I'm trying to fix the following communication between:
Config VLAN-OBIS-DMZ:
SS-01 (root) # show system interface VLAN-OBIS-DMZ
config system interface
edit "VLAN-OBIS-DMZ"
set vdom "root"
set ip 192.168.77.1 255.255.255.0
set allowaccess ping https http
set device-identification enable
set role dmz
set snmp-index 91
set interface "STACKSCALE"
set vlanid 3017
next
end
Config router info:
SS-01 (root) # get router info routing-table details 192.168.0.102
Routing table for VRF=0
Routing entry for 192.168.0.0/22
Known via "static", distance 10, metric 0, best
* directly connected, IPSEC-OBISPADO
Situation:
2 networks
192.168.77.0/24 DMZ with NetScalers
192.168.0.0/22
We want to communicate bidirectionally
> 192.168.77.0/24 <--> 192.168.0.0/22
For the communication we have a FortiGate with an IPsec tunnel up.
I'm trying to ping from:
> 1. 192.168.77.2 --> 192.168.0.102
> 2. 192.168.0.102 --> 192.168.77.2
In the debug we have:
id=20085 trace_id=312 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.77.2:27575->192.168.0.102:2048) from VLAN-OBIS-DMZ. type=8, code=0, id=27575, seq=72."
id=20085 trace_id=312 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00398da0, original direction"
id=20085 trace_id=312 func=npu_handle_session44 line=1143 msg="Trying to offloading session from VLAN-OBIS-DMZ to IPSEC-OBISPADO, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x01000000"
id=20085 trace_id=312 func=fw_forward_dirty_handler line=449 msg="state=00010200, state2=00000000, npu_state=01000000"
id=20085 trace_id=312 func=__ip_session_run_tuple line=3241 msg="SNAT 192.168.77.2->10.10.10.1:27575"
id=20085 trace_id=312 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-IPSEC-OBISPADO"
id=20085 trace_id=312 func=ipsec_common_output4 line=876 msg="No matching IPsec selector, drop"
id=20085 trace_id=313 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.77.2:27575->192.168.0.102:2048) from VLAN-OBIS-DMZ. type=8, code=0, id=27575, seq=73."
id=20085 trace_id=313 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00398da0, original direction"
id=20085 trace_id=313 func=npu_handle_session44 line=1143 msg="Trying to offloading session from VLAN-OBIS-DMZ to IPSEC-OBISPADO, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x01000000"
id=20085 trace_id=313 func=fw_forward_dirty_handler line=449 msg="state=00010200, state2=00000000, npu_state=01000000"
id=20085 trace_id=313 func=__ip_session_run_tuple line=3241 msg="SNAT 192.168.77.2->10.10.10.1:27575"
id=20085 trace_id=313 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-IPSEC-OBISPADO"
id=20085 trace_id=313 func=ipsec_common_output4 line=876 msg="No matching IPsec selector, drop"
id=20085 trace_id=314 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.77.2:27575->192.168.0.102:2048) from VLAN-OBIS-DMZ. type=8, code=0, id=27575, seq=74."
id=20085 trace_id=314 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-00398da0, original direction"
id=20085 trace_id=314 func=npu_handle_session44 line=1143 msg="Trying to offloading session from VLAN-OBIS-DMZ to IPSEC-OBISPADO, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x01000000"
id=20085 trace_id=314 func=fw_forward_dirty_handler line=449 msg="state=00010200, state2=00000000, npu_state=01000000"
id=20085 trace_id=314 func=__ip_session_run_tuple line=3241 msg="SNAT 192.168.77.2->10.10.10.1:27575"
id=20085 trace_id=314 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-IPSEC-OBISPADO"
id=20085 trace_id=314 func=ipsec_common_output4 line=876 msg="No matching IPsec selector, drop"
Anyone have an idea why?
Hi JLopezM22,
From the debug we can see that there is SNAT involved ("SNAT 192.168.77.2->10.10.10.1:27575"), so the traffic will be sourced from IP address 10.10.10.1.
Is this IP or subnet configured under the phase2 selectors?
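As an added example (not part of the thread, and not Fortinet code), a small Python checker that applies the reasoning of this reply to the posted debug flow: it parses the trace lines, takes the post-SNAT source as the address that actually enters the tunnel, and tests it against the phase2 selector pairs. The sample trace is the trace_id=312 lines from the question, trimmed to what the check needs; the "posted" selectors are the ones quoted later in the thread, and the "fixed" selector pair covering the two LANs is an assumption for illustration.

```python
import ipaddress
import re

# Constructed sample input: one ICMP echo from the "diagnose debug flow" trace
# posted above (trace_id=312), trimmed to the lines the check needs.
SAMPLE_TRACE = """\
id=20085 trace_id=312 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 192.168.77.2:27575->192.168.0.102:2048) from VLAN-OBIS-DMZ. type=8, code=0, id=27575, seq=72."
id=20085 trace_id=312 func=__ip_session_run_tuple line=3241 msg="SNAT 192.168.77.2->10.10.10.1:27575"
id=20085 trace_id=312 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-IPSEC-OBISPADO"
id=20085 trace_id=312 func=ipsec_common_output4 line=876 msg="No matching IPsec selector, drop"
"""

# Phase 2 selectors (local, remote) as quoted later in the thread.
POSTED_SELECTORS = [("10.58.152.0/24", "192.168.0.0/24")]
# Assumed corrected selectors covering the two LANs named in the question.
ASSUMED_FIXED_SELECTORS = [("192.168.77.0/24", "192.168.0.0/22")]

PKT_RE = re.compile(r"received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)")
SNAT_RE = re.compile(r'msg="SNAT [\d.]+->([\d.]+):\d+"')
DROP_MSG = 'msg="No matching IPsec selector, drop"'


def parse_trace(text):
    """Group debug-flow lines by trace_id and pull out the fields the check needs."""
    flows = {}
    for line in text.splitlines():
        tid = re.search(r"trace_id=(\d+)", line)
        if not tid:
            continue
        f = flows.setdefault(tid.group(1),
                             {"src": None, "dst": None, "snat_src": None, "ipsec_drop": False})
        pkt = PKT_RE.search(line)
        if pkt:
            f["src"], f["dst"] = pkt.group(1), pkt.group(2)
        snat = SNAT_RE.search(line)
        if snat:
            # The address the packet actually carries when it reaches the tunnel.
            f["snat_src"] = snat.group(1)
        if DROP_MSG in line:
            f["ipsec_drop"] = True
    return flows


def matching_selector(src, dst, selectors):
    """Return the (local, remote) pair that covers src->dst, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return (local, remote)
    return None


def diagnose(flows, selectors):
    """Per flow: the post-NAT source and whether any selector covers it (before and after NAT)."""
    report = {}
    for tid, f in flows.items():
        eff_src = f["snat_src"] or f["src"]
        report[tid] = {
            "effective_src": eff_src,
            "pre_nat_match": matching_selector(f["src"], f["dst"], selectors),
            "post_nat_match": matching_selector(eff_src, f["dst"], selectors),
            "ipsec_drop": f["ipsec_drop"],
        }
    return report


def explain(report):
    """One verdict line per trace_id."""
    lines = []
    for tid, r in report.items():
        if r["post_nat_match"]:
            lines.append(f"trace {tid}: {r['effective_src']} covered by {r['post_nat_match']}")
        elif r["pre_nat_match"]:
            lines.append(f"trace {tid}: selector covers the pre-NAT source but SNAT rewrites it to "
                         f"{r['effective_src']}; disable NAT on the policy or add that address")
        else:
            lines.append(f"trace {tid}: neither pre- nor post-NAT source matches any selector")
    return lines


if __name__ == "__main__":
    flows = parse_trace(SAMPLE_TRACE)
    for sel in (POSTED_SELECTORS, ASSUMED_FIXED_SELECTORS):
        print(sel)
        for verdict in explain(diagnose(flows, sel)):
            print("  " + verdict)
```

With the posted selectors neither the original source 192.168.77.2 nor the NAT address 10.10.10.1 matches, so the drop is expected. With the assumed corrected pair the pre-NAT source matches but the post-NAT one still does not, which is the case this reply is pointing at: either NAT must be off on the policy that sends traffic into the tunnel, or the NAT address has to be part of the phase2 local selector.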
Created on 07-06-2022 09:48 AM Edited on 07-06-2022 09:49 AM
Thanks for your reply.
Yes, I have configured the following in the phase2:
local address: 10.58.152.0/24
remote address: 192.168.0.0/24
The SNAT 10.10.10.1 is the physical DMZ interface and is disabled.
Can you please clarify the statement "The SNAT 10.10.10.1 is the physical DMZ interface and is disabled"?
As we see in the debug flow, the source of the traffic is 10.10.10.1 and, based on the configuration, that subnet is not present in the phase2 configuration. Can you add it and see if it works? Also @Toshi_Esumi's observation is correct. Why is there a static route for the same prefix over the tunnel?
I mean, the SNAT to 10.10.10.1 is the physical DMZ interface and it is disabled on the FGT.
The static route was a mistake, now solved; I forgot to delete it :)
I saw your earlier post below and felt something is quite off for your network setting.
https://community.fortinet.com/t5/Fortinet-Forum/error-reverse-path-check-fail-drop/td-p/216782
And now you changed a subnet or adding a new subnet to be reachable over the IPsec?
Whatever.... so on this SS-01 FGT you have 192.168.77.0/24 (VLAN 3017) on the "STACKSCALE" interface locally. Then why do you have a static route for the same subnet toward the IPsec tunnel "IPSEC-OBISPADO"? The static route you need to have toward the tunnel is for the remote subnet; in your description above it's 192.168.0.0/22.
Toshi
Created on 07-06-2022 10:08 AM Edited on 07-06-2022 10:08 AM
Thanks for your reply, Toshi.
The 192.168.77.0 was a test static route that I must delete.
I already have the rule.
So you're now closing this post and going back to the original one with 10.58.156.0/24 on this SS-01 FGT?
Toshi
About my last post: finally we restored a backup and it works for one issue.