ddemland
New Contributor II

Remote VPN user cannot access Router to Router VPN Servers

 

I am running 5.6.6 on a FortiGate 60D. I have a remote VPN client that connects to the local FortiGate, and the local FortiGate already has a router-to-router connection to our hosted network. When the VPN client tries to reach a host across the router-to-router connection, it gets the following trace:

 

id=20085 trace_id=931 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=356."
id=20085 trace_id=931 func=init_ip_session_common line=5454 msg="allocate a new session-0028d989"
id=20085 trace_id=931 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.40.108.12 via SherWeb"
id=20085 trace_id=931 func=fw_forward_handler line=737 msg="Allowed by Policy-8:"
id=20085 trace_id=931 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=931 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=932 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=357."
id=20085 trace_id=932 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=932 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=932 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=932 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=933 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=358."
id=20085 trace_id=933 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=933 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=933 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=933 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=934 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=359."
id=20085 trace_id=934 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=934 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=934 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=934 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"

I have no idea how to handle this. The "SA not ready" message does not make sense to me, since this tunnel is up all the time. What am I missing to allow the remote VPN user to access the remote systems?

 

Thank You,

 

David Demland

Toshi_Esumi
Esteemed Contributor III

Do your phase2 network selectors include this source IP 10.77.250.102?

ddemland

Yes I have the following:

 

10.77.250.0/255.255.255.0      10.40.108.0/255.255.255.0

 

I also have a couple of other networks in the selectors, but they are for internal users, not remote VPN users.

 

David

Toshi_Esumi
Esteemed Contributor III

Then you have to start debugging with 1) the sniffer, to see how far it gets, then 2) flow debugging, to see why it's dropped. Make sure you disable ASIC offloading on the policies for debugging.

ddemland
New Contributor II

I have done this. The sniffer shows:

 

SparkRouter # diagnose sniffer packet SherWeb 'host 10.40.108.12 and host 10.77.250.101' 4 500
interfaces=[SherWeb]
filters=[host 10.40.108.12 and host 10.77.250.101]
pcap_lookupnet: SherWeb: no IPv4 address assigned
4.211977 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request
9.051125 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request
14.044818 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request
19.052117 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request

And the flow still shows:

 

SparkRouter #
id=20085 trace_id=959 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=269."
id=20085 trace_id=959 func=init_ip_session_common line=5454 msg="allocate a new session-002bddf8"
id=20085 trace_id=959 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.40.108.12 via SherWeb"
id=20085 trace_id=959 func=fw_forward_handler line=737 msg="Allowed by Policy-8:"
id=20085 trace_id=959 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=959 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=960 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=270."
id=20085 trace_id=960 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-002bddf8, original direction"
id=20085 trace_id=960 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_1 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=960 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=960 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=961 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=271."
id=20085 trace_id=961 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-002bddf8, original direction"
id=20085 trace_id=961 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_1 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=961 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=961 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=962 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=272."
id=20085 trace_id=962 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-002bddf8, original direction"
id=20085 trace_id=962 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_1 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=962 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=962 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"

Which still leaves me with the question: what does "SA is not ready yet, drop" mean, and is this the reason the echo reply is not coming back?

 

Thank You,

 

David
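The two debugging steps Toshi describes (sniffer, then flow trace) and the question above about what the trace actually says can both be answered faster if the flow output is reduced per packet instead of read entry by entry. The following script is an added example written for this thread, not code from the original posts or from Fortinet: it parses `diagnose debug flow` output (even when pasted as one long line, as above), rebuilds each packet's path (ingress interface, route, policy, tunnel, drop reason), and maps the "SA is not ready yet, drop" case to the check the thread converged on. The embedded trace is a constructed excerpt of the trace posted above; the capture commands in the docstring are the FortiOS 5.6 flow-debug commands and are assumed to be what produced it.

```python
"""Summarise FortiOS `diagnose debug flow` output per packet.

Added example for this thread, not Fortinet code. The sample below is a
constructed excerpt of the trace posted in the thread; it is assumed to have
been captured on the FortiGate with (FortiOS 5.6 syntax):

    diagnose debug flow filter addr 10.40.108.12
    diagnose debug flow filter proto 1
    diagnose debug flow show function-name enable
    diagnose debug flow show console enable
    diagnose debug enable
    diagnose debug flow trace start 100
"""
import re
from collections import Counter

SAMPLE_TRACE = (
    'id=20085 trace_id=959 func=print_pkt_detail line=5295 msg="vd-root received a packet'
    '(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=269." '
    'id=20085 trace_id=959 func=init_ip_session_common line=5454 msg="allocate a new session-002bddf8" '
    'id=20085 trace_id=959 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.40.108.12 via SherWeb" '
    'id=20085 trace_id=959 func=fw_forward_handler line=737 msg="Allowed by Policy-8:" '
    'id=20085 trace_id=959 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb" '
    'id=20085 trace_id=959 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop" '
    'id=20085 trace_id=960 func=print_pkt_detail line=5295 msg="vd-root received a packet'
    '(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=270." '
    'id=20085 trace_id=960 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-002bddf8, original direction" '
    'id=20085 trace_id=960 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb" '
    'id=20085 trace_id=960 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"'
)

# key=value tokens; a quoted value (the msg) is taken whole so the '=' signs
# inside it (proto=1, id=1) are not mistaken for separate fields.
ENTRY_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# "(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1."
PKT_RE = re.compile(r'\(proto=(\d+), (\S+?):\d+->(\S+?):\d+\) from (\S+?)\.')


def parse_entries(text):
    """Split a trace (flattened or one entry per line) into one dict per entry."""
    entries = []
    # Each entry starts with "id=<n> trace_id=<n>"; split on that boundary.
    for chunk in re.split(r'(?=\bid=\d+ trace_id=\d+\b)', text):
        chunk = chunk.strip()
        if not chunk:
            continue
        fields = {k: v.strip('"') for k, v in ENTRY_RE.findall(chunk)}
        if 'trace_id' in fields:
            entries.append(fields)
    return entries


def summarise_packets(text):
    """Group entries by trace_id (one packet each) and reduce to the forwarding path."""
    packets = {}
    for e in parse_entries(text):
        p = packets.setdefault(e['trace_id'], {
            'proto': None, 'src': None, 'dst': None, 'in_if': None,
            'route_if': None, 'policy': None, 'tunnel': None, 'drop': None})
        func, msg = e.get('func', ''), e.get('msg', '')
        if func == 'print_pkt_detail':
            m = PKT_RE.search(msg)
            if m:
                p['proto'], p['src'], p['dst'], p['in_if'] = m.groups()
        elif func == 'vf_ip4_route_input':
            m = re.search(r'via (\S+)', msg)
            if m:
                p['route_if'] = m.group(1)
        elif func == 'fw_forward_handler':
            m = re.search(r'Allowed by Policy-(\d+)', msg)
            if m:
                p['policy'] = int(m.group(1))
        elif func == 'ipsecdev_hard_start_xmit':
            m = re.search(r'enter IPsec interface-(\S+)', msg)
            if m:
                p['tunnel'] = m.group(1)
        if 'drop' in msg.lower():      # any stage that reports a drop ends the path
            p['drop'] = msg
    return packets


def drop_reasons(packets):
    """Count drop messages across all packets in the trace."""
    return Counter(p['drop'] for p in packets.values() if p['drop'])


def diagnose(packets):
    """Turn the commonest drop into the next check; only the SA case is special-cased."""
    reasons = drop_reasons(packets)
    if not reasons:
        return 'no drops in trace'
    reason, count = reasons.most_common(1)[0]
    if 'SA is not ready' in reason:
        tunnels = sorted({p['tunnel'] for p in packets.values() if p['tunnel']})
        pairs = sorted({(p['src'], p['dst']) for p in packets.values() if p['drop'] == reason})
        return ('%d packet(s) entered tunnel %s but no phase2 SA was up for %s; '
                'if this persists past the first packets, check that both ends\' phase2 '
                'selectors cover these addresses (diagnose vpn tunnel list name %s)'
                % (count, ','.join(tunnels), ', '.join('%s->%s' % pr for pr in pairs),
                   ','.join(tunnels)))
    return '%d packet(s) dropped: %s' % (count, reason)


if __name__ == '__main__':
    pk = summarise_packets(SAMPLE_TRACE)
    for tid, p in pk.items():
        print(tid, p)
    print(diagnose(pk))
```

Run against the trace above, every packet shows the same path (in via SparkVPN_1, routed and policy-8 allowed to SherWeb, dropped at `ipsec_common_output4`), so the firewall side is fine and the problem is that no phase2 SA exists for the 10.77.250.x to 10.40.108.x pair. `diagnose vpn tunnel list name SherWeb` on the FortiGate lists the selector pairs that actually have an SA, which is the quickest way to see whether the far end negotiated that pair at all.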

ddemland
New Contributor II

The actual problem was that my hosting company had not set the selectors on their side. Once they fixed that, access started to work without a problem. Thank you for your help.

 

David

SPappa

I have a similar issue: I have a remote VPN to a FortiGate 60D, and RDP to any server on the FortiGate LAN network is reachable, but when the user tries to RDP to the Azure VM that is tunneled to the FortiGate LAN network it fails. Is there any specific document or solution for doing remote VPN and RDP into a VM in the Azure cloud? Any help in this regard will be really appreciated.

 

Thanks,

SP

tony85
New Contributor

SPappa wrote:

I have a similar issue: I have a remote VPN to a FortiGate 60D, and RDP to any server on the FortiGate LAN network is reachable, but when the user tries to RDP to the Azure VM that is tunneled to the FortiGate LAN network it fails. Is there any specific document or solution for doing remote VPN and RDP into a VM in the Azure cloud? Any help in this regard will be really appreciated.

Thanks,

SP

I have the same problem!

Toshi_Esumi
Esteemed Contributor III

The ping requests are not going into the tunnel yet. The "not ready yet" message regularly shows when the first packet tries to reach the other end. That packet might fail, but it triggers bringing the SA up, and subsequent packets are then able to use the SA, as in the example below at the KB for a different topic.

  https://kb.fortinet.com/k....do?externalID=FD31403

I suspect ASIC offload is somehow failing. If it were successful, the rest of the trace shouldn't show up. As I mentioned, disable auto-asic-offload on the set of policies as well as in the tunnel config for the site-to-site VPN to see if that's the issue.

In another post someone mentioned an offload problem with 5.6.6 as well. The setup was completely different though, including policy routes.

 
