Model number: 100D (x2 in HA cluster)
Firmware: v5.2.9,build736
Issue:
We have a site to site IPSec tunnel to our customer created using the the wizard and a "Site to Site - Fortigate" template (the other end is a Fortigate 90d running v5.4.1,build1064).
The customer site has two networks:
10.14.48.0/24 - for computers
10.14.50.0/24 - for VOIP phones
Our end:
vlan internal network (number 12) with a PBX server
There are rules in place for VOIP traffic and the SIP helper is disabled on the 100D (system wide) - VOIP works fine over the tunnel to the PBX server on vlan12. Now I have configured rules on both ends so that the computer network is able to talk to the PBX server on vlan12 using the TCP port 5038.
My issue is that the traffic exits the customer Fortigate (comes in on the internal network and goes out the tunnel interface) and arrives at our Fortigate on the tunnel interface, however it does NOT get forwarded to the vlan12 interface where the PBX server is located. Again, the VOIP traffic from the phone network DOES get forwarded to the vlan12 interface.
I have attached a screenshot from the UI showing the problematic policy I have and an example of the exact same working policy with different ports .
Here (since I can't attach more than one image) are all the screenshots with an example of a working policy and the problematic policy, where the difference is only the ports (services) There are also screenshots of packet capture from the customer Fortigate and our Fortigate showing the traffic flow.
Any help would be appreciated.
~levi
Hi Levi,
is it possible for you to run 'debug policy' at your end firewall (to check the flow of traffic from customer)
you can filter it with src & dst ip address / port
for the voip traffic to pbx server (your site), i would recommend you to check the routing (reachability )
Thanks for the reply.
Are you referring to the 'diagnose debug flow' set of commands?
There is nothing to text for the VOIP traffic - that works fine. Sorry if I explained poorly - i wrote the post at the end of a long work day ^_^.
~levi
Show the CLI output of the custom VoIP service on the remote FGT.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
This is the customer site service:
and this from our fortigate :
Thanks for the reply!
rohitbhas.22 wrote:Hi Levi,
is it possible for you to run 'debug policy' at your end firewall (to check the flow of traffic from customer)
you can filter it with src & dst ip address / port
for the voip traffic to pbx server (your site), i would recommend you to check the routing (reachability )
I've run the debug and here is the output:
Not sure what "policy 0" is. Sounds like it is simply denied due to lack of an allow policy 0.o
Same thing happens for the HTTP traffic!
Another major point that yesterday we just upgraded the 100D Forti by us to 5.6.5!
Here is the new policy screenshot. No idea why there is a "Proxy" option now. Maybe its bundled with the VOIP one...
~levi
I solved the issue : the source object (computer-network) was set with /32 and not /24 network........
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.