Support Forum
ergalez
New Contributor

IPsec tunnel interface is UP, but I can't ping a remote PC

Hi, I have two FortiGates, a 60E and a 20C, and I have established IPsec tunnels for a site-to-site VPN. The tunnel appears to be up on both FortiGates, but I cannot ping between the LAN networks. I have set the static route and added the access policies. I don't know what else to do. And if I check the IPsec monitor, I see that there is incoming and outgoing traffic.

(screenshot: evidencia.png)

Shivasagar
Staff

Hello,
In the firewall policy, are you logging all allowed traffic? Do you see any Rx for a particular log entry, or only Tx?
You can get more information about the traffic using the debug flow below, with appropriate filters.
https://docs.fortinet.com/document/fortigate/6.2.3/cookbook/54688/debugging-the-packet-flow
This would show you where the packet is going.

ergalez

Hi Shivasagar, thank you. Yes, in the firewall policy I am logging all allowed traffic. With the packet debug flow I see the packet that I send arriving on the VPN interface in both FortiGates. But it still doesn't ping; what I notice in both FortiGates on the IPsec monitor is that there is only Outgoing Data and no Incoming Data.

I don't know what else to do. I deleted the VPNs and recreated them, I flushed and reset the tunnel, and it remains the same :(

rwpatterson
Valued Contributor III

Make sure that the administrative distance of the static routes for the tunnels is a smaller number than that of the default route.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ergalez

Hi Bob, thanks for your time. I have configured the static route with distance 1 in both FortiGates, but I still can't ping. If you have time, and even if there is a cost involved, could you help me solve this problem, please?

(screenshots: Static1.png, Static2.png)

Shivasagar

From the CLI, can you check the output of "get router info routing-table details <remote IP>" to view the route it is taking and check whether it's the correct one?

ergalez

Hi, thank you.

I ran the command get router info routing-table details 192.168.1.80 on my FortiGate 60E at Site A.

And this is the output:

(screenshot: SiteA-SiteB.png)

And on my FortiGate 20C at Site B I can't run that command, so I did a packet flow and the packets enter on the VPN interface. I attach the image. I pinged the remote LAN at Site A (192.168.15.254).

(screenshot: Ping SV-GT.png)

Thank you for your time.

Shivasagar
ergalez

Thank you, Shivasagar, for your time.

I tried to set NAT-T to forced on the FortiGate 20C (Site B), but it doesn't allow this option :(

(screenshot: ergalez_0-1638335557189.png)

On my FortiGate 60E (Site A) I have already set NAT-T to forced.

(screenshot: ergalez_1-1638335641279.png)

But I still can't ping.

Shivasagar

Please collect the sniffer output below on both the 20C and the 60E.

"diag sniffer packet any 'host <peer public IP>' 6 0 a"

With this you can confirm whether ESP packets are arriving.

On 20C and 60E, are other IPSec tunnels working fine? If you have a 3rd device, is it possible to configure a tunnel for testing on that and see if it works?
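To make the two checks in this thread concrete (the IPsec monitor showing only outgoing data, and the `diag sniffer packet any 'host <peer public IP>' 6 0 a` capture used to confirm whether ESP packets arrive), here is an added Python example. It is not part of this thread and not a Fortinet tool: it parses a constructed sniffer capture, tallies IKE (UDP 500), NAT-T (UDP 4500) and native ESP packets per direction, and states which half of the exchange is missing. The peer addresses, the interface name `wan1` and the exact line layout are assumptions approximating FortiGate sniffer output.

```python
import re
from collections import Counter

# Constructed sample of `diag sniffer packet any 'host 198.51.100.20' 6 0 a`
# as captured on the local FortiGate (assumed public IP 203.0.113.10) towards
# the assumed peer 198.51.100.20. The line layout approximates FortiGate
# sniffer output; the hex payload dumps printed at verbosity 6 are mostly
# omitted (one is kept to show the parser skips them).
SAMPLE_SNIFFER_OUTPUT = """\
2021-12-01 10:15:02.112233 wan1 out 203.0.113.10.500 -> 198.51.100.20.500: udp 120
2021-12-01 10:15:02.118800 wan1 in 198.51.100.20.500 -> 203.0.113.10.500: udp 120
2021-12-01 10:15:03.001000 wan1 out 203.0.113.10.4500 -> 198.51.100.20.4500: udp 148
2021-12-01 10:15:04.002000 wan1 out 203.0.113.10.4500 -> 198.51.100.20.4500: udp 148
2021-12-01 10:15:05.003000 wan1 out 203.0.113.10 -> 198.51.100.20: ESP(spi=0x1a2b3c4d,seq=0x3)
0x0000   4500 0094 0000 4000 4032 1234 cb00 710a   E..........2....
"""

# One sniffer header line: "<iface> <in|out> <src>[.<sport>] -> <dst>[.<dport>]: <proto ...>"
LINE_RE = re.compile(
    r"(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+(?P<proto>\S+)"
)


def classify(sport, dport, proto):
    """Map a parsed packet to an IPsec-relevant kind, or None if unrelated."""
    p = proto.lower()
    if p.startswith("esp") or p == "ip-proto-50":
        return "esp"          # native ESP, IP protocol 50
    if p == "udp":
        ports = {sport, dport}
        if "4500" in ports:
            return "nat-t"    # UDP-encapsulated ESP (and IKE) when NAT-T is in use
        if "500" in ports:
            return "ike"      # IKE negotiation only, no user data
    return None


def tally_ipsec_traffic(sniffer_text):
    """Count IPsec-related packets keyed by (direction, kind)."""
    counts = Counter()
    for line in sniffer_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # hex dump or unrelated line
        kind = classify(m.group("sport"), m.group("dport"), m.group("proto"))
        if kind:
            counts[(m.group("dir"), kind)] += 1
    return counts


def diagnose(counts):
    """Verdict for the 'tunnel up, IKE fine, but no ping' situation."""
    if not counts:
        return "no-ipsec-traffic"
    out_data = counts[("out", "esp")] + counts[("out", "nat-t")]
    in_data = counts[("in", "esp")] + counts[("in", "nat-t")]
    if in_data and out_data:
        return "bidirectional"
    if out_data and not in_data:
        return "no-inbound-esp"   # we encrypt and send, nothing encrypted comes back
    if in_data and not out_data:
        return "no-outbound-esp"  # peer sends, we never encrypt anything
    return "ike-only"             # negotiation seen, no data packets either way


VERDICT_TEXT = {
    "no-ipsec-traffic": "No IKE/ESP seen at all: check the filter host and the egress interface.",
    "no-inbound-esp": "Only outbound ESP/NAT-T: the peer (or something in between) is not "
                      "returning encrypted data; compare the peer's capture and phase-2 selectors.",
    "no-outbound-esp": "Only inbound ESP/NAT-T: local traffic is not being routed into the tunnel; "
                       "check the static route and the policy toward the VPN interface.",
    "ike-only": "IKE negotiates but no data is exchanged: nothing matches the phase-2 selectors.",
    "bidirectional": "Encrypted data flows both ways; look at decrypted traffic and policies next.",
}

if __name__ == "__main__":
    tally = tally_ipsec_traffic(SAMPLE_SNIFFER_OUTPUT)
    for (direction, kind), n in sorted(tally.items()):
        print(f"{direction:>3} {kind:<6} {n}")
    verdict = diagnose(tally)
    print(verdict, "-", VERDICT_TEXT[verdict])
```

Run the same parser on the capture from each FortiGate: the side that reports `no-inbound-esp` while its peer reports `bidirectional` or `no-outbound-esp` is the side whose return traffic is being lost, which narrows the search to the path between the two public IPs rather than to either box's phase-1 configuration.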
