Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ergalez
New Contributor

Created on ‎11-24-2021 04:12 PM

IP Sec Tunnel Interface is UP, but i can't do a ping to remote pc

Hi, I have 2 fortigates a 60E and a 20C I have established the IPSec tunnels for site-to-site vpn. The tunnel in both fortigates appears to me to be up, but I cannot ping between the lan networks. I have set the static route and added the access policies. I don't know what else to do. And if I check the IPSec monitor, I see that there is incoming and outgoing traffic.evidencia.png

Labels:
16991
0 Kudos
22 REPLIES 22
ergalez
New Contributor
In response to Shivasagar

Created on ‎11-30-2021 10:07 PM

Thank so much for your support.

Here is the output of the sniffer in 60E:

ergalez_0-1638338333198.png

 

And here is the output in 20C.

ergalez_1-1638338502426.png

 

I think the ESP packets are arriving.

 

And yes in 20C are 2 more IPSec tunnels and it's working fine.

ergalez_2-1638338659131.png

 

And in the 60E are 1 more tunnel and work's fine.

ergalez_3-1638338731589.png

 

It seems that everything is fine, but I don't know what more tests I can do. I'm afraid I have no other device to test :(

7923
0 Kudos
Shivasagar
Staff
Staff
In response to ergalez

Created on ‎11-30-2021 10:22 PM

The only option I can suggest now is to disable the tunnel to bring down the connection and initiate traffic from the 60E end so the tunnel comes up using NAT-T[4500], I can see from the sniffer it's still using port 500.

7921
0 Kudos
ergalez
New Contributor
In response to Shivasagar

Created on ‎11-30-2021 10:40 PM

Thank you!

 

So what I have to do is go to:
1. IPSec monitor and bring down the tunnel or Go to Network-> Interfaces-> WAN-> Tunnel interface-> Disable

And once the tunnel is disabled, I ping from my lan network behind the fortigate 60E, right? And alone he has to get up

7920
0 Kudos
Shivasagar
Staff
Staff
In response to ergalez

Created on ‎11-30-2021 11:09 PM

You can use "diagnose vpn tunnel flush <name>" to clear the SA's from both ends. After which just initiating a ping from a machine behind 60E should bring up the tunnel.

7916
0 Kudos
ergalez
New Contributor
In response to Shivasagar

Created on ‎11-30-2021 11:27 PM

Thank you, i did the flush command in both Fortigates, but the tunnel is going up after that without i do a ping. 

 

And then i ran the sniffer command in both fortigates, but the packets still use the 500 port and not the 4500. 

diag sniffer packet any 'host <peer public ip' 6 0 a

 may i need to reset the tunnel o do it again?

7914
0 Kudos
ergalez
New Contributor
In response to Shivasagar

Created on ‎11-30-2021 10:23 PM Edited on ‎11-30-2021 10:54 PM

.

7921
0 Kudos
sw2090
SuperUser
SuperUser

Created on ‎12-01-2021 02:28 AM

Are you sure the tunnel is up competely? In Firmware prior to 6.4 the IPSec Monitor (and also the ike debug log) do not show Phase2. Since 6.4 it does show phase2 at least in IPSec Monitor.

So maybe your Phase1 came up and the tunnel is marked as up in monitor but phase2 is not up.  Unfortunately that is rather hard to debug as there is no logs for Phase2 :(

The result would be that no traffic can yet pass your tunnel...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
7916
0 Kudos
ergalez
New Contributor
In response to sw2090

Created on ‎12-01-2021 06:12 AM

Hi sw2090 thank your for your time.

 

I follow this link to troubleshooting the IPSec phases.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Troubleshooting-IPsec-VPNs/ta-p/195955?ext...

 

And if run this command in my Fortigate 60E, the status of Phase1 is established.

ergalez_0-1638367634816.png

 

And if i check the Phase 2, the SA =1 that i think the indicates IPsec SA is matching and there is traffic between the selectors

 

ergalez_1-1638367827949.png

 

I honestly don't know what else to do, I've thought about restarting the Fortigates but I'm afraid that the other VPNs that I have configured will stop working as well.

 

7914
0 Kudos
sw2090
SuperUser
SuperUser

Created on ‎12-01-2021 07:11 AM Edited on ‎12-01-2021 07:12 AM

yes it does. So Tunnel is up completely. 

Did you try to flow trace the traffic to see if it matched policies and routing is correct?

 

diag debug enable

diag debug flow filter daddr=<destinationip>

diag debug flow filter saddr=<sourceip>

diag debug flow trace start <numberofpackets>

 

that will show you what the FGT does with the traffic.

FGT uses the routing table to determine the path to the destination in Step #1

In Step #2 it looks for a matching policy. It does top down and the first match will win the packet.

If there is no policy that matches it would hit policy #0 (which is the deny everything from/to everywhere one). 

However the fact that the tunnel is up tells me that there has to be at least one policy that references it (because otherwise it would not come up). However that does not neccessarily mean that it matches your traffic...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
7911
0 Kudos
Sylvan
New Contributor

Created on ‎12-01-2021 09:08 AM

Could you please check if you are filtering the traffic that is traversing the VPN on your phase 2? If the static route is correct, if the security policies are correct, then the only thing I can think of is the phase 2 configuration. 

7911
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.