Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mbrad
New Contributor

LAN hosts unreachable on first attempt

Connected to VPN using IPsec, Windows 10 Pro. When I try to reach any host on the remote LAN (192.168.1.1/24) from my client, the first time always fails, and then from the second attempt and on it works. If I run a tracert to any host on the remote LAN, the first time I get:

1  <my own adapter IP address, obtained via DHCP from my local router>  reports: Destination host unreachable.

So, it looks like the first time, Windows is trying to route through my local (home) network, which is also 192.168.1.1/24. If I try a second tracert to the same host, it is routed through 169.254.1.1 and reaches the correct destination on the next hop - and from then on the route to that host continues to work.

How do I fix this? It's driving me crazy.

TecnetRuss
Contributor

Having the same subnet (e.g. 192.168.1.1/24) on both sides of a VPN tunnel is always problematic and something to be avoided.  Your computer has two routes to the same subnet and which route is used depends on whether these two routes have the same metric or not (the "route print" command in Windows will tell you), and you are not going to be able to talk to devices in both 192.168.1.1/24 subnets at the same time properly.

We always avoid using 192.168.0.x/24 and 192.168.1.x/24 subnets and only use subnets in the 10.0.0.0/8 or 172.16.0.0/12 private ranges for our FortiGate deployments to try to avoid this sort of routing conflict with these commonly used subnets on consumer/home routers.

The best solution is to change your subnet.

Russ

NSE7
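To make the route-selection point of the reply concrete, here is an added example (not code from either poster or from Fortinet) that parses a constructed, reduced "route print" style IPv4 table and applies the longest-prefix-then-lowest-metric rule. The sample table, the adapter addresses and the metric values are assumptions made up for the illustration: it shows the home LAN and the VPN both advertising 192.168.1.0/24 with equal metrics, so the selection ends in a tie, next to a non-overlapping remote prefix (10.20.0.0/16) that resolves to a single VPN route.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the shape of the IPv4 section of a Windows "route print".
# Addresses and metrics are assumptions chosen to reproduce the overlap described
# in the question; a real table will differ.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.23     35
      192.168.1.0    255.255.255.0         On-link     192.168.1.23    291
      192.168.1.0    255.255.255.0     169.254.1.1      169.254.1.2    291
       10.20.0.0      255.255.0.0     169.254.1.1      169.254.1.2    291
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str      # "On-link" for a directly connected prefix
    interface: str    # address of the local adapter the route leaves through
    metric: int


def parse_route_print(text):
    """Parse five-column rows (destination, netmask, gateway, interface, metric)
    into Route objects; header, title and separator lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.IPv4Network((dest, mask), strict=False)
            routes.append(Route(net, gateway, iface, int(metric)))
        except ValueError:
            continue  # not a route row
    return routes


def select_route(dest, routes):
    """Return the candidate routes for dest after longest-prefix match and then
    lowest-metric tie-break. More than one result means the table is ambiguous:
    the host cannot reliably pick one path for that destination."""
    addr = ipaddress.IPv4Address(dest)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return []
    best_len = max(r.network.prefixlen for r in matches)
    longest = [r for r in matches if r.network.prefixlen == best_len]
    best_metric = min(r.metric for r in longest)
    return [r for r in longest if r.metric == best_metric]


def overlapping_prefixes(routes):
    """Prefixes that are reachable through more than one interface: the
    condition the reply warns about when both VPN ends use the same subnet."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.network, set()).add(r.interface)
    return {str(net) for net, ifaces in by_prefix.items() if len(ifaces) > 1}


ROUTES = parse_route_print(SAMPLE_ROUTE_PRINT)

if __name__ == "__main__":
    print("overlapping prefixes:", overlapping_prefixes(ROUTES))
    for target in ("192.168.1.50", "10.20.0.5", "8.8.8.8"):
        cands = select_route(target, ROUTES)
        print(target, "->", [(r.gateway, r.interface, r.metric) for r in cands],
              "(AMBIGUOUS)" if len(cands) > 1 else "")
```

Running it reports 192.168.1.0/24 as overlapping and returns two equally good routes for 192.168.1.50 (one via the home adapter, one via the VPN adapter), while 10.20.0.5 resolves to exactly one route through 169.254.1.1. Renumbering either side, as the reply recommends, is what removes the tie; changing metrics alone only decides which of the two 192.168.1.0/24 networks becomes unreachable.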
