc towards the dstintf port3?

Assuming that port3 is indeed where the destination IP can be found, this can be confirmed with: get router info routing-table details 10.2.202.10

---------------------------
geek
---------------------------
hbuenafe81

Hi geek,

Yes, the fact is that I opened all services just for the troubleshooting, see below for your perusal.

[attachment: policys2s.png]

TBogs
ozkanaltas
Valued Contributor II

Hi @hbuenafe81 ,

Do you have a static route for 10.2.202.10 on FortiGate?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
hbuenafe81

Yes. Note that 10.2.202.10 is able to reach the 172.40.0.0/16 subnets. The reverse path policy below shows some traffic.

[attachment: policys2s.png]

TBogs
funkylicious
SuperUser

Can you run diagnose firewall iprope flush and see if it works?

Also, a long shot, but based on other topics found, is the IP 10.2.202.10 used/created in any NAT/VIP on the FGT? Or do you have just a static route on the FGT towards it with the next hop being the router that is connected on port1?

---------------------------
geek
---------------------------
hbuenafe81

Thanks for the response, however I feel hesitant about executing this command as it might delete all the policies I have in production.

TBogs
funkylicious

Understandable, you should use that command with caution.

But in regards to my previous post/questions, is there a chance that a VIP or NAT object is configured with the IP of the router's loopback address?

---------------------------
geek
---------------------------