Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Moxeq
New Contributor II

Created on ‎12-25-2023 10:50 AM

Hub and Spoke VPN issue

Hello Guys.

 

I'm facing issue with the Hub and Spoke topology showed in the picture, I added Spoke1 to newly to the topology and I can ping from any device behind the spokes subnets to the subnet behind the spoke1 but not the reverse!

I can ping from (172.16.11.2) behind Spoke1 to (10.11.22.14) behind the Hub.

But, I can not ping from (172.16.11.2) behind Spoke1 to (172.16.6.28) behind Spoke3 (the reverse ping working!).

the funniest thing is that another IP from the same subnet is pingable! 

when I try to ping (172.16.6.233) it just works fine. 

Any idea? HubANDspokeimage.png

 

MoX, Cybersecurity Engineer
MoX, Cybersecurity Engineer
Labels:
1046
0 Kudos
1 Solution
Moxeq
New Contributor II

Created on ‎12-27-2023 09:34 PM

Hi All,

 

the issue is resolved, but I did a work around, I enabled NAT on the outgoing policy on Spoke1

 

all the other spokes and the hub working without NAT enabled.

 

something bad happened in the routing when it goes out from spoke1 to the other spokes, I did not figure it out yet.

 

If any one has an idea please share it here.

 

Thx

MoX, Cybersecurity Engineer

View solution in original post

MoX, Cybersecurity Engineer
961
0 Kudos
3 REPLIES 3
dbu
Staff
Staff

Created on ‎12-25-2023 03:37 PM Edited on ‎12-25-2023 03:38 PM

Hi @Moxeq ,

Analyzing the provided there is no routing or configuration issue since you are able to ping another IP from same subnet. I would advise to have a look at the configuration of the device which is not reachable. (Ping the gateway and than ping the spoke 1 subnet)

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
1018
0 Kudos
adimailig
Staff
Staff

Created on ‎12-25-2023 04:23 PM Edited on ‎12-25-2023 04:25 PM

As per the behaviour it seems ping is not allowed on destination device 172.16.6.28.
To further confirm that traffic is being received and forwarded by Spoke3 Fortigate, kindly run packet capture (sniffer) or debug flow. 
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

Also please share traceroute to check where the traffic stops.

Best Regards,

Arnold Dimailig
TAC Engineer
1010
0 Kudos
Moxeq
New Contributor II

Created on ‎12-27-2023 09:34 PM

Hi All,

 

the issue is resolved, but I did a work around, I enabled NAT on the outgoing policy on Spoke1

 

all the other spokes and the hub working without NAT enabled.

 

something bad happened in the routing when it goes out from spoke1 to the other spokes, I did not figure it out yet.

 

If any one has an idea please share it here.

 

Thx

MoX, Cybersecurity Engineer
MoX, Cybersecurity Engineer
962
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.