Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Reachability Issue Between Head Office and Bra...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reachability Issue Between Head Office and Branch IP After IPSec VPN Reconfigure
Hi,
I’m encountering a reachability issue between our Head Office and Branch Office following changes to our IP Sec VPN setup.
Specifically, the public IP of our Branch Office b-b-b-b is no longer reachable from our Head Office IP h-h-h-h. However, b-b-b-b remains accessible from other external sources, indicating that the branch connection is working outside the Head Office route.
This issue began after we deleted and reconfigured the IP Sec VPN on the Head Office firewall. Since then, the VPN tunnel fails to establish due to unreachability.
Notably
1- If I set up policy-based routing from the Head Office, I can reach b-b-b-b
2- However, with this routing, the IP Sec VPN tunnel fails to work.
3- I’ve verified that there are no deny policies, including local-in-policy, and the IP is only used in the IP Sec configuration.
Ping response from Head Office firewall:
execute ping b-b-b-b
send msg failed: 22 Invalid argument
send msg failed: 22 Invalid argument
send msg failed: 22 Invalid argument
send msg failed: 22 Invalid argument
send msg failed: 22 Invalid argument
Could you please advise on how best to proceed with diagnosing and resolving this issue?
Thanks,
Rohit K
Rohit K
Solved! Go to Solution.
Rohit K
Labels:
- Labels:
-
FortiGate
3 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @rohitchoudhary1978 ,
1) "This issue began after we deleted and reconfigured the IP Sec VPN on the Head Office firewall."
Any reason why you deleted and reconfigured the IPSec VPN on the Head Office?
Did you delete the IPSec VPN configuration, then copy from the backup FGT config to reconfigure it again? Or how did you do it? Did you make any changes?
2) "If I set up policy-based routing from the Head Office, I can reach b-b-b-b"
Not clear what you did for this. Did the Head Office FGT have dual WAN links?
And what did you mean by policy-based routing? PBR?
Can you provide the FGT config with such a configuration? Or you copy and paste it here?
3) "execute ping b-b-b-b"
Is b-b-b-b an IP or a hostname?
Do you have VDOM enabled? If yes, where did you run this command?
Can you run this command "exe ping 8.8.8.8" and get any response?
Can you run "exe ping h-h-h-h" from the Branch Office FW and get any response?
4) Before you first saw this issue, did you make any changes to Head Office FGT, such as adding new configurations?
5) If b-b-b-b is an IP, please run the following commands on Head Office FGT:
diag debug flow show iprope enable
diag debug flow filter addr b-b-b-b
diag debug flow filter proto 1
diag debug flow trace start 10
diag debug enable
Then run Ping. Please do not run the continuous Ping.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Rohitchoudhary1978
Ensure that the IPsec configuration on both the head office and branch office firewalls is correct and matches. Pay special attention to the phase 1 and phase 2 settings, including encryption, authentication, and network subnets
Check for any overlapping subnets between the head office and branch office configurations. Overlapping subnets can cause routing issues and prevent the VPN tunnel from establishing
Since policy-based routing allows reachability but breaks the VPN, review the routing table to ensure that the correct routes are in place for the VPN traffic.
Ensure that the default route or specific routes for the branch office are correctly configured on the head office firewall.
Use traceroute to determine where the connectivity issue occurs.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Before I read your last post about the bh route, I was thinking "routing issue".
Black hole routes are indeed a very useful tool in combination with IPsec VPNs, and Fortinet adopted this "best practise" only after many years (i.e., included this step in the VPN wizard).
But, bh routes - set up correctly - NEVER interfere with regular traffic.
The correct setup would be to set the bh routes' metric to 254. In other words, it will only be followed if there is no other route at all. 254 is the worst metric configurable (by the way, do NOT use 255! which will invalidate the metric completely).
As your original post unfortunately lacks crucial information, for instance the routing table ("get router info routing all"), we can only speculate what was happening. My guess is that "0.0.0.0" was inserted as the bh route, and that would never work correctly. Who knows.
If you want to learn more about bh routes and their usage just let me know. You should indeed recreate one to help your VPN recover faster from interruptions.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @rohitchoudhary1978 ,
1) "This issue began after we deleted and reconfigured the IP Sec VPN on the Head Office firewall."
Any reason why you deleted and reconfigured the IPSec VPN on the Head Office?
Did you delete the IPSec VPN configuration, then copy from the backup FGT config to reconfigure it again? Or how did you do it? Did you make any changes?
2) "If I set up policy-based routing from the Head Office, I can reach b-b-b-b"
Not clear what you did for this. Did the Head Office FGT have dual WAN links?
And what did you mean by policy-based routing? PBR?
Can you provide the FGT config with such a configuration? Or you copy and paste it here?
3) "execute ping b-b-b-b"
Is b-b-b-b an IP or a hostname?
Do you have VDOM enabled? If yes, where did you run this command?
Can you run this command "exe ping 8.8.8.8" and get any response?
Can you run "exe ping h-h-h-h" from the Branch Office FW and get any response?
4) Before you first saw this issue, did you make any changes to Head Office FGT, such as adding new configurations?
5) If b-b-b-b is an IP, please run the following commands on Head Office FGT:
diag debug flow show iprope enable
diag debug flow filter addr b-b-b-b
diag debug flow filter proto 1
diag debug flow trace start 10
diag debug enable
Then run Ping. Please do not run the continuous Ping.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Rohitchoudhary1978
Ensure that the IPsec configuration on both the head office and branch office firewalls is correct and matches. Pay special attention to the phase 1 and phase 2 settings, including encryption, authentication, and network subnets
Check for any overlapping subnets between the head office and branch office configurations. Overlapping subnets can cause routing issues and prevent the VPN tunnel from establishing
Since policy-based routing allows reachability but breaks the VPN, review the routing table to ensure that the correct routes are in place for the VPN traffic.
Ensure that the default route or specific routes for the branch office are correctly configured on the head office firewall.
Use traceroute to determine where the connectivity issue occurs.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, Thanks Team. I had found that a blackhole static route was created by the automated ipsec tunnel creation earlier, and due to that only the b.b.b.b was not reachable and it works after deletion. Thanks
a lot.
Rohit K
Rohit K
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Before I read your last post about the bh route, I was thinking "routing issue".
Black hole routes are indeed a very useful tool in combination with IPsec VPNs, and Fortinet adopted this "best practise" only after many years (i.e., included this step in the VPN wizard).
But, bh routes - set up correctly - NEVER interfere with regular traffic.
The correct setup would be to set the bh routes' metric to 254. In other words, it will only be followed if there is no other route at all. 254 is the worst metric configurable (by the way, do NOT use 255! which will invalidate the metric completely).
As your original post unfortunately lacks crucial information, for instance the routing table ("get router info routing all"), we can only speculate what was happening. My guess is that "0.0.0.0" was inserted as the bh route, and that would never work correctly. Who knows.
If you want to learn more about bh routes and their usage just let me know. You should indeed recreate one to help your VPN recover faster from interruptions.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Labels
-
FortiGate
10,553 -
FortiClient
2,145 -
FortiManager
889 -
5.2
687 -
FortiAnalyzer
677 -
5.4
638 -
FortiSwitch
582 -
FortiAP
559 -
FortiClient EMS
557 -
6.0
416 -
IPsec
416 -
SSL-VPN
374 -
FortiMail
371 -
5.6
362 -
FortiNAC
279 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
170 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
128 -
FortiCloud Products
116 -
FortiSIEM
112 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
Routing
75 -
ZTNA
75 -
Fortivoice
72 -
SAML
71 -
DNS
71 -
VLAN
70 -
FortiEDR
68 -
FortiADC
68 -
BGP
67 -
Authentication
66 -
Certificate
65 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
45 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
41 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
33 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
API
25 -
SSID
25 -
Static route
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiDeceptor
11 -
FortiRecorder
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2572 | |
| 1365 | |
| 796 | |
| 654 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.