Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- IPSec tunnel probes received targeting WAN interfa...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec tunnel probes received targeting WAN interface dropped
Hi,
I have a remote site A (SonicWall NSA) connected to site B (FortiGate) with IPSec tunnel. Site A is sending load balancing probes (over the tunnel) to site B, but it's targeting the WAN interface IP of site A. Traffic arrives on my tunnel interface at site B. Note that site A's probes are implicit and cannot be edited to target one of my local IPs on the local site. On the receiving site the FortiGate drops the traffic due to strict RPF, message as in logs below contains "reverse path check fail, drop". I tried setting up a DNAT with Virtual IP and got pass the initial above error, but still could not get the firewall policy to trigger correctly. When I enable below CLI bash stops working for some reason, so I suspect something is not right. Any idea if this is the right approach and what I should look at? Thnks.
Policies are:
vip
config firewall vip
edit "vpn-ahg-hub-probe-vip"
set uuid 3e958d92-4f6b-51f0-67e8-xxx
set extip 217.91.x.x
set mappedip "192.168.10.1" --> local LAN interface
set extintf "any"
next
end
firewall:
edit 24
set status enable
set name "TEST"
set uuid 20025a9c-4f6e-51f0-1a3d-xxx
set srcintf "virtual-vpn-to-hub-link"
set dstintf "lan"
set action accept
set srcaddr "PubIP 169.255.x.x"
set dstaddr "vpn-ahg-hub-probe-vip"
set schedule "always"
set service "PING"
next
log before vip :
id=20085 trace_id=2531 func=print_pkt_detail line=5957 msg="vd-root:0 received a packet(proto=50, 169.255.x.x:0->217.91.x.x:0) tun_id=0.0.0.0 from ppp2. "
id=20085 trace_id=2532 func=print_pkt_detail line=5957 msg="vd-root:0 received a packet(proto=50, 169.255.x.x:0->217.91.x.x:0) tun_id=0.0.0.0 from ppp2. "
id=20085 trace_id=2533 func=print_pkt_detail line=5957 msg="vd-root:0 received a packet(proto=50, 169.255.x.x:0->217.91.x.x:0) tun_id=0.0.0.0 from ppp2. "
id=20085 trace_id=2534 func=print_pkt_detail line=5957 msg="vd-root:0 received a packet(proto=1, 169.255.x.x:64222->217.91.x.x:2048) tun_id=169.255.x.x from HUB-V60. type=8, code=0, id=64222, seq=5031."
id=20085 trace_id=2534 func=init_ip_session_common line=6137 msg="allocate a new session-001cd75f, tun_id=169.255.x.x"
id=20085 trace_id=2534 func=ip_route_input_slow line=1704 msg="reverse path check fail, drop"
id=20085 trace_id=2534 func=ip_session_handle_no_dst line=6223 msg="trace"
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello dbah01,
I found this answer. Can you tell me if it helps, please?
Your solution effectively addresses the issue by allowing ping traffic through the IPsec tunnel while blocking external pings for security. Here are some insights and considerations:
- Enable Ping on WAN Interface: This step is necessary to allow the FortiGate to respond to ping requests on the WAN interface. It's a common requirement for troubleshooting and monitoring.
- Local-In Policy Configuration:
- Allowing ping from the specific source IP (remote WAN) ensures that only trusted traffic can reach the WAN interface.
- Denying all other ping requests on the WAN interface enhances security by preventing unauthorized access. - Static Return Route: Configuring a static route for the return path ensures that responses to the ping requests are correctly routed back through the IPsec tunnel.
- Firewall Policy: Allowing ping traffic from the tunnel to the WAN interface ensures that the traffic is permitted through the firewall, completing the communication path.
- Security Considerations:
- While enabling ping on the WAN interface is necessary for this setup, ensure that other security measures are in place to protect the interface from potential threats.
- Regularly review and update firewall policies and routes to adapt to any network changes.
Your approach is sound, and the configuration steps you've taken are appropriate for the scenario. If you wish to explore alternatives, consider using more granular access controls or monitoring tools to further secure and manage the traffic.
Jean-Philippe - Fortinet Community Team
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello dbah01,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Managed to resolve this issue in the following way:
1. Enabled Ping on WAN interface
2. Configure allow local-in policy to allow ping to WAN interface from within the Fortigate. Source address is the remote WAN on the other side of the IPsec tunnel.
edit 3
set uuid 3465fe5c-5203-51f0-7122-x
set intf "WAN VLAN7"
set srcaddr "PubIP_169.255.x.x"
set dstaddr "PubIP_217.91.x.x"
set action accept
set service "PING"
set schedule "always"
next
3. Configure deny local-in policy on WAN interface to block external ping probes for security
edit 4
set uuid 83d0e9d8-5209-51f0-7be4-x
set intf "WAN"
set srcaddr "all"
set dstaddr "PubIP_217.91.x.x"
set service "PING"
set schedule "always"
set comments "Block external ping on this WAN"
next
4. configure static return route for 169.255.x.x to IPSec tunnel
5. configure firewall policy to allow ping traffic from tunnel to WAN interface
Once I had above in place the ping packet reply was received at the remote side. Ping probes to my WAN interface over Internet is blocked. I was trying to get this working without enabling Ping on the WAN interface itself, but this was the only way I could get this working. I'd appreciate any more insights.
Kind regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Thanks for the follow-up!
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello dbah01,
I found this answer. Can you tell me if it helps, please?
Your solution effectively addresses the issue by allowing ping traffic through the IPsec tunnel while blocking external pings for security. Here are some insights and considerations:
- Enable Ping on WAN Interface: This step is necessary to allow the FortiGate to respond to ping requests on the WAN interface. It's a common requirement for troubleshooting and monitoring.
- Local-In Policy Configuration:
- Allowing ping from the specific source IP (remote WAN) ensures that only trusted traffic can reach the WAN interface.
- Denying all other ping requests on the WAN interface enhances security by preventing unauthorized access. - Static Return Route: Configuring a static route for the return path ensures that responses to the ping requests are correctly routed back through the IPsec tunnel.
- Firewall Policy: Allowing ping traffic from the tunnel to the WAN interface ensures that the traffic is permitted through the firewall, completing the communication path.
- Security Considerations:
- While enabling ping on the WAN interface is necessary for this setup, ensure that other security measures are in place to protect the interface from potential threats.
- Regularly review and update firewall policies and routes to adapt to any network changes.
Your approach is sound, and the configuration steps you've taken are appropriate for the scenario. If you wish to explore alternatives, consider using more granular access controls or monitoring tools to further secure and manage the traffic.
Jean-Philippe - Fortinet Community Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jean-Phillipe,
There is one flaw with my solution. The static routes are now also routing my HTTPS management traffic to the IPSec tunnel interface. I removed the static route and tried using a policy route for ICMP traffic only, but the policy route does not get hit at all. Any idea on this?
config router policy
edit 10
unset input-device
set src 0.0.0.0/0
set dst 169.255.x.x/32
set protocol 1
set gateway 10.0.0.8
set output-device "HUB-V60"
next
end
Labels
-
FortiGate
10,483 -
FortiClient
2,128 -
FortiManager
882 -
5.2
687 -
FortiAnalyzer
672 -
5.4
638 -
FortiSwitch
575 -
FortiAP
557 -
FortiClient EMS
551 -
6.0
416 -
IPsec
403 -
FortiMail
371 -
SSL-VPN
370 -
5.6
362 -
FortiNAC
277 -
6.2
251 -
FortiWeb
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
190 -
FortiAuthenticator
168 -
FortiGuard
159 -
5.0
152 -
Firewall policy
141 -
6.4
128 -
FortiGate-VM
123 -
FortiCloud Products
116 -
FortiGateCloud
112 -
FortiSIEM
111 -
FortiToken
110 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
72 -
DNS
71 -
SAML
70 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
65 -
Authentication
64 -
Certificate
61 -
RADIUS
58 -
LDAP
57 -
SSO
54 -
FortiSandbox
53 -
FortiLink
53 -
FortiExtender
51 -
NAT
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
42 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
SNMP
25 -
SSID
25 -
Static route
25 -
Traffic shaping
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
API
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSOAR
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
FortiRecorder
11 -
Users
11 -
Port policy
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
Authentication rule and scheme
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2522 | |
| 1347 | |
| 794 | |
| 639 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.