Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jeff_the_Network_Guy
New Contributor III

Fortigate won' t communicate via VPN

I have a FortWifi 30D connected via IPSEC VPN to a Fortigate 60C. Behind the FWF30D is an IP-phone that one of our users has at their home office. The phone working normally and can connect to the HQ network via VPN. I have a Fortianalyzer in the same IP range as some of my VOIP equipment that the phone communicates with. I would like to get the FWF30D to send its logs to the Fortianalyzer. I can ping from the FAZ to the FWF30D' s LAN address, and to the IP-phone beyond it. I cannot trace or ping from the FWF30D (via CLI) to the FAZ. It seems like the FWF30D will not send its traffic through its own IPSEC VPN. Any ideas on how to resolve this? Specs: FWF30D v5.0,build4459 (GA) Fortigate 60C v4.0,build0672,130904 (MR3 Patch 15) (yes I know its old) FAZVM64 v5.0.7-build0321 140627 (GA) Prior to the FWF30D we had a FWF50B doing the same thing. The FWF50B died, and we replaced it with the FWF30D.
----------------(-- Jeff
----------------(-- Jeff
2 Solutions
emnoc
Esteemed Contributor III

I don' t think t he VPN policies are going to work here what you need to do to validate. 1: set the ping-option for the source address and then ping the FAZ from cli execute ping-options source y.y.y.y <---- your inside src interface 2: if not , do you have a policy? 3: have you ran diag debug flow ? Next, you know you can set the FAZ source address and also encrypt the traffic via a tunnel from the FGT to the FAZ. e.g config log fortianalyzer setting unset override set status enable <-------enable it !st set ips-archive enable set address-mode static set server 1.1.1.1 <------- here is your FAZ address set encrypt enable <------- enable this for encryption set enc-algorithm high set localid " FGTXXXXXXXXX" <-----this needs to match what your FAZ has for the device name set conn-timeout 30 set monitor-keepalive-period 15 set monitor-failure-retry-period 5 set source-ip y.y.y.y <-------try your inside address end Give that a try and see where it leads you. In our FAZ we have them stuck behind a FGT cluster and just run encrypted tunnels off the FGTs to the remote FAZ. Running the traffic thru a ipsec-vpn-tunnel , is just adding more over head. note: you need to run diag debug flow 1st to see what your fortigate is doing or not doing with the flow.

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
Jeff_the_Network_Guy
New Contributor III

I was able to ping with the internal IP address set as the ping source. I set the source IP for the Fortianalyzer settings, as well as the LocalID and everything started coming through. Thanks for the help!
----------------(-- Jeff

View solution in original post

----------------(-- Jeff
5 REPLIES 5
ShrewLWD
Contributor

Hi Jeff, Let' s rule out a few basic things quick; (You didn' t mention if your IPSEC tunnels are policy or interface) If your tunnels are interface, are you sure you have a firewall policy for each direction, and that neither are NAT' d? If your tunnels are policy based, are you sure that the IPsec firewall policy is set in a higher priority order within the polices, so that the traffic isn' t doesn' t instead go out the general outbound policy?
emnoc
Esteemed Contributor III

I don' t think t he VPN policies are going to work here what you need to do to validate. 1: set the ping-option for the source address and then ping the FAZ from cli execute ping-options source y.y.y.y <---- your inside src interface 2: if not , do you have a policy? 3: have you ran diag debug flow ? Next, you know you can set the FAZ source address and also encrypt the traffic via a tunnel from the FGT to the FAZ. e.g config log fortianalyzer setting unset override set status enable <-------enable it !st set ips-archive enable set address-mode static set server 1.1.1.1 <------- here is your FAZ address set encrypt enable <------- enable this for encryption set enc-algorithm high set localid " FGTXXXXXXXXX" <-----this needs to match what your FAZ has for the device name set conn-timeout 30 set monitor-keepalive-period 15 set monitor-failure-retry-period 5 set source-ip y.y.y.y <-------try your inside address end Give that a try and see where it leads you. In our FAZ we have them stuck behind a FGT cluster and just run encrypted tunnels off the FGTs to the remote FAZ. Running the traffic thru a ipsec-vpn-tunnel , is just adding more over head. note: you need to run diag debug flow 1st to see what your fortigate is doing or not doing with the flow.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Jeff_the_Network_Guy
New Contributor III

I was able to ping with the internal IP address set as the ping source. I set the source IP for the Fortianalyzer settings, as well as the LocalID and everything started coming through. Thanks for the help!
----------------(-- Jeff
----------------(-- Jeff
Druss

We had the same issue, and this SOLVED it. Thanks!

rwpatterson
Valued Contributor III

Mark the post as helpful so others can use it too.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors