Support Forum
inferi
New Contributor

Fortigate static routes and policies don't work with VPN

Hi,

I have static routes and some policies to an IP range that don't work properly in FortiGate #

Yellow works correctly but the other one doesn't.

[screenshots attached: routes and policies]

akristof
Staff

Hello,

A simple debug flow should give you more information about what is happening and why the traffic is not working.

https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow

Adrian
inferi

Doesn't work :(

[screenshot attached: debug flow output]

Toshi_Esumi
Esteemed Contributor III

First, use the destination IP 192.168.1.12 for the filter, then don't specify protocol #.
Then you might need to disable ASIC offloading with "set auto-asic-offload disable" on policy IDs 4 and 5. Don't forget to re-enable it after your test; it would affect performance.

Toshi

inferi

This is the output:

[screenshot attached: debug flow output for 192.168.1.12]

Toshi_Esumi
Esteemed Contributor III

As it's showing at the top, it's going into the tunnel FJBE-FJM. This means the other end of the tunnel is dropping your packets at least for 192.168.1.12. Check the other end.

Toshi

inferi

How? I'm new to FortiGate. You can check the other output from the other IP if you want.

As I said, it looks like the IP 192.168.1.12 comes out through a different interface.

inferi

And this is the output from the IP that works fine:

[screenshot attached: debug flow output for the working IP]

It looks like the IP 192.168.1.12 comes out through a different interface.

But the routes are OK...

Toshi_Esumi
Esteemed Contributor III

The working one from 192.168.140.253 to 192.168.11.106 is, at least, not going into the FJBE-FJM tunnel, as the debug result shows.

While the non-working one, sourced from 172.31.254.2 to 192.168.1.12, is showing what I would expect when a packet goes into a tunnel.

Even if you don't know how to read the sequence, at least you can read the line below:

"enter IPsec interface-FJBE-FJM"

Are those source subnets included in the phase2 network selectors? To run a ping test from the FGT itself, you likely need to set the source with "exe ping-option source" to match the selectors.

Toshi
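The steps suggested in the replies above, collected into one FortiOS CLI session as an added example (not a command listing from the thread or from Fortinet documentation). Policy IDs 4 and 5, tunnel FJBE-FJM and the two addresses are taken from the thread; the trace count and the order of steps are assumptions for a lab test.

```fortios
# Added example: consolidated debug-flow session for the case in this thread.

# 1. Filter on the destination only; no protocol filter, so ICMP, TCP and UDP
#    toward 192.168.1.12 all show up in the trace.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter daddr 192.168.1.12
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 20
diagnose debug enable

# 2. Temporarily disable NP offload on the policies in the path so every
#    packet is handled (and traced) by the CPU. This costs throughput, so
#    it is re-enabled in step 5.
config firewall policy
    edit 4
        set auto-asic-offload disable
    next
    edit 5
        set auto-asic-offload disable
    next
end

# 3. Ping from the FortiGate with a source address that should match the
#    phase2 selectors (assumed here to be 172.31.254.2, as in the thread).
execute ping-options source 172.31.254.2
execute ping 192.168.1.12

# What to look for in the trace: a line containing
#   msg="enter IPsec interface-FJBE-FJM"
# means the packet was routed into the tunnel and left this FortiGate, so a
# missing reply has to be investigated on the remote peer.

# 4. Confirm that the phase2 selectors of the tunnel cover the
#    source/destination pair being tested.
diagnose vpn tunnel list name FJBE-FJM

# 5. Stop tracing and restore offload on both policies.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
config firewall policy
    edit 4
        set auto-asic-offload enable
    next
    edit 5
        set auto-asic-offload enable
    next
end
```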
