pieciaq
New Contributor III

IPSec tunnel up (phase 1 and 2) but no Outgoing Data

Hi all,

I have an IPsec tunnel configured. It is up (phase 1 and 2) but there is no outgoing data.

A policy from the zone (with vlan10 in it) to the VPN tunnel is configured, and a static route (with the subnet I try to reach and the VPN interface) is configured as well.

When I ping from a computer in vlan10 I see a deny hitting policy 0 in FAZ.

What is the best practice for checking why traffic is not hitting this tunnel or policy?

P.S. I have access only to my side of the tunnel.

P.S. II. Is it possible that when my side of the tunnel is configured OK, policy and route as well, but something is missing on the other side of the tunnel, the tunnel will show both phases up but will send no data into the tunnel?

What bothers me is that there is 0 B in Outgoing Data.

FGT OS 6.4.6

Piotr$
1 Solution
pieciaq
New Contributor III

Toshi_Esumi, thanks for all your effort. Analyzing the debug flow, starting to check why it was dropping on policy, I found this post:

https://community.fortinet.com/t5/Fortinet-Forum/msg-quot-iprope-in-check-check-failed-on-policy-0-d...

I had created a virtual IP for a new connectivity need, and it was the cause of my problems, even though it was not linked to any policy.

Piotr$

12 REPLIES
pieciaq
New Contributor III

It is like this:

id=20085 trace_id=1 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"

Piotr$
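The debug flow line quoted above is in the key=value format that FortiGate `diagnose debug flow` traces use, and the fastest way to see why a packet never reaches a VPN policy is to pull the drop verdict and the route decision out of that trace. The following parser is an added example written for this thread; it is not code from Fortinet or from any poster. It assumes that every trace line is a sequence of `key=value` pairs with quoted `msg` values (as in the line quoted above), and that a line from `fw_local_in_handler` means the packet was processed on the local-in path, i.e. the firewall treated the destination as one of its own addresses, which is consistent with the accepted solution (a VIP claiming the destination). All sample lines except the one quoted in the thread are constructed for illustration, including the 192.0.2.x/198.51.100.x addresses and the `vpn-to-hq` interface name.

```python
import re
from collections import defaultdict

# Constructed sample trace. Only the fw_local_in_handler line is taken from
# the thread; the other lines, addresses and the interface name are made up.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 192.0.2.10:1->198.51.100.20:2048) from vlan10. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5921 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=fw_local_in_handler line=435 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5746 msg="vd-root:0 received a packet(proto=1, 192.0.2.10:1->198.51.100.21:2048) from vlan10. type=8, code=0, id=1, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5921 msg="allocate a new session-0000a1b3"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-198.51.100.1 via vpn-to-hq"
id=20085 trace_id=2 func=fw_forward_handler line=765 msg="Allowed by Policy-7:"
"""

# key=value pairs; a quoted value (the msg field) is consumed as one token so
# the key=value fragments inside it are not parsed as separate fields.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one trace line into a dict of field -> string value."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_trace(text):
    """Group trace lines by trace_id (one trace per packet)."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if "trace_id" in rec:
            traces[rec["trace_id"]].append(rec)
    return dict(traces)


def verdict(records):
    """Return ('drop' | 'allow' | 'unknown', handler function, message)."""
    for rec in records:
        msg = rec.get("msg", "")
        func = rec.get("func", "")
        if "drop" in msg.lower():
            return ("drop", func, msg)
        if msg.startswith("Allowed by Policy"):
            return ("allow", func, msg)
    return ("unknown", "", "")


def egress_interface(records):
    """Return the interface named in a 'find a route ... via X' line, or None."""
    for rec in records:
        msg = rec.get("msg", "")
        m = re.search(r"via (\S+)", msg)
        if m and "find a route" in msg:
            return m.group(1)
    return None


def triage(text):
    """Per trace_id: verdict, the handler that decided it, and the route found.

    local_in is True when the drop came from fw_local_in_handler, i.e. the
    packet never entered the forwarding path and so could never match a
    zone -> VPN policy (assumed meaning of that handler name).
    """
    out = {}
    for tid, recs in parse_trace(text).items():
        kind, func, msg = verdict(recs)
        out[tid] = {
            "verdict": kind,
            "func": func,
            "msg": msg,
            "local_in": kind == "drop" and func == "fw_local_in_handler",
            "route_via": egress_interface(recs),
        }
    return out


if __name__ == "__main__":
    for tid, info in triage(SAMPLE_TRACE).items():
        print(f"trace {tid}: {info['verdict']:7} local_in={info['local_in']} "
              f"route_via={info['route_via']} ({info['msg']})")
```

Run against a saved `diagnose debug flow` capture, a trace that ends in a local-in drop with no route line tells you to look at what claims the destination address on the firewall itself (VIPs, interface addresses) before spending time on the zone-to-tunnel policy, whereas a trace that finds a route via the tunnel interface and is then dropped points at the policy.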
Debbie_FTNT
Staff

Hey pieciaq,

To clarify: you have a static route configured via the VPN tunnel?

-> the gateway you included above, 10.55.10.51, is that the correct gateway reachable through the tunnel?

You also have a policy from a zone (of which your vlan10 interface is a member) to the tunnel?

-> Have you checked the policy details for the following:

1. It allows ICMP.

2. The source/destination addresses match your traffic.

You can use the 'Policy Lookup' tool in the policy table to determine whether you have a matching policy in place (to verify that your ping matches the configured zone->IPsec policy):

[screenshot: Policy Lookup tool]

Hope this helps :)
Cheers!

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
pieciaq
New Contributor III

Thanks a lot for your help.

Yes, I checked Policy Lookup. When I choose the source (the IP of the computer I ping from), the destination (the IP of the computer behind the tunnel), protocol "specify" with protocol number 1 (the equivalent of ICMP), it shows me a route with my tunnel interface, so I think that part is OK.

So if the tunnel is up (all phases) and it shows a good route, can the problem only be with the policy?

Piotr$