Hello,
we have a working tunnel (up) from one location to the other.
From the remote location, the ping arrives our firewall, but it does not reply to them (they get timeout).
Our ping seems to go through our firewall, but does not arrive the remote location (we also get timeout).
Both traffic is visible in the logs.
Policys from remote subnet to local subnet are there and vise versa. At least on our location, I'm waiting for response from the remote location.
Also we have a (in my opinion) working static route for the remote subnet, pointing to the vpn-connection.
Same interface / ip is also used for a second ipsec tunnel and this one is working fine (I get icmp: echo reply)
Any ideas or troubleshooting hints?
thanks
You have to, or ask whoever managing the remote end, sniff and run IKE debug on the remote device, since the local end seems to be fine based on your description.
Toshi
Hello @Pkay983
You can run the commands mentioned below:
#di sniffer packet any "host x.x.x.x and icmp" 4 0 l
Initiate a ping from remote site to your Firewall and run the sniffer mentioned above.
x.x.x.x = src ip on remote site.
You should see tunnel In and Lan out. If you are not seeing the out packets then run the debugs below.
#di de flow filter addr x.x.x.x
#di de flow filter proto 1
#di de flow trace start 100
#di de en
Verender
Adding to my colleague's comment, also add the command:
#di de flow show function enable
That command will give you more details regarding the traffic.
I can see the packets from my firewall to the remote firewall, but only the "echo request" not the "reply"
If I take the remote host as "host IP" I can see nothing.
That is what I see, if I take my local host:
# di de flow filter addr 192.168.X.XX4
# diagnose sniffer packet any "host 192.168.X.XX4 and icmp" 4 0 1
interfaces=[any]
filters=[host 192.168.X.XX4 and icmp]
id=20085 trace_id=1 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 192.168.X.XX4:1->192.168.x.xx7:2048) tun_id=0.0.0.0 from vlan-xy. type=8, code=0, id=1, seq=16286."
id=20085 trace_id=1 func=init_ip_session_common line=6048 msg="allocate a new session-01497285, tun_id=0.0.0.0"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-REMOTEIP via vpn-XX"
id=20085 trace_id=1 func=fw_forward_handler line=881 msg="Allowed by Policy-1664:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface vpn-xx, tun_id=0.0.0.0"
id=20085 trace_id=1 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel vpn-xx"
id=20085 trace_id=1 func=esp_output4 line=844 msg="IPsec encrypt/auth"
id=20085 trace_id=1 func=ipsec_output_finish line=544 msg="send to localGWIP via intf-vlan-XX"
12.469853 vlan-xy in 192.168.X.XX4 -> 192.168.x.xx7: icmp: echo request
12.469884 vpn-xx out 192.168.X.XX4 -> 192.168.x.xx7: icmp: echo request
id=20085 trace_id=2 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 192.168.X.XX4:1->192.168.x.xx7:2048) tun_id=0.0.0.0 from vlan-xy. type=8, code=0, id=1, seq=16287."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5955 msg="Find an existing session, id-01497285, original direction"
id=20085 trace_id=2 func=npu_handle_session44 line=1187 msg="Trying to offloading session from vlan-xy to vpn-XX, skb.npu_flag=00000400 ses.state=00050204 ses.npu_state=0x05040000"
id=20085 trace_id=2 func=fw_forward_dirty_handler line=410 msg="state=00050204, state2=00000001, npu_state=05040000"
id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface vpn-xx, tun_id=0.0.0.0"
id=20085 trace_id=2 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel vpn-xx"
id=20085 trace_id=2 func=esp_output4 line=844 msg="IPsec encrypt/auth"
id=20085 trace_id=2 func=ipsec_output_finish line=544 msg="send to localGWIP via intf-vlan-XX"
17.441838 vlan-xy in 192.168.X.XX4 -> 192.168.x.xx7: icmp: echo request
17.441855 vpn-xx out 192.168.X.XX4 -> 192.168.x.xx7: icmp: echo request
id=20085 trace_id=3 func=print_pkt_detail line=5869 msg="vd-root:0 received a packet(proto=1, 192.168.X.XX4:1->192.168.x.xx7:2048) tun_id=0.0.0.0 from vlan-xy. type=8, code=0, id=1, seq=16288."
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5955 msg="Find an existing session, id-01497285, original direction"
id=20085 trace_id=3 func=npu_handle_session44 line=1187 msg="Trying to offloading session from vlan-xy to vpn-XX, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x05040000"
id=20085 trace_id=3 func=ip_session_install_npu_session line=346 msg="npu session installation succeeded"
id=20085 trace_id=3 func=fw_forward_dirty_handler line=410 msg="state=00010204, state2=00000001, npu_state=05000400"
id=20085 trace_id=3 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface vpn-xx, tun_id=0.0.0.0"
id=20085 trace_id=3 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel vpn-XX"
id=20085 trace_id=3 func=esp_output4 line=844 msg="IPsec encrypt/auth"
id=20085 trace_id=3 func=ipsec_output_finish line=544 msg="send to localGWIP via intf-vlan-XX"
22.438110 vlan-xy in 192.168.X.XX4 -> 192.168.x.xx7: icmp: echo request
22.438131 vpn-xx out 192.168.X.XX4 -> 192.168.x.xx7: icmp: echo request
Only in the firewall log (forti analyzer) there I can see incoming pings from remote to my firewall - local subnet.
Hi @Pkay983,
Based on the outputs you provided:
id=20085 trace_id=1 func=fw_forward_handler line=881 msg="Allowed by Policy-1664:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface vpn-xx, tun_id=0.0.0.0"
id=20085 trace_id=1 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel vpn-xx"
id=20085 trace_id=1 func=esp_output4 line=844 msg="IPsec encrypt/auth"
id=20085 trace_id=1 func=ipsec_output_finish line=544 msg="send to localGWIP via intf-vlan-XX"
12.469853 vlan-xy in 192.168.X.XX4 -> 192.168.x.xx7: icmp: echo request
12.469884 vpn-xx out 192.168.X.XX4 -> 192.168.x.xx7: icmp: echo request
The Ping packets left FortiGate and entered into the correct IPSec VPN "vpn-xx".
The remote peer of the IPSec VPN has to do the same troubleshooting on this local FortiGate. I hope that the remote peer is a FortiGate device as well.
Hi @Pkay983 ,
You need to run sniffer packet capture on FGT to see the ICMP echo request and echo reply packets to tell whether it is FGT blocking the traffic or not:
diag sniffer packet any 'host x.x.x.x and icmp' 4 // x.x.x.x can be the destination IP, or the source IP (but you need to make sure that there is no NAT in the firewall policy on your FGT)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.