Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
leviu
New Contributor

[SOLVED] Packets for port 5038 go through S2S tunnel but don't get routed localy

Model number: 100D (x2 in HA cluster)

Firmware: v5.2.9,build736

Issue:

We have a site to site IPSec tunnel to our customer created using the the wizard and a "Site to Site - Fortigate" template (the other end is a Fortigate 90d running v5.4.1,build1064).

 

The customer site has two networks:

10.14.48.0/24 - for computers

10.14.50.0/24 - for VOIP phones

 

Our end:

vlan internal network (number 12) with a PBX server

 

There are rules in place for VOIP traffic and the SIP helper is disabled on the 100D (system wide) - VOIP works fine over the tunnel to the PBX server on vlan12. Now I have configured rules on both ends so that the computer network is able to talk to the PBX server on vlan12 using the TCP port 5038.

 

My issue is that the traffic exits the customer Fortigate (comes in on the internal network and goes out the tunnel interface) and arrives at our Fortigate on the tunnel interface, however it does NOT get forwarded to the vlan12 interface where the PBX server is located. Again, the VOIP traffic from the phone network DOES get forwarded to the vlan12 interface.

 

I have attached a screenshot from the UI  showing the problematic policy I have and an example of the exact same working policy with different ports .

Here (since I can't attach more than one image) are all the screenshots with an example of a working policy and the problematic policy, where the difference is only the ports (services) There are also screenshots of packet capture from the customer Fortigate and our Fortigate showing the traffic flow.

 

Any help would be appreciated.

~levi

 

6 REPLIES 6
rohitbhas_22
New Contributor

Hi Levi,

 

is it possible for you to run 'debug policy' at your end firewall (to check the flow of traffic from customer)

you can filter it with src & dst ip address / port

 

for the voip traffic to pbx server (your site), i would recommend you to check the routing (reachability )

leviu

Thanks for the reply.

 

Are you referring to the 'diagnose debug flow' set of commands?

 

There is nothing to text for the VOIP traffic - that works fine. Sorry if I explained poorly - i wrote the post at the end of a long work day ^_^.

 

~levi

rwpatterson
Valued Contributor III

Show the CLI output of the custom VoIP service on the remote FGT.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
leviu
New Contributor

This is the customer site service:

and this from our fortigate :

 

Thanks for the reply!

leviu

rohitbhas.22 wrote:

Hi Levi,

 

is it possible for you to run 'debug policy' at your end firewall (to check the flow of traffic from customer)

you can filter it with src & dst ip address / port

 

for the voip traffic to pbx server (your site), i would recommend you to check the routing (reachability )

 

I've run the debug and here is the output:

Not sure what "policy 0" is. Sounds like it is simply denied due to lack of an allow policy 0.o

Same thing happens for the HTTP traffic!

 

 

Another major point that yesterday we just upgraded the 100D Forti by us to 5.6.5!

Here is the new policy screenshot. No idea why there is a "Proxy" option now. Maybe its bundled with the VOIP one...

~levi

leviu
New Contributor

I solved the issue : the source object (computer-network) was set with /32 and not /24 network........

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors