Support Forum
aresblade
New Contributor

Routing between vpn tunnels

Hi all

 

I have this problem

 

I have 2 VPN tunnels on one FortiGate; the external interface is wan1 for both.

 

vpn1 --- interface ---wan1

vpn2----interface-----wan2

 

Both VPNs are working and I can reach a VM on both sides from the LAN interface.

 

lan ---- vpn1 ---- ok, working (vm1 ping)

lan ---- vpn2 ---- ok, working (vm2 ping)

 

Now I have a VM on each VPN end and I need to connect vm1 to vm2.

vm1 can ping the FortiGate LAN interface.

vm2 can ping the FortiGate LAN interface.

 

I cannot ping vm1 from vm2 and vice versa.

I have set up routing and firewall policies; maybe I am missing something.

 

Please help.

Thanks

1 Solution
sjoshi

On the on-prem FortiGate:

0.195505 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
0.195534 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request >> the traffic is leaving out of the tunnel interface

But the same ICMP request is not being received on the Azure FGT end.

Can you verify that the quick mode selectors are correct?
It could potentially be ESP being blocked on the ISP side.

Let us know if this helps.
Salon Raj Joshi

Toshi_Esumi
SuperUser

There are three things to check at all three parties. 1) routing, 2) policies, and 3) phase2 network selectors. Are you sure the selectors on both VPNs include [vm1 subnet]<->[vm2 subnet]?

Also, both VM sides need to know the route into the tunnel to get to the other VM.

 

Toshi

dingjerry_FTNT

Hi @aresblade ,

 

Always run the debug flow commands first to tell why the packets were being dropped.

 

Please check this KB article and try the steps in the Debug Flow section:

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

 

Regards,

Jerry
sjoshi
Staff

Hi aresblade,

 

Collect the pcap on both firewalls:

diag sniff packet any 'host x.x.x.x and y.y.y.y and icmp' 4 0 l >> where x and y are the src and dst IPs

Verify that the subnets are allowed in the quick mode selectors.

Let us know if this helps.
Salon Raj Joshi
aresblade
New Contributor

Hi, thank you all for the tips. After some troubleshooting, I have found this:

Traffic from the VM in Azure is going through the FortiGate firewall in Azure: I see the IP coming in on port2 and going out to the VPN tunnel interface, but no reply, so the outbound side from Azure works.

On the GCP side, on the on-prem FortiGate where the GCP tunnel is connected, I see the GCP VM IP come in and go out to the Azure VPN tunnel, but no reply.

Both VMs can ping the on-prem FortiGate on the LAN interface; I have all the routing on both sides, GCP

 

On the on-prem FortiGate I have a route to GCP through the GCP tunnel, and a route to Azure through the Azure VPN tunnel.

GCP has a route to Azure.

Azure has a route to GCP.

 

I think the problem is on the on-prem FortiGate, which needs to route between the two VPN tunnels.

 

Ping from GCP to Azure is logged on the on-prem FortiGate;

I see it in and out, but ping from Azure to GCP is not logged on-prem, only on the FortiGate in Azure.

I'm stuck; I don't know where to look to troubleshoot.

 

 

sjoshi

Hi aresblade,

 

If you can run the packet capture simultaneously on both FGTs while initiating the ping, it can give some insightful output.

Let us know if this helps.
Salon Raj Joshi
dingjerry_FTNT

Hi @aresblade ,

 

Please run the debug flow commands on FGT.  The outputs will tell you why the packets are dropped/denied.

Regards,

Jerry
aresblade
New Contributor

This is the log from the on-prem FortiGate.

The ping is from the GCP VM to the Azure VM.

GCP IP is 10.20.0.2

Azure IP is 172.16.4.

FortiHome # diagnose sniffer packet any "(host 172.16.4.4 and host 10.20.0.2) and icmp" 4
interfaces=[any]
filters=[(host 172.16.4.4 and host 10.20.0.2) and icmp]
0.195505 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
0.195534 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request
5.204783 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
5.204818 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request
10.196411 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
10.196438 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request

6 packets received by filter
0 packets dropped by kernel

FortiHome #

This is the log on the Azure FortiGate; here I ping from the Azure VM to the GCP VM.

fortigate-FGT # diagnose sniffer packet any "(host 172.16.4.4 and host 10.20.0.2) and icmp" 4
Using Original Sniffing Mode
interfaces=[any]
filters=[(host 172.16.4.4 and host 10.20.0.2) and icmp]
3.818607 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
3.818624 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
8.806086 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
8.806103 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
13.816910 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
13.816927 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
18.826174 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
18.826190 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
23.822916 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
23.822933 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
28.824937 port2 in 172.16.4.4 -> 10.20.0.2: icmp: echo request
28.824953 HemlabFGT out 172.16.4.4 -> 10.20.0.2: icmp: echo request
^C
12 packets received by filter
0 packets dropped by kernel

fortigate-FGT #

 

 
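An added example, not code from any poster in this thread: a small Python script that parses verbosity-4 `diagnose sniffer packet` lines like the captures above and reports, per source/destination pair, which interfaces the echo requests entered and left on and whether any echo reply was ever seen on the box. That "requests leave the tunnel, nothing comes back" pattern is the one-way symptom being chased here. The line format (timestamp, interface, in/out, addresses, icmp kind) is assumed from the verbosity-4 output shown in the thread; the embedded sample is copied from the on-prem capture.

```python
import re
from collections import defaultdict

# One line of `diagnose sniffer packet any "..." 4` output; verbosity 4
# prefixes each packet with the interface name and in/out direction.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)

# Sample input: the on-prem FortiGate capture quoted in this thread (shortened).
ONPREM_CAPTURE = """\
interfaces=[any]
filters=[(host 172.16.4.4 and host 10.20.0.2) and icmp]
0.195505 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
0.195534 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request
5.204783 gcplab in 10.20.0.2 -> 172.16.4.4: icmp: echo request
5.204818 AzureFGT out 10.20.0.2 -> 172.16.4.4: icmp: echo request
6 packets received by filter
"""

def parse_sniffer(text):
    """Return one dict per ICMP echo line; headers, prompts and counters are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def diagnose(records):
    """Per src->dst pair: requests entering the box, the interfaces they used, and replies.

    Requests are counted once, on their 'in' hop; reply lines are counted in either
    direction, since any reply at all disproves a one-way path on this FortiGate."""
    flows = defaultdict(lambda: {"requests": 0, "replies": 0, "in": set(), "out": set()})
    for r in records:
        if r["kind"] == "request":
            f = flows[(r["src"], r["dst"])]
            f["requests"] += r["dir"] == "in"
            f[r["dir"]].add(r["iface"])
        else:  # a reply belongs to the pair whose request it answers
            flows[(r["dst"], r["src"])]["replies"] += 1
    return {
        f"{src}->{dst}": {"requests": f["requests"], "replies": f["replies"],
                          "in": sorted(f["in"]), "out": sorted(f["out"]),
                          "one_way": f["replies"] == 0}
        for (src, dst), f in flows.items() if f["requests"]
    }

if __name__ == "__main__":
    for flow, f in diagnose(parse_sniffer(ONPREM_CAPTURE)).items():
        state = "ONE-WAY, no echo reply seen" if f["one_way"] else "bidirectional"
        print(f"{flow}: {f['requests']} requests in via {f['in']}, out via {f['out']}; "
              f"{f['replies']} reply lines -> {state}")
```

A one-way verdict on the sending FortiGate only says the request left; the same script run on the far side's capture shows whether it ever arrived, which separates a selector or ESP-path problem from a return-route problem.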

Toshi_Esumi

As you can see, the ping (icmp request) packets come in to this FGT via port2, not via AzureFGT (VPN tunnel interface?). There seem to be two parallel paths between this FGT and Azure FGT.
Also the same issue is seen on the other side. Two paths with gcplab and HemlabFGT(VPN tunnel interface?).

Toshi
