Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPresence
- FortiPortal
- FortiProxy
- FortiRecon
- FortiSRA
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- IPSec tunnel up (phase 1 and 2) but no Outgoing Da...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec tunnel up (phase 1 and 2) but no Outgoing Data
Hi all,
got configured IPSec tunnel it is up (phase 1 and 2) but no Outgoing Data.
Policy from Zone (with vlan10 in it) to VPN tunnel configured, Static Route (with subnet I try to reach, and VPN interface configured) also.
When Ping from computer with vlan10 I see deny and hit policy 0 in FAZ.
What is the best practice to check why traffic is not hitting this tunnel or policy?
P.S I have access only to my side of tunnel.
P.S II. Is is possible that when my part of the tunnel is configured ok, policy and route also but on the other side of the tunnel something is missing tunnel will show up on 2 phases but will send no data to the tunnel?
What's bother me is that there is O B in Outgoing data.
FGT OS. 6.4.6
Piotr$
Solved! Go to Solution.
Piotr$
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Toshi_Esumi thanks for all your efort. Analyzing debug flow, starting to check why it is droping on policy and find this post:
I had created a virtual IP that would meet a new connectivity and it was the cause of my problems, even if not linked to any policy
Piotr$
Piotr$
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If it's hitting policy 0 (deny all) then the problem is on the FGT side not the other side.
Do you have a route in the FortiGate for the subnet you're trying to reach to go out through the VPN interface?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes Sir, got Static Route with VPN interface na subnet I want to reach.
Make some debug flow and notice that address with subnet I try to ping got route via root, I think it should be VPN tunnel name there, what's can causing this problem?
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-10.55.10.51 via root"
Piotr$
Piotr$
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What was in the next line after "find a route:" in the flow debug? Was it the "Denied by forward policy check (policy 0)"?
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And, I have some doubt about the status of the tunnel. Can you share the output of "get vpn ipsec tun name <phase1_name>" after modifying/masking some sensitive info?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tunnel configuration seems ok:
get vpn ipsec tunnel name TUNNEL
gateway
name: 'TUNNEL'
type: route-based
local-gateway: xxx.xxx.xxx.xxx:0 (static)
remote-gateway: yyy.yyy.yyy.yyy:0 (static)
mode: ike-v1
interface: 'port1' (9)
rx packets: 0 bytes: 0 errors: 0
tx packets: 0 bytes: 0 errors: 0
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'Phase1'
auto-negotiate: disable
mode: tunnel
src: 0:192.168.5.1/255.255.255.255:0
dst: 0:10.56.yy.yy/255.255.255.0:0
SA
lifetime/rekey: 3600/707
mtu: 1438
tx-esp-seq: 1
replay: enabled
qat: 0
inbound
spi: 1ba9b6db
enc: aes-cb 5b5b4532927d24a15f84141f42164d39
auth: sha1 fbb3244bde10c709405785bbf168487807761773
outbound
spi: bacd23d5
enc: aes-cb 8e4e8f52bccf097ba6ba014a8562217d
auth: sha1 3c13468121dc7c8183b6d24e127cd08dd358fe06
NPU acceleration: none
selectors
name: 'Phase2'
auto-negotiate: disable
mode: tunnel
src: 0:192.168.6.0/255.255.255.0:0
dst: 0:10.56.yy.yy/255.255.255.0:0
SA
lifetime/rekey: 3600/710
mtu: 1438
tx-esp-seq: 1
replay: enabled
qat: 0
inbound
spi: 1ba9b6dc
enc: aes-cb 8caac5f1b3f185ee9229b4c1cf07ae06
auth: sha1 7a187db64dea41fc443e50bfc78236930b7ab26f
outbound
spi: 774ea32b
enc: aes-cb 04e5f2aad62f00a468760ce21b1d210f
auth: sha1 0b91283b340826c9102154abc2363fa6782468f0
NPU acceleration: none
Piotr$
Piotr$
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, 10.56.y.0/24 is the destination subnet on the other end of the tunnel. Then why does the flow debug show 10.56.yy.yy as its GW? Does the same subnet exist on the local side?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Toshi_Esumi thanks for all your efort. Analyzing debug flow, starting to check why it is droping on policy and find this post:
I had created a virtual IP that would meet a new connectivity and it was the cause of my problems, even if not linked to any policy
Piotr$
Piotr$
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you already found where it was configured (in VIPs?). But easiest way to find this kind of issue is to just do "show | grep -f "10.56.y"" at the top command line hierarchy.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rest look's like this:
id=20085 trace_id=1 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 10.0.xx.xx:1->10.56.yy.yy:2048) from VLAN2. type=8, code=0, id=1, seq=8656."
id=20085 trace_id=1 func=init_ip_session_common line=5913 msg="allocate a new session-5cba7027"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=80000000 gw-10.56.yy.yy via root"
id=20085 trace_id=1 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"
Piotr$
Piotr$
Labels
-
FortiGate
9,807 -
FortiClient
2,001 -
FortiManager
832 -
5.2
801 -
FortiAnalyzer
645 -
5.4
639 -
FortiSwitch
540 -
FortiAP
527 -
FortiClient EMS
501 -
6.0
416 -
5.6
362 -
FortiMail
357 -
SSL-VPN
325 -
IPsec
319 -
6.2
251 -
FortiNAC
243 -
FortiAuthenticator v5.5
234 -
FortiWeb
234 -
5.0
196 -
SD-WAN
162 -
FortiGuard
155 -
FortiAuthenticator
145 -
6.4
128 -
Firewall policy
119 -
FortiGateCloud
111 -
FortiSIEM
109 -
FortiCloud Products
107 -
FortiToken
100 -
Wireless Controller
91 -
Customer Service
84 -
FortiGate-VM
75 -
High Availability
75 -
FortiProxy
72 -
ZTNA
68 -
FortiEDR
65 -
4.0MR3
64 -
Fortivoice
64 -
VLAN
64 -
Routing
61 -
DNS
61 -
FortiADC
60 -
SAML
59 -
BGP
55 -
Authentication
54 -
RADIUS
53 -
Certificate
53 -
FortiSandbox
51 -
LDAP
50 -
NAT
49 -
FortiExtender
47 -
SSO
46 -
FortiDNS
43 -
FortiLink
42 -
FortiGate v5.4
37 -
VDOM
37 -
Application control
37 -
Logging
36 -
FortiSwitch v6.4
35 -
Interface
35 -
FortiConnect
34 -
FortiWAN
31 -
Virtual IP
31 -
Web profile
30 -
FortiPAM
29 -
FortiGate v5.2
27 -
FortiConverter
27 -
SSL SSH inspection
25 -
Traffic shaping
24 -
FortiPortal
23 -
Static route
23 -
FortiGate Cloud
22 -
SSID
22 -
Automation
22 -
FortiSwitch v6.2
20 -
SNMP
20 -
FortiMonitor
19 -
WAN optimization
19 -
OSPF
17 -
API
17 -
System settings
17 -
FortiDDoS
15 -
Admin
15 -
Security profile
15 -
FortiAP profile
15 -
Web application firewall profile
15 -
IP address management - IPAM
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
FortiCASB
14 -
IPS signature
14 -
Proxy policy
13 -
Intrusion prevention
13 -
FortiManager v4.0
12 -
Traffic shaping policy
12 -
Web rating
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Explicit proxy
11 -
Port policy
11 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Users
10 -
Traffic shaping profile
10 -
Fabric connector
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiDeceptor
9 -
FortiAnalyzer v5.0
9 -
RMA Information and Announcements
9 -
DNS filter
9 -
trunk
9 -
Fortinet Engage Partner Program
9 -
FortiCache
8 -
Antivirus profile
8 -
4.0
7 -
Application signature
7 -
Authentication rule and scheme
7 -
FortiToken Cloud
6 -
Packet capture
6 -
NAC policy
6 -
VoIP profile
6 -
FortiCarrier
5 -
FortiScan
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
Vulnerability Management
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
FortiNDR
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
File filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Virtual wire pair
1 -
FortiEdge
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2321 | |
| 1259 | |
| 772 | |
| 453 | |
| 432 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.