Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JLopezM22
New Contributor II

Created on ‎07-06-2022 09:06 AM

Fortigate no Matching IPsec Selector error

i'm trying to fix the following comunication between:

Config VLAN-OBIS-DMZ:

 

 

Spoiler

SS-01 (root) # show system interface VLAN-OBIS-DMZ
config system interface
edit "VLAN-OBIS-DMZ"
set vdom "root"
set ip 192.168.77.1 255.255.255.0
set allowaccess ping https http
set device-identification enable
set role dmz
set snmp-index 91
set interface "STACKSCALE"
set vlanid 3017
next
end

 

 

Config router info:

Spoiler
SS-01 (root) # get router info routing-table details 192.168.77.2

Routing table for VRF=0
Routing entry for 192.168.77.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, VLAN-OBIS-DMZ

Routing entry for 192.168.77.0/24
Known via "static", distance 10, metric 0
directly connected, IPSEC-OBISPADO

SS-01 (root) # get router info routing-table details 192.168.0.102

Routing table for VRF=0
Routing entry for 192.168.0.0/22
Known via "static", distance 10, metric 0, best
* directly connected, IPSEC-OBISPADO

Situation:

2 networks

192.168.77.0/24 DMZ with netscalers
192.168.0.0/22

We want comunicate bidirectionaly

> 192.168.77.0/24 <--> 192.168.0.0/22

For the comunication we have a fortigate with an IPsec Tunnel up.

I'm trying to ping from:

> 1. 192.168.77.2 --> 192.168.0.102
> 2. 192.168.0.102 --> 192.168.77.2

 

In the debug we have:

 

 

Spoiler

id=20085 trace_id=312 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.77.2:27575->192.168.0.102:2048) from VLAN-OBIS-DMZ. type=8, code=0, id=27575, seq=72."
id=20085 trace_id=312 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00398da0, original direction"
id=20085 trace_id=312 func=npu_handle_session44 line=1143 msg="Trying to offloading session from VLAN-OBIS-DMZ to IPSEC-OBISPADO, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x01000000"
id=20085 trace_id=312 func=fw_forward_dirty_handler line=449 msg="state=00010200, state2=00000000, npu_state=01000000"
id=20085 trace_id=312 func=__ip_session_run_tuple line=3241 msg="SNAT 192.168.77.2->10.10.10.1:27575"
id=20085 trace_id=312 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-IPSEC-OBISPADO"
id=20085 trace_id=312 func=ipsec_common_output4 line=876 msg="No matching IPsec selector, drop"
id=20085 trace_id=313 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.77.2:27575->192.168.0.102:2048) from VLAN-OBIS-DMZ. type=8, code=0, id=27575, seq=73."
id=20085 trace_id=313 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00398da0, original direction"
id=20085 trace_id=313 func=npu_handle_session44 line=1143 msg="Trying to offloading session from VLAN-OBIS-DMZ to IPSEC-OBISPADO, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x01000000"
id=20085 trace_id=313 func=fw_forward_dirty_handler line=449 msg="state=00010200, state2=00000000, npu_state=01000000"
id=20085 trace_id=313 func=__ip_session_run_tuple line=3241 msg="SNAT 192.168.77.2->10.10.10.1:27575"
id=20085 trace_id=313 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-IPSEC-OBISPADO"
id=20085 trace_id=313 func=ipsec_common_output4 line=876 msg="No matching IPsec selector, drop"
id=20085 trace_id=314 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.77.2:27575->192.168.0.102:2048) from VLAN-OBIS-DMZ. type=8, code=0, id=27575, seq=74."
id=20085 trace_id=314 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00398da0, original direction"
id=20085 trace_id=314 func=npu_handle_session44 line=1143 msg="Trying to offloading session from VLAN-OBIS-DMZ to IPSEC-OBISPADO, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x01000000"
id=20085 trace_id=314 func=fw_forward_dirty_handler line=449 msg="state=00010200, state2=00000000, npu_state=01000000"
id=20085 trace_id=314 func=__ip_session_run_tuple line=3241 msg="SNAT 192.168.77.2->10.10.10.1:27575"
id=20085 trace_id=314 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-IPSEC-OBISPADO"
id=20085 trace_id=314 func=ipsec_common_output4 line=876 msg="No matching IPsec selector, drop"

Anyone have an idea why?

 

Labels:
3634
0 Kudos
8 REPLIES 8
aionescu
Staff
Staff

Created on ‎07-06-2022 09:27 AM

Hi JLopezM22,

 

From the debug we can see that there is SNAT involved "SNAT 192.168.77.2->10.10.10.1:27575" so traffic will be sourced with IP address 10.10.10.1. 

Is this IP or subnet configured in under the phase2 selectors?

3621
JLopezM22
New Contributor II
In response to aionescu

Created on ‎07-06-2022 09:48 AM Edited on ‎07-06-2022 09:49 AM

Thanks for your reply

 

Yes i have configured the following in the phase2:

 

local address: 10.58.152.0/24

remote address: 192.168.0.0/24

 

the snat is 10.10.10.1 is the physical dmz interface and is disabled. 

3611
aionescu
Staff
Staff
In response to JLopezM22

Created on ‎07-06-2022 10:08 AM

Can you please clarify the statement "the snat is 10.10.10.1 is the physical dmz interface and is disabled"?

As we see in the debug flow the source of the traffic is 10.10.10.1 and, based on the configuration that subnet is not present in the phase2 configuration. Can you add it and see if it works? Also @Toshi_Esumi's observation is correct. Why is there a static route for the same prefix over the tunnel?

3593
0 Kudos
JLopezM22
New Contributor II
In response to aionescu

Created on ‎07-06-2022 12:11 PM

I mean, the snat to 10.10.10.1 is the physic dmz interface and is disables on the fgt. 

JLopezM22_0-1657134603778.png

 

The static route, was a misstake now solved forgot delete it :)

 

 

3577
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎07-06-2022 09:34 AM

I saw your earlier post below and felt something is quite off for your network setting.

https://community.fortinet.com/t5/Fortinet-Forum/error-reverse-path-check-fail-drop/td-p/216782

And now you changed a subnet or adding a new subnet to be reachable over the IPsec?

 

Whatever.... so on this SS-01 FGT you have 192.168.77.0/24(VLAN 3017) on "STACKSCALE" interface locally. Then why do you have a static route for the same subnet toward the IPSec tunnel " IPSEC-OBISPADO"? The static route you need to have toward the tunnel is for the remote subnet, in your description above it's 192.168.0.0/22.

 

Toshi

3618
JLopezM22
New Contributor II
In response to Toshi_Esumi

Created on ‎07-06-2022 10:08 AM Edited on ‎07-06-2022 10:08 AM

Thanks for your reply toshi, 

 

The 192.168.77.0 was a test static route that i must delete. 

 

I already have the rule

 

Spoiler
SS-01 # config vdom

SS-01 (vdom) # edit root
current vf=root:0

SS-01 (root) # config router static

SS-01 (static) # edit "19"

SS-01 (19) # show
config router static
edit 19
set dst 192.168.0.0 255.255.252.0
set device "IPSEC-OBISPADO"
next
end
3595
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to JLopezM22

Created on ‎07-06-2022 10:13 AM

So you're now closing this post and going back to the original one with 10.58.156.0/24 on this SS-01 FGT? 

 

Toshi

3590
0 Kudos
JLopezM22
New Contributor II
In response to Toshi_Esumi

Created on ‎07-06-2022 12:13 PM

About my last post, finally we restore a backup and works for one issue.

3577
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.