IPSEC tunnels not working when specified the Local Gateway
After upgrading our FortiGate to v7.4.0 from 6.4.7 (following the optional upgrade path 6.4.9, then 6.4.11 ...)
All our IPsec tunnels are down; phase 1 and phase 2 are both down. At the same time, all other config seems to be in place...
We found out that as soon as we choose local gateway "Specify" (our secondary WAN IP) rather than "Primary IP", the tunnel is down and no communication happens between our FW and the client's FW (all WAN IPs are from one ISP's GW). We can ping the client's IP.
Proposals and configuration of P1 and P2 are correct; as I mentioned, as soon as both sides choose the gateway (our primary IP), the tunnel works. Policies are in place, traffic is accessible from both sides when the tunnel is up. Routes are created.
What could the possible issues be, and where should I look? I tried to find similar issues on forums but with no success. I would appreciate any ideas and help.
- Labels: FortiGate
A ticket was created with FortiSupport.
As per the debug there is no response from the peer; since the configuration was working previously, it could be related to a route.
Can you share the output below?
get router info routing-table details x.x.x.x ->peer ip
get router info kernel | grep x.x.x.x
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
# get router info routing-table details x.x.x.x (peer IP)
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* vrf 0 x.x.x.x, via wan1
(output x.x.x.x shows our ISP gateway address)
-----------------
# get router info kernel | grep x.x.x.x (peer IP)
no output
Is wan1 your VPN external interface?
Can you collect a sniffer capture?
diagnose sniffer packet any "host x.x.x.x" 4 100
Suraj
Created on 06-20-2023 04:40 AM, edited on 06-20-2023 04:42 AM
Yes, wan1 is our external interface.
-------------------------
wan1 in x.x.x.x -> x.x.x.x: udp 292
wan1 in x.x.x.x -> x.x.x.x: udp 292
wan1 out x.x.x.x.500 -> x.x.x.x: udp 292
wan1 out x.x.x.x -> x.x.x.x: icmp: host x.x.x.x unreachable
wan1 out x.x.x.x -> x.x.x.x: icmp: host x.x.x.x unreachable
wan1 in x.x.x.x -> x.x.x.x: udp 292
wan1 in x.x.x.x -> x.x.x.x: udp 292
wan1 out x.x.x.x.500 -> x.x.x.x: udp 292
wan1 out x.x.x.x -> x.x.x.x: icmp: host x.x.x.x unreachable
wan1 out x.x.x.x -> x.x.x.x: icmp: host x.x.x.x unreachable
wan1 in x.x.x.x -> x.x.x.x: udp 292
wan1 in x.x.x.x -> x.x.x.x: udp 292
wan1 out x.x.x.x.500 -> x.x.x.x: udp 292
wan1 out x.x.x.x -> x.x.x.x: icmp: host x.x.x.x unreachable
wan1 out x.x.x.x -> x.x.x.x: icmp: host x.x.x.x unreachable
(The interesting lines are the unreachable messages:)
wan1 out x.x.x.x -> x.x.x.x: icmp: host x.x.x.x unreachable
wan1 out (Primary IP) -> (Peer IP): icmp: host (Specified IP) unreachable
Strangely, it does send and receive UDP 500 (because it tries to establish the tunnel connection), but after a couple of incoming and outgoing packets there are ICMP unreachables.
Specified IP = the WAN IP that we want to use in our IPsec configuration.
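As an added triage helper (not code from the thread or from Fortinet), the following Python parses `diagnose sniffer packet` verbosity-4 lines of the shape quoted above and correlates inbound IKE (UDP 500/4500) packets with outbound ICMP host-unreachable messages, reporting which local address the firewall itself is declaring unreachable. The sample capture is constructed with RFC 5737 addresses and assumes the primary/specified/peer roles noted in its comment.

```python
import re
from collections import Counter

# FortiGate "diagnose sniffer packet ... 4" line:
#   <iface> <in|out> <src>[.<port>] -> <dst>[.<port>]: <payload>
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<payload>.*)$"
)
UNREACH_RE = re.compile(r"icmp: host (?P<host>\d+\.\d+\.\d+\.\d+) unreachable")
IKE_PORTS = {"500", "4500"}  # IKE and IKE over NAT-T


def parse_line(line):
    """Split one sniffer line into its fields; None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ike_unreachable_report(lines):
    """Map each local address that received inbound IKE and was then named in
    an outbound ICMP host-unreachable to (ike_in_count, icmp_unreachable_count).
    An entry here means the firewall itself rejects IKE sent to that address."""
    ike_targets = Counter()   # destination of inbound IKE packets
    unreachable = Counter()   # host named in outbound ICMP unreachable
    for line in lines:
        p = parse_line(line)
        if not p:
            continue
        is_ike = p["payload"].startswith("udp") and (
            p["sport"] in IKE_PORTS or p["dport"] in IKE_PORTS)
        if p["dir"] == "in" and is_ike:
            ike_targets[p["dst"]] += 1
        elif p["dir"] == "out" and (m := UNREACH_RE.search(p["payload"])):
            unreachable[m.group("host")] += 1
    return {h: (ike_targets[h], unreachable[h]) for h in ike_targets if h in unreachable}


# Constructed sample in the shape of the thread's capture (RFC 5737 addresses):
# 203.0.113.10 = primary WAN IP, 203.0.113.20 = specified IP, 198.51.100.5 = peer.
SAMPLE = """\
wan1 in 198.51.100.5.500 -> 203.0.113.20.500: udp 292
wan1 in 198.51.100.5.500 -> 203.0.113.20.500: udp 292
wan1 out 203.0.113.10.500 -> 198.51.100.5.500: udp 292
wan1 out 203.0.113.10 -> 198.51.100.5: icmp: host 203.0.113.20 unreachable
wan1 out 203.0.113.10 -> 198.51.100.5: icmp: host 203.0.113.20 unreachable
wan1 in 198.51.100.5.500 -> 203.0.113.10.500: udp 292
""".splitlines()
```

Feed it the lines of a `diagnose sniffer packet any "host <peer>" 4` capture; an address in the result is one the firewall answers with ICMP unreachable instead of continuing IKE, which points at how that address is bound to the interface rather than at the phase 1/phase 2 proposals.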