Hello,
A simple debug flow should give you more information about what is happening and why the traffic is not working.
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow
Doesn't work :(
First, use the destination IP 192.168.1.12 for the filter, and don't specify a protocol #.
Then you might need to disable ASIC offloading with "set auto-asic-offload disable" on policy IDs 4 and 5. Don't forget to re-enable it after your test. It would affect its performance.
Toshi
this is the output
As it's showing at the top, it's going into the tunnel FJBE-FJM. This means the other end of the tunnel is dropping your packets at least for 192.168.1.12. Check the other end.
Toshi
How? I'm new to FortiGate. You can check the other output from the other IP if you want.
As I said, it looks like the IP 192.168.1.12 comes out through the different interface.
And this is the output from the IP that works fine.
It looks like the IP 192.168.1.12 comes out through the different interface.
But the routes are OK...
The working one, from 192.168.140.253 to 192.168.11.106, is at least not going to the FJBE-FJM tunnel, as the debug result is showing.
The non-working one, which is sourced from 172.31.254.2 to 192.168.1.12, is showing what I would expect when a packet is going into a tunnel.
Even if you don't know how to read the sequence, at least you can read below:
"enter IPsec interface-FJBE-FJM"
Are those source subnets included in the phase2 network selectors? To run a ping test from the FGT itself, you likely need to set the source with "exe ping-option source" to match the selectors.
Toshi
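Added example, not part of any reply in this thread: a small Python script that groups `diagnose debug flow` lines by trace_id and reports which traces entered an IPsec interface, the same check that is read off by eye above. The sample lines are constructed (function names, line numbers, `lan` and `port2` are assumptions); only the IP addresses and the tunnel name come from the thread.

```python
import re

# Constructed sample in the usual "diagnose debug flow" line layout.
# Function names, line numbers, "lan" and "port2" are assumptions;
# only the IP addresses and the tunnel name come from the thread.
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 172.31.254.2:1->192.168.1.12:2048) from local. type=8, code=0, id=1, seq=0."
id=20085 trace_id=1 func=init_ip_session_common line=5666 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-FJBE-FJM"
id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 192.168.140.253:1->192.168.11.106:2048) from lan. type=8, code=0, id=1, seq=0."
id=20085 trace_id=2 func=vf_ip_route_input_common line=2598 msg="find a route: flag=04000000 gw-192.168.11.106 via port2"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"\s*$')
PKT_RE = re.compile(r"received a packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)")
IPSEC_RE = re.compile(r"enter IPsec interface-(\S+)")
ROUTE_RE = re.compile(r"find a route: .* via (\S+)")


def summarize(text):
    """Group debug flow lines by trace_id and pull out the routing decision."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # skip prompts, blank lines and anything not in trace format
        t = traces.setdefault(
            int(m.group(1)),
            {"src": None, "dst": None, "ipsec": None, "route_via": None},
        )
        msg = m.group(2)
        if p := PKT_RE.search(msg):
            t["src"], t["dst"] = p.groups()
        elif i := IPSEC_RE.search(msg):
            t["ipsec"] = i.group(1)
        elif r := ROUTE_RE.search(msg):
            t["route_via"] = r.group(1)
    return traces


def verdict(t):
    """One-line reading of a trace, mirroring the by-eye check in the thread."""
    if t["ipsec"]:
        return f'{t["src"]} -> {t["dst"]}: entered IPsec interface {t["ipsec"]}'
    return f'{t["src"]} -> {t["dst"]}: no IPsec interface (route via {t["route_via"]})'


if __name__ == "__main__":
    for tid, t in summarize(SAMPLE).items():
        print(tid, verdict(t))
```

A trace that reports an IPsec interface has left the local firewall policy path, so the next things to check are the phase2 selectors and the remote end of that tunnel.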