itc
New Contributor II

GRE Tunnel not working after 7.4.1 > 7.4.3

Hi

My GRE tunnel connection is not working after upgrading FortiOS from 7.4.1 to 7.4.3.

Forti shows that the connection is UP, but I have no access to the network.

I checked policies, diagnosed the connection, and everything looks fine.

Any idea what to check next? How to monitor?

 

Best regards,

Rafal

36 REPLIES
itc
New Contributor II

I tried upgrading along the suggested path and directly from my version to 7.4.4, and neither worked for me...

Kangming
Staff

diag sys gre list

  RX packets:2669, TX packets:1592, TX carrier_err:0 collisions:3719

Can you see the collisions increasing?


It is recommended to capture packets:
GRE:

# diagnose sniffer packet any "proto 47" 4 0 l
# diagnose sniffer packet any "x.x.x.x and icmp" 4 0 l

Thanks

Kangming

itc
New Contributor II

Result:

#diagnose sniffer packet any "icmp" 4 0 l

[attachment: forti-gre-ping.png]

192.168.1.25 - local PC

192.168.8.3 - device behind GRE

The GRE tunnel is UP; inside the GRE tunnel we have IPsec, which is also UP.

I can ping, but I get no ICMP response.

With nothing else changed, when I go back to 7.4.1, ping and all connections work fine.

My debug:

#diag debug flow filter addr 192.168.8.
#diag debug flow filter proto
#diag debug flow trace start 10
#diag debug flow show function-name enabl

#diag debug console timestamp enabl
#diag debug en

------- RESULT ------------

2024-06-02 09:51:35 id=65308 trace_id=123 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 217.153.10.135:61596->192.168.8.3:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=61596, seq=56027."
2024-06-02 09:51:35 id=65308 trace_id=123 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d06ec, original direction"
2024-06-02 09:51:35 id=65308 trace_id=123 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface CoXXXXX, tun_id=0.0.0.0"
2024-06-02 09:51:35 id=65308 trace_id=123 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel ComXXXX, tun_id=212.xxx.xxx, vrf 0"
2024-06-02 09:51:35 id=65308 trace_id=123 func=ipsec_common_output4 line=901 msg="No matching IPsec selector, drop"
2024-06-02 09:51:36 id=65308 trace_id=124 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.8.3:6xxxx->10.xx.xx.:0) tun_id=212.x.x.x from gre_plus. type=0, code=0, id=61597, seq=55959."
2024-06-02 09:51:36 id=65308 trace_id=124 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d08f7, reply direction"
2024-06-02 09:51:36 id=65308 trace_id=124 func=ipsec_input4 line=281 msg="anti-spoof check failed, drop"
2024-06-02 09:51:36 id=65308 trace_id=125 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 10.x.x.x:xxxx->192.168.8.3:xxx) tun_id=0.0.0.0 from local. type=8, code=0, id=61597, seq=55960."
2024-06-02 09:51:36 id=65308 trace_id=125 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d08f7, original direction"
2024-06-02 09:51:36 id=65308 trace_id=125 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Coxx, tun_id=0.0.0.0"
2024-06-02 09:51:36 id=65308 trace_id=125 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Com-XXX, tun_id=212.x.x.x, vrf 0"
2024-06-02 09:51:36 id=65308 trace_id=125 func=esp_output4 line=876 msg="IPsec encrypt/auth"
2024-06-02 09:51:36 id=65308 trace_id=125 func=ipsec_output_finish line=666 msg="send to 217.x.x.x via intf-wan1"
2024-06-02 09:51:36 id=65308 trace_id=126 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 217.xx.xx.xx->192.168.8.3:xx) tun_id=0.0.0.0 from local. type=8, code=0, id=61599, seq=56028."
2024-06-02 09:51:36 id=65308 trace_id=126 func=init_ip_session_common line=6063 msg="allocate a new session-036d0adc"
2024-06-02 09:51:36 id=65308 trace_id=126 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface CoXXXX, tun_id=0.0.0.0"
2024-06-02 09:51:36 id=65308 trace_id=126 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Com-to-Plus, tun_id=212.x.x.x, vrf 0"
2024-06-02 09:51:36 id=65308 trace_id=126 func=ipsec_common_output4 line=901 msg="No matching IPsec selector, drop"
2024-06-02 09:51:36 id=65308 trace_id=127 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.8.3:xxx->10.x.x.x:0) tun_id=212.x.x.x from gre_plus. type=0, code=0, id=61597, seq=55960."
2024-06-02 09:51:36 id=65308 trace_id=127 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d08f7, reply direction"
2024-06-02 09:51:36 id=65308 trace_id=127 func=ipsec_input4 line=281 msg="anti-spoof check failed, drop"
2024-06-02 09:51:36 id=65308 trace_id=128 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.1.25:1->192.168.8.3:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=546."
2024-06-02 09:51:36 id=65308 trace_id=128 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-0363dece, original direction"
2024-06-02 09:51:36 id=65308 trace_id=128 func=npu_handle_session44 line=1224 msg="Trying to offloading session from lan to gre_plus, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00000101"
2024-06-02 09:51:36 id=65308 trace_id=128 func=fw_forward_dirty_handler line=442 msg="state=00010204, state2=00000005, npu_state=00000101"
2024-06-02 09:51:36 id=65308 trace_id=128 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Com-to-Plus, tun_id=0.0.0.0"
2024-06-02 09:51:36 id=65308 trace_id=128 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Com-to-Plus, tun_id=212.x.x.x, vrf 0"
2024-06-02 09:51:36 id=65308 trace_id=128 func=esp_output4 line=876 msg="IPsec encrypt/auth"
2024-06-02 09:51:36 id=65308 trace_id=128 func=ipsec_output_finish line=666 msg="send to 217.x.x.x via intf-wan1"

 

========================

gate # show full system settings | grep asym
set asymroute disable
set asymroute-icmp disable
set asymroute6 disable
set asymroute6-icmp disable


gate # show full | grep src-check
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check disable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set strict-src-check disable

=======================

MAIN PROBLEM

"anti-spoof check failed, drop"
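As an added example (not from the original post or from Fortinet), a small parser for the debug flow trace above: it groups lines by trace_id, takes the ingress interface from the print_pkt_detail line and records each packet's final verdict, so the two drop reasons stand out without reading every line. The sample lines are constructed after the trace above, with documentation-range addresses in place of the redacted public ones.

```python
import re
from collections import Counter, defaultdict

# Fields shared by every debug flow line: trace_id, function name and quoted message.
LINE_RE = re.compile(
    r'trace_id=(?P<tid>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>.*)"$'
)
# The print_pkt_detail line describes the packet: protocol, addresses and ingress interface.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+)(?::\d+)?'
    r'->(?P<dst>[\d.]+)(?::\d+)?\).* from (?P<intf>\S+)\.'
)

# Constructed sample modelled on the post's trace; public addresses are documentation-range placeholders.
SAMPLE = """\
2024-06-02 09:51:35 id=65308 trace_id=123 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 203.0.113.5:61596->192.168.8.3:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=61596, seq=56027."
2024-06-02 09:51:35 id=65308 trace_id=123 func=ipsec_common_output4 line=901 msg="No matching IPsec selector, drop"
2024-06-02 09:51:36 id=65308 trace_id=124 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.8.3:61597->10.0.0.1:0) tun_id=198.51.100.9 from gre_plus. type=0, code=0, id=61597, seq=55959."
2024-06-02 09:51:36 id=65308 trace_id=124 func=ipsec_input4 line=281 msg="anti-spoof check failed, drop"
di2024-06-02 09:51:36 id=65308 trace_id=128 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.1.25:1->192.168.8.3:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=546."
2024-06-02 09:51:36 id=65308 trace_id=128 func=ipsec_output_finish line=666 msg="send to 203.0.113.5 via intf-wan1"
"""

def parse_flow_trace(text):
    """Group debug flow lines by trace_id and record each packet's fate."""
    traces = defaultdict(lambda: {"proto": None, "src": None, "dst": None,
                                  "in_intf": None, "verdict": "unknown"})
    for raw in text.splitlines():
        m = LINE_RE.search(raw)  # search() tolerates stray copy-paste prefixes like "di2024-..."
        if not m:
            continue
        t, msg = traces[m["tid"]], m["msg"]
        pkt = PKT_RE.search(msg)
        if pkt:
            t.update(proto=int(pkt["proto"]), src=pkt["src"],
                     dst=pkt["dst"], in_intf=pkt["intf"])
        elif msg.endswith(", drop"):
            t["verdict"] = "drop: " + msg[:-len(", drop")]
        elif msg.startswith("send to "):
            t["verdict"] = "forwarded: " + msg
    return dict(traces)

def drop_summary(traces):
    """Count drop reasons per ingress interface, the quickest view of where the tunnel fails."""
    return Counter((t["in_intf"], t["verdict"])
                   for t in traces.values() if t["verdict"].startswith("drop"))

if __name__ == "__main__":
    for (intf, why), n in drop_summary(parse_flow_trace(SAMPLE)).items():
        print(f"{n} x {why} (ingress {intf})")
```

Run against a real capture, the summary separates packets dropped on the way into the IPsec tunnel (no matching selector) from replies dropped on ingress from the GRE interface (anti-spoof), which is what to take to TAC.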

lso
New Contributor

Did you (or TAC) resolve the problem? Because I have the same issue.

infor1
New Contributor II

Unfortunately, on 7.4.4 the GRE tunnel still doesn't work. Which lower firmware works with GRE and is secure with SSL VPN?

It's too bad that Fortinet hasn't solved the problem yet.

Kangming

Hi infor1,

It is recommended to submit a ticket or provide more information.
The problem in this post mainly concerns the collisions:3719 counter in diag sys gre list, which has been fixed in V7.4.5 GA.

You can capture packets, disable NP offload, adjust the MTU, or adjust TCP MSS or other settings to determine the specific problem.

Thanks

Kangming
