Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- Lacework
- FortiAppSec Cloud
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- IPSec VPN:dialin works for 1 ping only (SOLVED)
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec VPN:dialin works for 1 ping only (SOLVED)
Hello fellows,
I' ve set up a dial-in IPSec VPN from my FG-50B to a remote FG-80C which has a fixed IP. I use aggressive mode with PSK. Both sides use interface mode.
192.168.234.1 | tunnel | (ext. 217.92.xxx.yyy, int: 192.168.10.0/24)
The tunnel comes up OK.
Now when I ping from local FG to remote FG only the very first ping packet will return (with a reasonable return time), all subsequent packets are discarded. This will only happen when the tunnel has not been up before. While the tunnel is up, no packets at all will pass.
I cannot see anything strange while debugging (' diag deb app ike' , ' diag deb flow' ). The return route gets inserted OK as far as I can tell from the flow output. Even setting a static route on the remote FG (so that the dial-in network becomes known) does not help.
It looks like in the moment the route get established the very first packet slips through; while the route exists, nothing else will pass.
Does anybody have a clue what I am missing here?
Ede
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now when I ping from local FG to remote FG only the very first ping packet will return (with a reasonable return time), all subsequent packets are discarded. This will only happen when the tunnel has not been up before. While the tunnel is up, no packets at all will pass.it seems that there' s a strange alive route rounding there. If you keep the tunnel down, could you reach 192.168.10.x' s IPs some way? That' s could match your above description. What about ' get router info routing-table all' CLI command output? (with and/or tunnel dropped) Can you see something strange there?
regards
/ Abel
regards
/ Abel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello Abel,
nice to hear from you. This is a difficult one.
Here is the routing table before and after the tunnel-up:
before tunnel-up:
gate # get router info routing-table all
S* 0.0.0.0/0 [1/0] via 217.0.118.44, ppp0
C 91.17.164.191/32 is directly connected, ppp0
S xxx.yyy.48.0/21 [2/0] is directly connected, MPImF, [0/50]
S 192.168.10.0/24 [2/0] is directly connected, K-B, [0/50]
S 192.168.40.0/24 [2/0] is directly connected, MVMA
S 192.168.123.0/24 [2/0] is directly connected, af_berlin, [0/50]
C 192.168.234.0/24 is directly connected, internal
C 217.0.118.44/32 is directly connected, ppp0
tunnel up:
gate # exe ping 192.168.10.5
PING 192.168.10.5 (192.168.10.5): 56 data bytes
64 bytes from 192.168.10.5: icmp_seq=1 ttl=255 time=74.8 ms
Timeout ...
Timeout ...
Timeout ...
Timeout ...
--- 192.168.10.5 ping statistics ---
5 packets transmitted, 1 packets received, 80% packet loss
round-trip min/avg/max = 74.8/74.8/74.8 ms
after tunnel_up:
gate # get router info routing-table all
S* 0.0.0.0/0 [1/0] via 217.0.118.44, ppp0
C 91.17.164.191/32 is directly connected, ppp0
S xxx.yyy.48.0/21 [2/0] is directly connected, MPImF, [0/50]
S 192.168.10.0/24 [2/0] is directly connected, K-B, [0/50]
S 192.168.40.0/24 [2/0] is directly connected, MVMA
S 192.168.123.0/24 [2/0] is directly connected, af_berlin, [0/50]
C 192.168.234.0/24 is directly connected, internal
C 217.0.118.44/32 is directly connected, ppp0
gate # diag ip route list (partially)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.234.0/24 pref=192.168.234.1 gwy=0.0.0.0 dev=3(internal)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.168.10.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=15(K-B)
So, mainly I don' ' t see any difference. In interface mode, VPN gateways show up as ' directly connected' so I don' t need a static route here. Only if I wanted sessions originating at the remote end.
Consequently I have not configured a static route back to 192.168.234.0/24 at the remote end. Would you?
As to the idea about multiple paths: I don' t see any way to accomplish this as the remote LAN is a private LAN not mentioned elsewhere in the local firewall. There is a PPTP dialup VPN in addition which is not used at the moment...would my Windows box be influenced by this?
Ede
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, progress of some sort:
if I setup a FortiClient profile on my notebook and connect from home I get in! To connect, I have to give my notebook an IP from the remote LAN, e.g. 192.168.10.190.
And now I can see a direct route back (on the remote FG):
K-B # get router info routing-table all
S* 0.0.0.0/0 [5/0] via 217.5.98.25, ppp0
C 192.168.10.0/24 is directly connected, internal
S 192.168.10.190/32 [1/0] is directly connected, BEDV_0
C 217.5.98.25/32 is directly connected, ppp0
C 217.92.177.190/32 is directly connected, ppp0
where " BEDV_0" is the VPN tunnel end.
How can I translate this into the firewall config?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run a traceroute from local to remote and watch where the traffic goes. If you have interface mode tunnels, you need to define a static route down the tunnel to the remote end subnet(s). In policy mode, it' s done automatically, but only for the next hop subnet.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK will check that but have to make a break for 12 hours now. Thanks so far. I' ll be back.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
traceroute will die all the way long, local and remote. At the local end, there is a static route pointing the remote LAN to the IPSec interface. I do see the back route in the routing table of the remote FG.
How can I verify that the reply packets are routed correctly? I guess I cannot sniff on the VPN interface as it doesn' t have an IP address.
Any thoughts?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How far does it get? Does it die at the FGT?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well, traceroute tends to conceal the situation a bit. What I see from packet sniffs and flow traces is that the first ping packet forces the tunnel UP, but gets dropped because the SA is not yet established. The second ping GETS TROUGH and is replied, just as expected. All subsequent pings are discarded somewhere. They will never show up at the remote end (sniff), traceroute shows ' all stars' .
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, Fortinet support finally has resolved this issue and I' d like to share my experience with others that might run into this trap:
there is a new global parameter in v4.0 called " check-protocol-header" :
(from CLI Guide)
" check-protocol-header {loose | strict}
Select the level of checking performed on protocol headers.
default: loose"
And of course, I set it to " strict" . Well, one effect of re-calculating the header checksum is that it will prohibit IPSec traffic - " cannot be used if Fortigate is used as IPSec VPN endpoint" .
Not one word in the docs about this. This issue prevented an implementation for 11 days. Yee-haw.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,772 -
FortiClient
1,782 -
5.2
801 -
FortiManager
739 -
5.4
639 -
FortiAnalyzer
565 -
FortiSwitch
479 -
Fortiap
475 -
FortiClient EMS
437 -
6.0
416 -
5.6
362 -
FortiMail
323 -
SSL-VPN
253 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
214 -
FortiWeb
210 -
5.0
196 -
FortiNAC
193 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
108 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
86 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
60 -
Fortivoice
57 -
High Availability
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
FortiExtender
45 -
DNS
45 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
NAT
36 -
Certificate
36 -
FortiGate v5.4
35 -
Radius
35 -
SAML
35 -
FortiSwitch v6.4
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiGate-VM
22 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1741 | |
| 1109 | |
| 753 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.