Hello,
I need help solving a routing problem.
HQ and Brand Fortigate FW are connected via VPN IPsec Site to Site, everything is working fine, we can ping and have access from servers and ressources LAN to LAN from both side.
I created a static route from Brand's LAN 10.0.151.0/24 to HQ's router 10.0.78.253 on Firewall Arkoon.
We host a SaaS solution with a service provider and this one to authorize the different lan to connect to the solution (France agencies + UK agency)
On our Arkoon Firewall, we have authorized the different LANs that must have access to the LAN of the SaaS solution, 192.168.100.0/24.
This works very well for all the agencies in France, except for the UK LAN with 10.0.151.0/24 addressing.
When i do tracert cmd from a computer brand's LAN 10.0.151.109, I can ping 10.0.78.253 and 10.0.78.254.
But, when I try ping or tracert with 192.168.100.20 it cannot found a route and it fails at first jump after 10.0.151.254.
Thank you in advance.
You can find on my screenshoot : Fortigate FW UK - static routes, ipv4 rules and topology network.
Regards,
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi David.
It looks like you will need an additional Phase 2 configuring on the Branch FortiGate, to allow 10.0.151.0/24 (local) to have a tunnel to 192.168.100.0/24 (remote), with the opposite configured on the HQ FortiGate.
Regards,
Phil
Does the 192.168.100.0/24 network have a route back to the 10.0.151.0/24 network?
Routing is usually very simple. The source must have a route to the destination and the destination must have a route back to the source. Then in between policies that allow the traffic to pass.
Sorry for the late answer, yes the 192.168.100.0/24 network have a route back to 10.0.151.0/24 network.
For IPv4 rules, we have allowed all traffic on both sides, between source and destination.
You can confirm the routes are in place by running the following commands on Fortigate
"get router info routing-table all" - this will show the full routing table
Then you can check route used for say 192.168.100.0/24
"get router info routing-table details 192.168.100.0"
This will tell you where the fortigate is learning the route from and where it is sending the traffic to get to it.
If the above is all fine, then you will need to debug the traffic.
From an SSH session on the Fortigate enter
diagnose debug reset diagnose debug disable diagnose debug enable diagnose debug console timestamp enabled diagnose debug flow show fun en diagnose debug flow filter clear diagnose debug flow filter addr 192.168.100.x diagnose debug flow filter addr 10.0.151.x diagnose debug flow trace start 100
Run a ping between the hosts and check the debug output
When finished debugging make sure you run the following commands to turn off debug mode
diagnose debug reset diagnose debug disable
Ok, thanks for all commands for fortigate CLI. I'll make the necessary arrangements and debug, I'll keep you posted.
Thank you,
What have you set as Proxy ID in Phase 2 configuration of VPN sites, specific networks or 0.0.0.0 ?
Hi David.
It looks like you will need an additional Phase 2 configuring on the Branch FortiGate, to allow 10.0.151.0/24 (local) to have a tunnel to 192.168.100.0/24 (remote), with the opposite configured on the HQ FortiGate.
Regards,
Phil
Can you post a simple diagram of your topology? I was having a similar issue and I may be able to help, but I need to see what your topology looks like. From your description, I think I am missing a piece of the topology.
A diagram would be helpful.
I believe Phil is correct. This is exactly what I had to do. I was also going to suggest this, however I wanted to see a diagram of your topology first.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.