Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
StephenL
New Contributor

Need assistance - VXLAN over IPSec - Active Directory issue - FortiOS 7.0.5

Hi,

 

I am not sure if this is a Fortinet or Windows issues, but just wanting to know if anyone else has experienced the issue I am having.


I have a working VXLAN over IPSec working. I can stand up Windows 2019 servers at both ends of the tunnel and at a basic level (ping, DNS etc all appear to be fine).  However, what I am finding is that Kerberos traffic doesn't seem to cross the VXLAN.


I can't login to a Windows server until I either


1) Disable the networking on the Windows server - Can then login with cached credentials and then re-enable networking (however this then presents issues access other network resources as server didn't complete any domain registration processes) OR

2) Stand-up an Active Directory Server on the same site as the server I want to have running at the second site - In this case all works well.

 

When I choose option 1 - I can, ping the remote Active Directory server, complete DNS queries against remote site server, but can't map Windows shares or any other task requiring authentication.

Packet captures and Wireshark traces don't show any issues.

 

If I chose option 2 - there are no problems everything works as expected, however I don't really want to have to stand-up a second Active Directory server.

Has anyone else experienced anything similar?

 

Thanks in advance.

2 REPLIES 2
scan888
Contributor

Hi, 

 

We had a similar issue over IPsec (without VXLAN). Is it possible that your Kerberos traffic are fragmented over your tunnel?

Please check that with "Package capture"-function.

 

If yes, please try with:

config vpn ipsec phase1-interface
  edit xxx
    set ip-fragmentation pre-encapsulation
  end

 

 

- Have you found a solution? Then give your helper a "Like" and mark the solution.
- Have you found a solution? Then give your helper a "Like" and mark the solution.
StephenL
New Contributor

Hi Scan888,

 

I checked the fragmentation and then set the ip-fragmentation but unfortunately it didn't resolve the issue.

 

Thanks for the tip anyway.

Labels
Top Kudoed Authors