IPSEC Site to Site Branch to HQ cannot ping.
Hi Team,
The site to site is already up.
From HQ to Branch Okay, everything can Ping and access.
From Branch to HQ unable to ping and access.
Route and policy have been done on the HQ FortiGate 80F.
HQ - FortiGate 80F
BO - Sophos UTM 9
HQ subnet - 192.168.110.0
BO subnet - 192.168.1.0, 192.168.3.0
Is it possible I need to add extra Route and Policy on the Branch Sophos UTM?
Hi Team,
I have solved it by adding another IPSEC Connection point to 192.168.1.0/24.
Thank you everyone.
Hello Team,
Kindly follow the KB articles below for troubleshooting:
Hi @CloudTechZero ,
You definitely need a firewall policy for traffic from BO to HQ.
And since Ping is working from HQ to BO, routing should be fine on FGT.
If you do have such a firewall policy already, please run the following commands to collect some debug outputs:
diag debug flow show iprope enable
diag debug flow filter proto 1
diag debug flow filter addr x.x.x.x // x.x.x.x is the IP on HQ network (192.168.110.0) you will Ping
diag debug flow trace start 20
diag debug enable
Then run a Ping to reproduce the issue. Please do not run continuous Ping.
Jerry
