Hi all
I have this problem:
I have 2 VPN tunnels on one FortiGate; the external interface is wan1 for both.
vpn1 --- interface --- wan1
vpn2 --- interface --- wan2
Both VPNs are working and I can reach a VM on both sides from the LAN interface.
lan ---- vpn1 ----- ok, working. vm1 ping
lan ---- vpn2 ----- ok, working. vm2 ping
Now I have a VM on both VPN ends and I need to connect vm1 to vm2.
vm1 pings the FortiGate LAN interface
vm2 pings the FortiGate LAN interface
I cannot ping vm1 from vm2 and vice versa.
I have set up routing and firewall policies; maybe I am missing something.
Please help
Thanks
On the FortiGate on-prem:
0.195505 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
0.195534 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request >> the traffic is leaving out of the tunnel interface
But the same ICMP request is not being received on the Azure FGT end.
Can you verify the quick mode selector is correct?
It could potentially be ESP blocked on the ISP side.
There are three things to check at all three parties: 1) routing, 2) policies, and 3) phase 2 network selectors. Are you sure the selectors on both VPNs include [vm1 subnet]<->[vm2 subnet]?
Also, both VM sides need to know the routing into the tunnel to get to the other VM.
Toshi
Hi @aresblade ,
Always run the debug flow commands first to tell why the packets are being dropped.
Please check this KB article and try the steps in the Debug Flow section:
Hi aresblade,
Collect the pcap on both firewalls:
diag sniff packet any 'host x.x.x.x and y.y.y.y and icmp' 4 0 l >> where x and y are the src and dst IPs
Verify if the subnets are allowed in the quick mode selectors.
Hi, thank you all for the tips. After some troubleshooting, I have found this:
Traffic from the VM in Azure is going through the FortiGate firewall on Azure: I see the IP coming in on port2 and going out to the VPN tunnel interface, but no reply, so the out from Azure works.
On the GCP side, I see on the on-prem FortiGate where the GCP tunnel is connected that the GCP VM IP comes in and goes out to the Azure VPN tunnel, but no reply.
Both VMs can ping the on-prem FortiGate on the LAN interface. I have all the routing on both sides (GCP and Azure):
On the on-prem FortiGate I have a route to GCP through the GCP tunnel, and a route to Azure through the Azure VPN tunnel.
GCP has a route to Azure.
Azure has a route to GCP.
I think the problem is on the on-prem FortiGate, which needs to route between the two VPN tunnels.
Ping from GCP to Azure is logged on the on-prem FortiGate;
I see it in and out, but ping from Azure to GCP is not logged on-prem, only on the FortiGate in Azure.
I'm stuck, I don't know where to look to troubleshoot.
Hi aresblade,
If you can run the packet capture simultaneously on both FGTs while initiating the ping, it can give some insightful output.
Hi @aresblade ,
Please run the debug flow commands on the FGT. The outputs will tell you why the packets are dropped/denied.
This is the log from the on-prem FortiGate.
The ping is from the GCP VM to the Azure VM.
GCP IP is 10.20.0.2
Azure IP is 172.16.4.
FortiHome # diagnose sniffer packet any "(host 172.16.4.4 and host 10.20.0.2) and icmp" 4
interfaces=[any]
filters=[(host 172.16.4.4 and host 10.20.0.2) and icmp]
0.195505 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
0.195534 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request
5.204783 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
5.204818 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request
10.196411 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
10.196438 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request
6 packets received by filter
0 packets dropped by kernel
FortiHome #
This is the log on the Azure FortiGate.
I ping from the Azure VM to the GCP VM.
fortigate-FGT # diagnose sniffer packet any "(host 172.16.4.4 and host 10.20.0.2) and icmp" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[(host 172.16.4.4 and host 10.20.0.2) and icmp]
3.818607 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
3.818624 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
8.806086 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
8.806103 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
13.816910 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
13.816927 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
18.826174 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
18.826190 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
23.822916 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
23.822933 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
28.824937 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
28.824953 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
^C
12 packets received by filter
0 packets dropped by kernel
fortigate-FGT #
As you can see, the ping (ICMP request) packets come into this FGT via port2, not via AzureFGT (VPN tunnel interface?). There seem to be two parallel paths between this FGT and the Azure FGT.
Also, the same issue is seen on the other side: two paths, with gcplab and HemlabFGT (VPN tunnel interface?).
Toshi
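As an added example (not from the thread or from Fortinet), here is a small Python script that parses the `diagnose sniffer packet ... 4` output posted above from both FortiGates and reports echo requests that left one box through its tunnel interface but were never seen entering the other box; this is the check the replies above do by eye. The tunnel interface names AzureFGT and HemlabFGT and the two sample lines per side are taken from the captures in the thread.

```python
import re
from collections import defaultdict

# One line of 'diagnose sniffer packet <iface> "<filter>" 4' output looks like:
#   <time> <iface> <in|out> <src> -> <dst>: icmp: echo <request|reply>
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)$"
)

def parse_capture(text):
    """Return the ICMP echo lines of a capture as dicts; banner/summary lines are ignored."""
    matches = (LINE_RE.match(ln.strip()) for ln in text.splitlines())
    return [m.groupdict() for m in matches if m]

def hops_by_flow(pkts):
    """(src, dst, kind) -> ordered, de-duplicated list of (iface, dir) hops seen on one FGT."""
    hops = defaultdict(list)
    for p in pkts:
        key, hop = (p["src"], p["dst"], p["kind"]), (p["iface"], p["dir"])
        if hop not in hops[key]:
            hops[key].append(hop)
    return hops

def find_lost_requests(local_pkts, remote_pkts, local_tunnel):
    """Echo requests that left the local FGT via local_tunnel but never appeared as
    'in' on any interface of the remote FGT. Returns a list of (src, dst) pairs."""
    local, remote = hops_by_flow(local_pkts), hops_by_flow(remote_pkts)
    lost = []
    for (src, dst, kind), hops in local.items():
        if kind != "request" or (local_tunnel, "out") not in hops:
            continue
        if not any(d == "in" for _, d in remote.get((src, dst, "request"), [])):
            lost.append((src, dst))
    return lost

# Sample input: one request per side, copied from the captures posted in the thread.
ONPREM = """\
0.195505 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
0.195534 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request
"""
AZURE = """\
3.818607 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
3.818624 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
"""

if __name__ == "__main__":
    # AzureFGT is the on-prem end of the Azure tunnel; HemlabFGT is the Azure end of it.
    print("left on-prem via AzureFGT, never seen on Azure:",
          find_lost_requests(parse_capture(ONPREM), parse_capture(AZURE), "AzureFGT"))
    print("left Azure via HemlabFGT, never seen on-prem:",
          find_lost_requests(parse_capture(AZURE), parse_capture(ONPREM), "HemlabFGT"))
```

A non-empty result in both directions, as here, points at the tunnel itself (phase 2 selectors or ESP being dropped in transit) rather than at routing or policy on either LAN side.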