Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pieciaq
New Contributor III

Created on ‎12-21-2021 02:53 AM Edited on ‎12-21-2021 03:25 AM

IPSec tunnel up (phase 1 and 2) but no Outgoing Data

Hi all,

got configured IPSec tunnel it is up (phase 1 and 2) but no Outgoing Data.

Policy from Zone (with vlan10 in it) to VPN tunnel configured, Static Route (with subnet I try to reach, and VPN interface configured) also.

When Ping from computer with vlan10 I see deny and hit policy 0 in FAZ.

 

What is the best practice to check why traffic is not hitting this tunnel or policy?

P.S I have access only to my side of tunnel.

P.S II. Is is possible that when my part of the tunnel is configured ok, policy and route also but on the other side of the tunnel something is missing tunnel will show up on 2 phases but will send no data to the tunnel?

What's bother me is that there is O B in Outgoing data.

FGT OS. 6.4.6

Pieciaq
Labels:
8134
0 Kudos
1 Solution
pieciaq
New Contributor III
In response to Toshi_Esumi

Created on ‎12-23-2021 12:24 AM

Toshi_Esumi thanks for all your efort. Analyzing debug flow, starting to check why it is droping on policy and find this post: 

https://community.fortinet.com/t5/Fortinet-Forum/msg-quot-iprope-in-check-check-failed-on-policy-0-d...

 

 

I had created a virtual IP that would meet a new connectivity and it was the cause of my problems, even if not linked to any policy

Pieciaq

View solution in original post

7992
0 Kudos
12 REPLIES 12
amouawad
Staff
Staff

Created on ‎12-21-2021 06:40 PM

If it's hitting policy 0 (deny all) then the problem is on the FGT side not the other side.

 

Do you have a route in the FortiGate for the subnet you're trying to reach to go out through the VPN interface?

6712
0 Kudos
pieciaq
New Contributor III

Created on ‎12-21-2021 10:56 PM

Yes Sir, got Static Route with VPN interface na subnet I want to reach.

Make some debug flow and notice that address with subnet I try to ping got route via root, I think it should be VPN tunnel name there, what's can causing this problem?

 

id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-10.55.10.51 via root"

Pieciaq
6701
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to pieciaq

Created on ‎12-22-2021 09:58 AM

What was in the next line after "find a route:" in the flow debug? Was it the "Denied by forward policy check (policy 0)"?

 

Toshi

6650
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to Toshi_Esumi

Created on ‎12-22-2021 10:05 AM

And, I have some doubt about the status of the tunnel. Can you share the output of "get vpn ipsec tun name <phase1_name>" after modifying/masking some sensitive info?

6645
0 Kudos
pieciaq
New Contributor III
In response to Toshi_Esumi

Created on ‎12-22-2021 12:08 PM

Tunnel configuration seems ok:

 

get vpn ipsec tunnel name TUNNEL

gateway
name: 'TUNNEL'
type: route-based
local-gateway: xxx.xxx.xxx.xxx:0 (static)
remote-gateway: yyy.yyy.yyy.yyy:0 (static)
mode: ike-v1
interface: 'port1' (9)
rx packets: 0 bytes: 0 errors: 0
tx packets: 0 bytes: 0 errors: 0
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'Phase1'
auto-negotiate: disable
mode: tunnel
src: 0:192.168.5.1/255.255.255.255:0
dst: 0:10.56.yy.yy/255.255.255.0:0
SA
lifetime/rekey: 3600/707
mtu: 1438
tx-esp-seq: 1
replay: enabled
qat: 0
inbound
spi: 1ba9b6db
enc: aes-cb 5b5b4532927d24a15f84141f42164d39
auth: sha1 fbb3244bde10c709405785bbf168487807761773
outbound
spi: bacd23d5
enc: aes-cb 8e4e8f52bccf097ba6ba014a8562217d
auth: sha1 3c13468121dc7c8183b6d24e127cd08dd358fe06
NPU acceleration: none
selectors
name: 'Phase2'
auto-negotiate: disable
mode: tunnel
src: 0:192.168.6.0/255.255.255.0:0
dst: 0:10.56.yy.yy/255.255.255.0:0
SA
lifetime/rekey: 3600/710
mtu: 1438
tx-esp-seq: 1
replay: enabled
qat: 0
inbound
spi: 1ba9b6dc
enc: aes-cb 8caac5f1b3f185ee9229b4c1cf07ae06
auth: sha1 7a187db64dea41fc443e50bfc78236930b7ab26f
outbound
spi: 774ea32b
enc: aes-cb 04e5f2aad62f00a468760ce21b1d210f
auth: sha1 0b91283b340826c9102154abc2363fa6782468f0
NPU acceleration: none

Pieciaq
6627
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to pieciaq

Created on ‎12-22-2021 12:17 PM

So, 10.56.y.0/24 is the destination subnet on the other end of the tunnel. Then why does the flow debug show 10.56.yy.yy as its GW? Does the same subnet exist on the local side?

6619
0 Kudos
pieciaq
New Contributor III
In response to Toshi_Esumi

Created on ‎12-23-2021 12:24 AM

Toshi_Esumi thanks for all your efort. Analyzing debug flow, starting to check why it is droping on policy and find this post: 

https://community.fortinet.com/t5/Fortinet-Forum/msg-quot-iprope-in-check-check-failed-on-policy-0-d...

 

 

I had created a virtual IP that would meet a new connectivity and it was the cause of my problems, even if not linked to any policy

Pieciaq
7993
0 Kudos
Toshi_Esumi
Esteemed Contributor III
In response to pieciaq

Created on ‎12-23-2021 08:01 AM

I think you already found where it was configured (in VIPs?). But easiest way to find this kind of issue is to just do "show | grep -f "10.56.y"" at the top command line hierarchy.

6587
0 Kudos
pieciaq
New Contributor III
In response to Toshi_Esumi

Created on ‎12-22-2021 12:00 PM

Rest look's like this:

id=20085 trace_id=1 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 10.0.xx.xx:1->10.56.yy.yy:2048) from VLAN2. type=8, code=0, id=1, seq=8656."
id=20085 trace_id=1 func=init_ip_session_common line=5913 msg="allocate a new session-5cba7027"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-10.56.yy.yy via root"
id=20085 trace_id=1 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"

Pieciaq
6633
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.