Hi
I have this configuration:
forticlientPC -----IPSEC1-------->DC1---------IPSEC2----------->DC2
DC1-datacenter1
DC2-datacenter2
IPSEC1-forticlient ipsec tunnel
IPSEC2-site to site permanent tunnel
I use FortiClient on Windows 10. When I connect with FortiClient I can ping hosts in DC1, but not in DC2. IPSEC2 is a static site-to-site tunnel. So the packets should go via the first FortiClient tunnel to DC1, then through IPSEC2 to DC2.

But: I can ping from PC to hosts in DC1. I can ping from DC1 hosts to DC2 hosts. When pinging from forticlientPC -> DC2 I have this debug output at the FortiGate 300D in DC1:

id=20085 trace_id=477 func=resolve_ip_tuple_fast line=5450 msg="Find an existing session, id-09a8ce00, original direction"
id=20085 trace_id=477 func=npu_handle_session44 line=1096 msg="Trying to offloading session from forticlient_26 to IPSEC2, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x03000000"
id=20085 trace_id=477 func=ipsecdev_hard_start_xmit line=640 msg="enter IPsec interface-IPSEC2"
id=20085 trace_id=477 func=ipsec_common_output4 line=804 msg="SA is not ready yet, drop"

"SA is not ready yet, drop". I googled it and found a suggestion that it means the tunnel is not ready. But both tunnels are up and running! To add to the confusion - after restarting the FortiGate 300D in DC1 it started working for some time, and then stopped some time later... Can you point me in some direction? I'm confused by this behaviour. I use a FortiGate 300D with firmware 5.6.11 (latest from 5.x).
In your phase2 for DC-to-DC, do you have the FortiClient traffic selectors configured? The set src-subnet needs to have the FC client ranges at DC1 and DC2; the set dst-subnet must have this along with a route.
Ken Felix
PCNSE
NSE
StrongSwan
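As an added illustration of the point in the reply above (this is example configuration written for this thread, not Ken's or the original poster's config), the FortiOS CLI below adds a second phase2 selector pair to the DC-to-DC tunnel on each side so that the FortiClient address pool is covered by an SA, plus the return route and policies DC2 needs. The phase1 name "IPSEC2", the dialup phase1 name "forticlient", the FortiClient pool 10.212.134.0/24, and the LAN prefixes 10.1.0.0/16 (DC1) and 10.2.0.0/16 (DC2) are all assumed placeholders; substitute the real values. Without a selector that matches the FortiClient source range, traffic routed into the IPSEC2 interface has no SA to use, which is what "SA is not ready yet, drop" reports even while the tunnel's existing LAN-to-LAN SA is up.

```fortios
# ===== DC1 FortiGate (assumed names and prefixes) =====
config firewall address
    edit "FC_POOL"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "DC2_LAN"
        set subnet 10.2.0.0 255.255.0.0
    next
end

# Existing LAN-to-LAN selector stays as it is; add a second phase2
# entry whose source is the FortiClient pool. auto-negotiate brings
# the SA up without waiting for the first packet, so the selector
# does not sit idle (and drop traffic) after a rekey or reboot.
config vpn ipsec phase2-interface
    edit "IPSEC2_FC_to_DC2"
        set phase1name "IPSEC2"
        set auto-negotiate enable
        set keepalive enable
        set src-subnet 10.212.134.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# Policy from the dialup tunnel interface into the site-to-site tunnel.
# The dialup interface name is the phase1 name; the per-client
# "forticlient_26" seen in the debug output is a child of it.
config firewall policy
    edit 0
        set name "FC_to_DC2"
        set srcintf "forticlient"
        set dstintf "IPSEC2"
        set srcaddr "FC_POOL"
        set dstaddr "DC2_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== DC2 FortiGate: mirror image of the selector, plus return route =====
config firewall address
    edit "FC_POOL"
        set subnet 10.212.134.0 255.255.255.0
    next
    edit "DC2_LAN"
        set subnet 10.2.0.0 255.255.0.0
    next
end

config vpn ipsec phase2-interface
    edit "IPSEC2_DC2_to_FC"
        set phase1name "IPSEC2"
        set auto-negotiate enable
        set keepalive enable
        set src-subnet 10.2.0.0 255.255.0.0
        set dst-subnet 10.212.134.0 255.255.255.0
    next
end

# Replies to FortiClient addresses must be routed back into the tunnel;
# without this DC2 sends them toward its default gateway.
config router static
    edit 0
        set dst 10.212.134.0 255.255.255.0
        set device "IPSEC2"
    next
end

config firewall policy
    edit 0
        set name "DC2_from_FC"
        set srcintf "IPSEC2"
        set dstintf "internal"
        set srcaddr "FC_POOL"
        set dstaddr "DC2_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To confirm the fix took, run "diagnose vpn tunnel list name IPSEC2" on either side and check that a second proxyid with the FortiClient pool as its selector shows an installed SA; "get vpn ipsec tunnel summary" should list both selectors as up. Re-running the "diagnose debug flow" trace from the original post should then show the packet entering IPSEC2 without the drop message.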