Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
teoblue
New Contributor

IPSEC VPN Fortigate 80E to 60E up but no ping/traffic

hi everyone,

I have config ipsec vpn between 2 fortigates 80E & 60E (2 fortigates behind ISP Router), VPN status is up but i cannot ping to LAN network and i cannot see traffic . I configed IPSEC VPN route-based .  What's kind of information to provide for you to help this problem ? Please help me, thanks admin & everyone. 

3 Solutions
Sudarsan_Babu

Routing seems to normal. 

did you config policy properly & place at top 

 

Also check helpful commands 

 

From 80E

 

diag debug flow filter addr X.X.X.X ( 192.168.3.X )

diag debug flow show console enable

diag debug flow show function-name enable

diag debug console timestamp enable

diag debug flow trace start 999

diag debug enable 

 

Same as 60E  & share. 

 

 

 

Regards,

Sudarsan Babu P

View solution in original post

Regards, Sudarsan Babu P
rwpatterson
Valued Contributor III

When you defined the routes to the remote LANs, did you make the distance lower than your default? This needs to be in place or the traffic may wander out the default. Sniff the traffic to confirm that it is using the correct path.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

View solution in original post

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
Sudarsan_Babu

Did you configure policy properly & place them in top list.  I think some problem in policy.  

 

Regards,

Sudarsan Babu p

 

Regards,

Sudarsan Babu P

View solution in original post

Regards, Sudarsan Babu P
8 REPLIES 8
Sudarsan_Babu
Contributor

Hello, 

 

Can you check the subnet which you add in address object & also uncheck split tunnel. 

 

Regards,

Sudarsan Babu P

Regards,

Sudarsan Babu P

Regards, Sudarsan Babu P
teoblue

thanks Babu,

i have subnet at 80E : 192.168.5.0/24 , 60E: 192.168.3.0/24 . i also uncheck split tunnel . i have an connection diagrams at attach file.

I see at log at VPN Events : level : notice , action: Tunnel stats, Message: IPsec tunnel statistics . 

 

Please help me more, thanks a lot . 

 

Links image of connection diagrams : https://photos.app.goo.gl/PL1PDqI8axSITZvd2 

Sudarsan_Babu

Can you check  in cli & share 

 

get router info routing-table all. 

 

 

 

 

 

 

Regards,

Sudarsan Babu P

Regards, Sudarsan Babu P
teoblue

 

At 60E: 

FGT60E1 # get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default

S* 0.0.0.0/0 [10/0] via 192.168.1.1, wan1 C 192.168.1.0/24 is directly connected, wan1 C 192.168.3.0/24 is directly connected, internal S 192.168.5.0/24 [10/0] is directly connected, To_HL

 

At 80E: 

FG80E # get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default

S* 0.0.0.0/0 [10/0] via 192.168.1.1, wan1 C 192.168.1.0/24 is directly connected, wan1 S 192.168.3.0/24 [10/0] is directly connected, To_MCTRD C 192.168.5.0/24 is directly connected, lan

 

 Please see this and help me :) 

 

Sudarsan_Babu

Routing seems to normal. 

did you config policy properly & place at top 

 

Also check helpful commands 

 

From 80E

 

diag debug flow filter addr X.X.X.X ( 192.168.3.X )

diag debug flow show console enable

diag debug flow show function-name enable

diag debug console timestamp enable

diag debug flow trace start 999

diag debug enable 

 

Same as 60E  & share. 

 

 

 

Regards,

Sudarsan Babu P

Regards, Sudarsan Babu P
rwpatterson
Valued Contributor III

When you defined the routes to the remote LANs, did you make the distance lower than your default? This needs to be in place or the traffic may wander out the default. Sniff the traffic to confirm that it is using the correct path.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
teoblue

@Sudarsan Babu : i try check by commands you give me but no log data in debug . I also try debug by cli command at 80E: diag debub app ike -1 and have a result at attach file named "log debug 80E.txt" . Please see this and give me an advice to resolve this problem , thanks .

 

@rwpatterson : i have config the distance is 5 (default : 10) but no result . Please give me an advice to resolve this problem , thanks . 

 

 

Sudarsan_Babu

Did you configure policy properly & place them in top list.  I think some problem in policy.  

 

Regards,

Sudarsan Babu p

 

Regards,

Sudarsan Babu P

Regards, Sudarsan Babu P
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors