Hello all,
I've got a VPN site to site.
I had policies to join another network, VPN is up, everything seems to be ok and i can RDP a remote PC.
But ping doeens't work.
In debug, i see that only on "start" router, nothing on remote router. tracert show me that ping does not pass through ipsec...
log tracert
id=20085 trace_id=91 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=17, 10.0.5.71:137->200.200.4.12:137) from port1. "
id=20085 trace_id=91 func=init_ip_session_common line=4517 msg="allocate a new session-005e8fd0"
id=20085 trace_id=91 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-XX.XX.XX.XX via wan1"
id=20085 trace_id=91 func=fw_forward_handler line=554 msg="Denied by forward policy check (policy 0)"
log ping
id=20085 trace_id=122 func=print_pkt_detail line=4368 msg="vd-root received a packet(proto=1, 10.0.5.151:1->200.200.4.12:8) from port1. code=8, type=0, id=1, seq=539."
id=20085 trace_id=122 func=resolve_ip_tuple_fast line=4427 msg="Find an existing session, id-005eef10, original direction"
id=20085 trace_id=122 func=ipv4_fast_cb line=50 msg="enter fast path"
id=20085 trace_id=122 func=ip_session_run_all_tuple line=5489 msg="SNAT 10.0.5.151->XX.XX.XX.XX:62464"
I'm missing something but what?
Thank you.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
are you certain ICMP is allowed in the policy? If you have all in the policy try adding TCP/UDP/ICMP and see what happens.
FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5 | Fortimail 5.3.11 Network+, Security+
Paul S wrote:Thank you for your answer.are you certain ICMP is allowed in the policy? If you have all in the policy try adding TCP/UDP/ICMP and see what happens.
Yes ICMP is allowed, i've allowed PING service which ICMP type 8 protocol.
I don't have a TCP/UDP/ICMP but i have TCP/UDP/SCTP.
Note : Start router is a forti 100D and remote is a 30D.
Ping is ok for other remote network but not on network that i've added.
can you run diag sniffer packet on the remote site ?
if the debug above is from the sending FW, its going out.
//Chura CCIE, NSE7, CCSE+
Chura wrote:can you run diag sniffer packet on the remote site ?
if the debug above is from the sending FW, its going out.
I launched this command but do not see any icmp protocol for the remote network.
When i run a tracert, it do not go through vpn, it's going out there and lost.
I have retest rdp and it's working well.
80/443 is also working.
tracert is being denied, so you won't see it go anywhere.
Please run diag sniffer packet any 'icmp'
you maybe missing the ICMP becuase its being NAT Translated.
P.S, why do you NAT between VPN networks ? its no the best practice.
Unless its a must due to network design, I highly recommend disabling this and add the relevant routing.
//Chura CCIE, NSE7, CCSE+
Chura wrote:tracert is being denied, so you won't see it go anywhere.
Please run diag sniffer packet any 'icmp'
you maybe missing the ICMP becuase its being NAT Translated.
P.S, why do you NAT between VPN networks ? its no the best practice.
Unless its a must due to network design, I highly recommend disabling this and add the relevant routing.
Thanks, i can see echo request from source router but nothing on remote router.
I did not configured NAT between vpn it's our IT provider. Where can you see that nat is configured?
I'm not an expert with Fortinet ^^
On all other vpn networks it work. I will ask our provider why he have configured nat on VPN. i can't change it.
id=20085 trace_id=122 func=ip_session_run_all_tuple line=5489 msg="SNAT 10.0.5.151->XX.XX.XX.XX:62464"
//Chura CCIE, NSE7, CCSE+
FWIW; if the pings and traceroute are from the vpn-firewall, you may need to source then to use the VPN ipsec-tunnel
use the following;
execute ping-options source
the pings are probably going out the public interface of the WAN and not over the ipsec-path. If you used a ipsec-tunnel interface ( phase1-interface ) than you can dump on the tunnelname in your diagnostic sniffer packet <insert tunnel name> "icmp"
To double check. I hope this helps
Ken
PCNSE
NSE
StrongSwan
emnoc wrote:FWIW; if the pings and traceroute are from the vpn-firewall, you may need to source then to use the VPN ipsec-tunnel
use the following;
execute ping-options source
the pings are probably going out the public interface of the WAN and not over the ipsec-path. If you used a ipsec-tunnel interface ( phase1-interface ) than you can dump on the tunnelname in your diagnostic sniffer packet <insert tunnel name> "icmp"
To double check. I hope this helps
Ken
Hello,
Command execute ping-options source made nothing.
i already have executed sniffer packet. From source, i can see icmp request. On the remote nothing.
And yes, when i do a tracert to see where ping is going, it does not pass through vpn.. and RDP is ok.. It's very strange.
Note that i can ping machines on antoher network via the same VPN. I don't know if the problem comes from policy or from vpn.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1660 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.