Hello everyone,

I’m currently experiencing some issues with our Site-to-Site VPN (fortiOS 7.0.12) that was previously functioning without any problems. It seems that the NAT IP pool is not properly translating the source address, which is causing issues during the Phase 2 negotiation.

As a result, the remote site is unable to establish a proper connection to exit the tunnel. I suspect that this misconfiguration might be affecting the traffic routing and connectivity.

If anyone has encountered a similar issue or has suggestions on how to troubleshoot this, I would greatly appreciate your input!

FGTAZ-VM01 # diagnose debug reset

FGTAZ-VM01 # diagnose debug flow filter clear

FGTAZ-VM01 # diagnose debug flow filter addr 192.168.110.11

FGTAZ-VM01 # diagnose debug flow show function-name enable
show function name

FGTAZ-VM01 # diagnose debug flow trace start 100

FGTAZ-VM01 # diagnose debug enable

FGTAZ-VM01 # id=20085 trace_id=2 func=print_pkt_detail line=5844 msg="vd-root:0 received a packet(proto=1, 10.0.1.6:7390->192.168.110.11:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=7390, seq=814."

id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5930 msg="Find an existing session, id-000000ed, original direction"
id=20085 trace_id=2 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=2 func=ip_session_run_all_tuple line=7156 msg="SNAT 10.0.1.6->10.0.11.17:7390"
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VPN-IPSEC, tun_id=0.0.0.0"
id=20085 trace_id=2 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VPN-IPSEC"
id=20085 trace_id=2 func=ipsec_common_output4 line=778 msg="No matching IPsec selector, drop"

Thank you in advance for your help!