Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Remote Internet Access issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Remote Internet Access issue
Hello,
I have issue with RIA by Tunnel in case of main WAN link is down or IP SLA is not meet...
I have two sites (MAIN and SMALL) and FGTs 100F in each.
This SMALL Site has three interfaces:
WAN1 - Internet access
IPSec Tunnel0 - P2P Link between sites
IPSec Tunnel1 - use WAN1 Internet Interface
I have one SDWAN zone with all these interfaces above and two rule:
1. To_MAIN Site (use Tunnel0 -prefered, and Tunnel1) (for traffic between sites)
2.To_Internet (use WAN - prefered, and Tunnel0 when WAN int has issue or is down (IP SLA))
I have FW rule to from SMALL to MAIN site and destination interface is SDWAN zone
Issue is when WAN link has issue (or is down) and is removed from RoutingTable (thanks to SLA) - Internet don't work, I see in debug that trafic is going to tunnel0 but not work, I found also in debug that FGT is still do NAT using IP of WAN Interface , but why ?? When I disable NAT on FW rulle is working, but i need NAT when WAN link(Internet) will be up again...
LOG below:
2024-08-30 14:37:12 id=20085 trace_id=188 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.40.3.10:1->8.8.4.4:2048) tun_id=0.0.0.0 from vlan40. type=8, code=0, id=1, seq=2696."
2024-08-30 14:37:12 id=20085 trace_id=188 func=resolve_ip_tuple_fast line=5953 msg="Find an existing session, id-2d3ee778, original direction"
2024-08-30 14:37:12 id=20085 trace_id=188 func=npu_handle_session44 line=1183 msg="Trying to offloading session from vlan40 to Tunnel0-ToMain, skb.npu_flag=00000400 ses.state=00012204 ses.npu_state=0x05041008"
2024-08-30 14:37:12 id=20085 trace_id=188 func=fw_forward_dirty_handler line=410 msg="state=00012204, state2=00004001, npu_state=05041008"
2024-08-30 14:37:12 id=20085 trace_id=188 func=ids_receive line=418 msg="send to ips"
2024-08-30 14:37:12 id=20085 trace_id=188 func=__ip_session_run_tuple line=3487 msg="SNAT 10.40.3.10->169.xx.xx.10:60417"
2024-08-30 14:37:12 id=20085 trace_id=188 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Tunnel0-ToMain, tun_id=0.0.0.0"
2024-08-30 14:37:12 id=20085 trace_id=188 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Tunnel0-ToMain"
2024-08-30 14:37:12 id=20085 trace_id=188 func=esp_output4 line=844 msg="IPsec encrypt/auth"
2024-08-30 14:37:12 id=20085 trace_id=188 func=ipsec_output_finish line=544 msg="send to 10.254.254.1 via intf-internal3"
Shouldn't be used for NAT IP of the Tunnel0 Interface ??
Thanks
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello tedew,
Thank you for reaching out. If the route as you mentioned was already removed from routing table using the option to "update-static-route" in performance SLA I assume, this issue should not happen however I am suspecting the firewall still finding the route somehow and using the old route snat. Have you tried to enable "snat-route-change" as a fix:
Config sys global
set snat-route-change enable
end
Also make sure the firewall policy matching the traffic is not using an ip pool with external ip being the wan ip please.
Thank you,
saleha
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have "Use Outgoing Interface Address" in my rules.
I have checked and I don't have this option set -> set snat-route-change enable
I read this post
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Implement-Source-NAT-for-IPsec-interface/t...
And i don't have set IP in IPSec on both sides, this also could be a reason ??
config system interface
edit "Tunnel0-ToMain"
set vdom "root"
set type tunnel
set snmp-index 20
set interface "internal6"
nextSetting IP on IPSec Interface can do some impact on current sessions between sites??
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You can try setting the ipsec interface with a static ip yes I assumed you already had that enabled to use it for performance SLA. The option "snat-route-change" should still be available under the global config menu. you can try to locate it with the following command:
show full sys global | grep snat
Thank you,
saleha
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have checked, and is disabled
show full sys global | grep snat
set snat-route-change disable
Created on 09-02-2024 05:59 AM Edited on 09-02-2024 05:59 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
@saleha . so as action plan I should.
1.set snat-route-change enable
2.Set IP on both IPSec tunnels
correct ??
During setting these options i will break some connections ??
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes you should plan a down time. I assume that the phase2 selectors on the ipsec tunnel at least on the direction from branch to main office is setup with default address - 0.0.0.0/0 - since it is for an RIA deployment. This is important because if you source nat the traffic the remote end of the tunnel should be able to allow this traffic based on natted address. That means the ipsec interface address should be allowed by a firewall policy as a source subnet on the remote/main office fortigate. You can test that with debug flow commands that you used to find out before to illustrate the issue:
di de flow filter addr 8.8.4.4
di de flow filter proto 1 <---- icmp protocol number
di de flow show function enable
di de flow trace strart 10
di de console time en
di de en
Thank you,
saleha
2- Firew
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had a similar issue before. When the WAN link drops, the FortiGate might still try to use the old NAT settings tied to that interface, causing traffic to get stuck. I fixed it by setting up a custom NAT policy that activates only when the WAN is down. This way, the device uses the correct NAT with Tunnel0.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
@Therejorty , could You please provide more details how this custom NAT policy looks like :) ??
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But I have my FGT set like this, so I think no possible to set Custom NAT...
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate VM Double NAT issue in... 105 Views
- Fortigate: Local-in-policy block Access from internet... 201 Views
- FortiNAC Registration Portal Bypassed When Using... 153 Views
- Sites that use Cloudflare DNS Proxy... 420 Views
- Need assistance - dual WAN 138 Views
Labels
-
FortiGate
8,081 -
FortiClient
1,624 -
5.2
801 -
FortiManager
682 -
5.4
639 -
FortiAnalyzer
518 -
FortiAP
427 -
FortiSwitch
426 -
6.0
416 -
FortiClient EMS
366 -
5.6
362 -
FortiMail
301 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
189 -
SSL-VPN
179 -
FortiNAC
163 -
IPsec
154 -
6.4
128 -
FortiGuard
125 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
94 -
SD-WAN
89 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
70 -
4.0MR3
64 -
Firewall policy
58 -
FortiProxy
53 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
41 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
35 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
26 -
FortiConverter
25 -
Authentication
25 -
FortiWAN
24 -
RADIUS
24 -
FortiLink
24 -
FortiGate v5.2
23 -
VDOM
23 -
Application control
21 -
Web profile
21 -
Virtual IP
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
Traffic shaping
17 -
FortiMonitor
16 -
FortiPAM
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
System settings
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
RMA Information and Announcements
8 -
IPS signature
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1517 | |
| 1013 | |
| 749 | |
| 443 | |
| 209 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.