Chems

Ipsec Tunnels Issue (no traffic inbound)

Hi guys,

I have a 310B cluster connected to a dozen FortiGate 60/80C units through IPsec tunnels.

A lot of tunnels are UP and traffic is OK.

But for an unknown reason, some other tunnels remain UP but traffic is OK in only one direction; on the other side I have 0kb inbound on the 60/80 interface.

310 > 60/80 = KO

60 > 310 = OK

The configurations didn't change, but traffic sometimes doesn't work anymore.

Does anyone have any idea?

Thanks all!

Christopher_McMullan

Can you sniff for protocol 50 traffic, to see if payloads are making it in both directions (or not)?

 

diag sniff pack wan1 "proto 50" 4

Regards, Chris McMullan Fortinet Ottawa

Chems

From FGT 1

 

Christopher McMullan_FTNT wrote:

Can you sniff for protocol 50 traffic, to see if payloads are making it in both directions (or not)?

 

diag sniff pack wan1 "proto 50" 4

FW1 # diagnose sniffer packet wan1 "proto 50" 4
interfaces=[wan1]
filters=[proto 50]
0.645633 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
0.645716 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
0.645755 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
1.295463 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
1.309867 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
1.418372 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
2.308222 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
2.323156 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
3.322189 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
3.337118 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
3.430819 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
3.430901 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
3.430940 wan1 -- 192.168.99.254 -> 125.82.62.18: ip-proto-50 116
 
13 packets received by filter
0 packets dropped by kernel
 
FW1 #

 

 

From FGT 2

FW2 (Autre) # diagnose sniffer packet port5 "host 124.47.79.15" 4
interfaces=[port5]
filters=[host 124.47.79.15]
5.495922 port5 -- 124.47.79.15.500 -> 125.82.62.18.500: udp 92
5.496241 port5 -- 125.82.62.18.500 -> 124.47.79.15.500: udp 92
10.505199 port5 -- 124.47.79.15.500 -> 125.82.62.18.500: udp 92
10.505385 port5 -- 125.82.62.18.500 -> 124.47.79.15.500: udp 92
15.517360 port5 -- 124.47.79.15.500 -> 125.82.62.18.500: udp 92
15.517554 port5 -- 125.82.62.18.500 -> 124.47.79.15.500: udp 92
20.524145 port5 -- 124.47.79.15.500 -> 125.82.62.18.500: udp 92
20.524334 port5 -- 125.82.62.18.500 -> 124.47.79.15.500: udp 92
25.533544 port5 -- 124.47.79.15.500 -> 125.82.62.18.500: udp 92
25.533731 port5 -- 125.82.62.18.500 -> 124.47.79.15.500: udp 92
30.543820 port5 -- 124.47.79.15.500 -> 125.82.62.18.500: udp 92
30.544016 port5 -- 125.82.62.18.500 -> 124.47.79.15.500: udp 92

12 packets received by filter
0 packets dropped by kernel

FW2 (Autre) #

 

Reply packets don't appear ... good lead, thanks
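
The check suggested in this thread (are ESP payloads seen in both directions?) can be run mechanically over saved sniffer output. The following is an added example, not part of the original posts and not Fortinet tooling: it parses verbosity-4 lines in the format shown above and lists flows that have packets in one direction only. The sample addresses are constructed, the function names are hypothetical, and IPv4 is assumed.

```python
import re
from collections import defaultdict

# Verbosity-4 line shape seen in the thread:
#   <time> <iface> -- <src> -> <dst>: <proto> <length>
LINE = re.compile(
    r"^\d+\.\d+\s+\S+\s+--\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<proto>\S+)\s+\d+"
)

# Constructed capture using documentation addresses; not the poster's output.
SAMPLE = """\
interfaces=[wan1]
filters=[host 192.0.2.10]
0.645633 wan1 -- 192.0.2.10 -> 198.51.100.20: ip-proto-50 116
1.295463 wan1 -- 192.0.2.10 -> 198.51.100.20: ip-proto-50 116
2.308222 wan1 -- 192.0.2.10 -> 198.51.100.20: ip-proto-50 116
5.495922 wan1 -- 192.0.2.10.500 -> 198.51.100.20.500: udp 92
5.496241 wan1 -- 198.51.100.20.500 -> 192.0.2.10.500: udp 92
7.100000 wan1 -- 203.0.113.5 -> 192.0.2.10: ip-proto-50 132
7.100400 wan1 -- 192.0.2.10 -> 203.0.113.5: ip-proto-50 132

7 packets received by filter
"""

def host_only(addr):
    """Drop the trailing '.port' that udp/tcp lines append to an IPv4 address."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr

def direction_counts(capture):
    """Return {(proto, peer_a, peer_b): {(src, dst): packets}}."""
    flows = defaultdict(lambda: defaultdict(int))
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, summary and prompt lines
        src, dst = host_only(m["src"]), host_only(m["dst"])
        flows[(m["proto"], *sorted((src, dst)))][(src, dst)] += 1
    return flows

def one_way(capture, proto="ip-proto-50"):
    """List (src, dst, packets) for proto flows with no packet in the reverse direction."""
    return [
        (src, dst, n)
        for (p, _, _), dirs in direction_counts(capture).items() if p == proto
        for (src, dst), n in dirs.items() if dirs.get((dst, src), 0) == 0
    ]
```

An empty result only means no one-way ESP flow was found in the lines supplied. A capture that contains only UDP 500 lines, like the FW2 output above, also returns an empty list because no ESP was captured at all.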
