I am running 5.6.6 on a Fortigate 60D. I have a remote VPN client that connects to the local Fortigate, and the local Fortigate already has a router-to-router connection with our hosted network. When the VPN client tries to reach a host on the router-to-router connection, it gets the following trace:
id=20085 trace_id=931 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=356."
id=20085 trace_id=931 func=init_ip_session_common line=5454 msg="allocate a new session-0028d989"
id=20085 trace_id=931 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.40.108.12 via SherWeb"
id=20085 trace_id=931 func=fw_forward_handler line=737 msg="Allowed by Policy-8:"
id=20085 trace_id=931 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=931 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=932 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=357."
id=20085 trace_id=932 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=932 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=932 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=932 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=933 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=358."
id=20085 trace_id=933 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=933 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=933 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=933 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=934 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=359."
id=20085 trace_id=934 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=934 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=934 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=934 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
I have no idea how to handle this. The "SA not ready" message does not make sense to me, since this tunnel is up all the time. What am I missing to allow the remote VPN user to access the remote systems?
Thank You,
David Demland
Do your phase2 network selectors include this source IP 10.77.250.102?
Yes I have the following:
10.77.250.0/255.255.255.0 10.40.108.0/255.255.255.0
I also have a couple of other networks in the selectors, but they are for internal users, not remote VPN users.
David
Then you have to start debugging with 1) the sniffer, to see how far the packet gets, then 2) flow debugging, to see why it's dropped. Make sure you disable ASIC offloading on the policies for debugging.
I have done this. The sniffer shows:
SparkRouter # diagnose sniffer packet SherWeb 'host 10.40.108.12 and host 10.77.250.101' 4 500
interfaces=[SherWeb]
filters=[host 10.40.108.12 and host 10.77.250.101]
pcap_lookupnet: SherWeb: no IPv4 address assigned
4.211977 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request
9.051125 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request
14.044818 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request
19.052117 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request
And the flow still shows:
SparkRouter # id=20085 trace_id=959 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=269."
id=20085 trace_id=959 func=init_ip_session_common line=5454 msg="allocate a new session-002bddf8"
id=20085 trace_id=959 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.40.108.12 via SherWeb"
id=20085 trace_id=959 func=fw_forward_handler line=737 msg="Allowed by Policy-8:"
id=20085 trace_id=959 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=959 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=960 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=270."
id=20085 trace_id=960 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-002bddf8, original direction"
id=20085 trace_id=960 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_1 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=960 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=960 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=961 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=271."
id=20085 trace_id=961 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-002bddf8, original direction"
id=20085 trace_id=961 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_1 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=961 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=961 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=962 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=272."
id=20085 trace_id=962 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-002bddf8, original direction"
id=20085 trace_id=962 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_1 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=962 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=962 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
Which still leaves me with the question: what does "SA is not ready yet, drop" mean, and is this the reason the echo reply is not coming back?
Thank You,
David
The actual problem was that my hosting company did not set the selectors on their side. Once they got that fixed the access started to work without a problem. Thank you for your help.
David
I have a similar issue, wherein I have a remote VPN to a Fortigate 60D and RDP to any server on this Fortigate LAN network is reachable, but when the user tries to RDP to the Azure VM which is tunneled to the Fortigate LAN network it fails. Is there any specific document or solution for doing remote VPN and RDP into a VM on the Azure cloud? Any help in this regard will be really appreciated.
Thanks,
SP
SPappa wrote: [quoting the post above]
I have the same problem!
The ping requests are not going into the tunnel yet. The "not ready yet" message regularly shows up when the first packet tries to reach the other end. That packet might fail, but it would trigger bringing the SA up, and subsequent packets would then be able to use the SA, as in the example below from the KB, for a different topic.
https://kb.fortinet.com/k....do?externalID=FD31403
I suspect ASIC offload is somehow failing. If it were successful, the rest of the trace shouldn't show up. As I mentioned, disable auto-asic-offload on the set of policies as well as on the tunnel config for the site-to-site VPN to see if that's the issue.
In another post someone mentioned an offload problem with 5.6.6 as well. The set-up was completely different though, including policy routes.
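The distinction drawn in this thread, between an "SA is not ready yet, drop" on the first packet only (the SA comes up on demand) and one on every packet (the SA never negotiates, as happened here when the peer's phase2 selectors were missing), is easy to miss when the debug flow output is run together on one line. The following triage helper is an added example, not code from the thread or from Fortinet: it parses the key=value records, groups them by trace_id, and reports which case the capture shows. The sample trace is constructed in the same format as the one posted above.

```python
import re

# Constructed sample in the key=value format of FortiGate 'diagnose debug flow'
# output (modelled on the thread's trace; two traces, both ending in an SA drop).
SAMPLE = (
    'id=20085 trace_id=959 func=print_pkt_detail line=5295 msg="vd-root received a packet'
    '(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=269." '
    'id=20085 trace_id=959 func=fw_forward_handler line=737 msg="Allowed by Policy-8:" '
    'id=20085 trace_id=959 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb" '
    'id=20085 trace_id=959 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop" '
    'id=20085 trace_id=960 func=print_pkt_detail line=5295 msg="vd-root received a packet'
    '(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=270." '
    'id=20085 trace_id=960 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb" '
    'id=20085 trace_id=960 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"'
)

# One debug-flow record; works whether records are newline-separated or run together.
RECORD = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)"')
PKT = re.compile(r'proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')


def parse_flow(text):
    """Group records by trace_id and pull out the fields that matter for triage."""
    traces = {}
    for trace_id, func, msg in RECORD.findall(text):
        t = traces.setdefault(trace_id, {"ingress": None, "policy": None,
                                         "egress": None, "drop": None})
        if func == "print_pkt_detail" and (m := PKT.search(msg)):
            t["proto"], t["src"], t["dst"], t["ingress"] = m.groups()
        elif msg.startswith("Allowed by Policy-"):
            t["policy"] = msg[len("Allowed by Policy-"):].rstrip(":")
        elif msg.startswith("enter IPsec interface-"):
            t["egress"] = msg[len("enter IPsec interface-"):]
        elif msg.endswith("drop"):
            t["drop"] = msg  # e.g. "SA is not ready yet, drop"
    return traces


def sa_verdict(traces):
    """Distinguish a one-off 'SA not ready' on the first packet from an SA that never comes up."""
    ordered = [traces[k] for k in sorted(traces, key=int)]
    drops = [t["drop"] == "SA is not ready yet, drop" for t in ordered]
    if not any(drops):
        return "no SA drops"
    if drops[0] and not any(drops[1:]):
        return "first packet only: SA negotiated on demand, later packets entered the tunnel"
    return "every packet dropped: SA never established; check phase2 selectors on both peers"
```

Paste the raw output of `diagnose debug flow` into `parse_flow` as a single string; the record regex does not care whether the records were split onto separate lines.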