itc
New Contributor II

GRE Tunnel not working after 7.4.1 > 7.4.3

Hi

My GRE tunnel connection is not working after upgrading FortiOS from 7.4.1 > 7.4.3.

Forti shows that the connection is UP, but I have no access to the network.

Checked policies, diagnosed connection and everything looks fine.

Any idea what to check next? How to monitor?

 

Best regards,

Rafal

AEK

Another interesting piece of the puzzle. Can you try removing the GRE interface and creating it again, then reinserting the route?

Also, can you share the GRE interface properties:

show full sys interface greX

And routing DB:

get router info routing-table  (share only relevant entries)

AEK
hbac

Hi @Deltaman,

 

Are you using an IP pool in the firewall policy of the GRE tunnel?

 

Regards, 

Deltaman
New Contributor II

No, just 1 public IP on my PPPoE interface. (NATted on interface without the use of an IP pool)

 

I use NAT because my GRE tunnel comes from a VDOM via VDOM link.

Kangming

What model is your FGT? Can you share the configuration file or ticket id?

 

Thanks

Kangming

itc
New Contributor II

After almost 7h with Fortinet Support on hand, in my case none of the above worked, and it ended up with the conclusion: bug moved to Engineers to work it out, and meanwhile downgrade to 7.4.1:

------------------------------------

anti-spoof check failed,drop

------------------------------------

This log entry causes problems and no one has any idea, for now, WHY.
Wait.. Fortinet: We are developing 7.4.4 - wait...

No solution for this so far...
If any changes come up, I will let you all know.
 
Best regards
 

 

AEK

@itc, thanks for sharing

An anti-spoof check failure should mean the FG has no route back to the sending IP. This consolidates @Deltaman's observation that the GRE route is not added to the routing table.

In that case, manually adding the route should be a good workaround.

AEK
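
A simplified model of the reverse-path (anti-spoof) check described in the reply above, added here as an illustration; it is not part of the thread and not FortiOS code. The interface names, prefixes and the strict/feasible distinction are assumptions constructed for the example, and the drop string only mirrors the log text quoted in the thread.

```python
import ipaddress

DROP = "anti-spoof check failed, drop"  # mirrors the log text quoted in the thread

def routes_to(routes, src_ip):
    """All (prefix_length, device) routes in the table that cover src_ip."""
    src = ipaddress.ip_address(src_ip)
    return [(ipaddress.ip_network(p).prefixlen, dev)
            for p, dev in routes if src in ipaddress.ip_network(p)]

def rpf_check(routes, src_ip, in_dev, strict=False):
    """Model of a reverse-path check for a packet from src_ip arriving on in_dev.

    feasible (default): some route back to the source uses in_dev.
    strict: the best (longest-prefix) route back to the source uses in_dev.
    """
    matches = routes_to(routes, src_ip)
    if strict:
        ok = bool(matches) and max(matches, key=lambda m: m[0])[1] == in_dev
    else:
        ok = any(dev == in_dev for _, dev in matches)
    return "accept" if ok else DROP

# Constructed sample tables: (prefix, outgoing device).
# BEFORE: only the default route and the tunnel's own /30; the remote LAN
# behind the GRE peer (10.20.0.0/24) has no route via gre1.
BEFORE = [("0.0.0.0/0", "pppoe1"), ("10.255.0.0/30", "gre1")]
# AFTER: the workaround from the thread, a manually added route via the tunnel.
AFTER = BEFORE + [("10.20.0.0/24", "gre1")]
# Edge case: a more specific route for part of the remote LAN on another port.
OVERLAP = AFTER + [("10.20.0.0/28", "port2")]

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER), ("overlap", OVERLAP)):
        for strict in (False, True):
            verdict = rpf_check(table, "10.20.0.15", "gre1", strict)
            print(f"{name:8} strict={strict!s:5} 10.20.0.15 on gre1 -> {verdict}")
```

In this model the tunnel's own /30 still passes the check without the extra route, so only traffic sourced from the network behind the peer is dropped.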
hbac

@itc,

 

If you are staying on 7.4.1, please make sure to disable SSLVPN, as it is vulnerable. https://www.fortiguard.com/psirt/FG-IR-24-015

 

Regards, 

kaskipl
New Contributor II

Hello

 

Does anyone know approximately when the GRE problem will be fixed?

 

Regards,

Kangming
Staff

What model is your FGT? Can you share the configuration file or ticket id?

 

Thanks

Kangming

kaskipl
New Contributor II

Hello Kangming

 

My FG is FGVM64, I have the same problem as @infor1.


After updating to 7.4.3 due to the vulnerability in SSLVPN, the logs are showing: "anti-spoof check failed,drop"


None of the solutions found worked.


Local support provided information similar to that obtained by @itc.

 

I'm still patiently waiting for the new FortiOS to solve this.
Hence my question if anyone already knows an approximate term.

 

Regards,
