Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSOAR
- FortiSIEM
- FortiSwitch
- FortiTester
- FortiVoice
- FortiToken
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- SSL VPN Portal not getting traffic across IPSEC VP...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL VPN Portal not getting traffic across IPSEC VPN after updating to v7.0.3
Hi everyone.
What I want to do is access some resources across the IPSEC vpn terminated on the fortigate via the SSL Portal on that same fortigate. I can't ping the resources from that fortigate and I think it's to do with the originating address and routing, but the Pool previously sorted it!
In v6.4.5 I had a rule for the IP traffic from the SSL Portal that used an IP Pool which meant that the traffic could get across the IPSEC VPNs terminated on the firewall with ease. In 7.0.3 this has stopped working.
Any ideas?
Jon
Labels:
- Labels:
-
FortiGate
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Jon,
To analyze the traffic behavior, I propose running the traffic flow debug and sniffers on both firewalls. (Because SNAT is involved, it is preferable to gather logs for the same destination IP address on both firewalls.)
Note: Run the below commands and then initiate Ping towards destination.
Traffic Flow Debug Commands:
diagnose debug reset
diagnose debug disable
diagnose debug console timestamp enable
diagnose debug flow show fun en
diagnose debug flow filter clear
diagnose debug flow filter addr x.x.x.x -->Destination IP address
diagnose debug flow filter proto 1
diagnose debug flow trace start 1000
diagnose debug enable
After ping fails, disable the logs by executing
diagnose debug disable
Sniffer Commands:
# diagnose sniffer packet any "host x.x.x.x and icmp" 4 0 a
Replace x.x.x.x with destination IP address.
Akilesh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've now noticed it on other Portals. It's where the SSL portal traffic is directed through an IPSEC VPN also terminated on the same box. There is an IP Pool on the rule (on the same interface IP range as the production network) which managed to get around it pre v7.
Will do that debug and post it :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FGT_601E_FW1 # exec ping 172.16.11.1
2022-01-12 12:53:51 id=20085 trace_id=1 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 192.168.243.254:2560->172.16.11.1:2048) from local. type=8, code=0, id=2560, seq=0."
2022-01-12 12:53:51 id=20085 trace_id=1 func=init_ip_session_common line=5955 msg="allocate a new session-0109afc0"
2022-01-12 12:53:51 id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=625 msg="enter IPSec interface CrawleyIPSEC"
2022-01-12 12:53:51 id=20085 trace_id=1 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel CrawleyIPSEC"
2022-01-12 12:53:51 id=20085 trace_id=1 func=ipsec_common_output4 line=792 msg="No matching IPsec selector, drop"
2022-01-12 12:53:52 id=20085 trace_id=2 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 192.168.243.254:2560->172.16.11.1:2048) from local. type=8, code=0, id=2560, seq=1."
2022-01-12 12:53:52 id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5864 msg="Find an existing session, id-0109afc0, original direction"
2022-01-12 12:53:52 id=20085 trace_id=2 func=ipsecdev_hard_start_xmit line=625 msg="enter IPSec interface CrawleyIPSEC"
2022-01-12 12:53:52 id=20085 trace_id=2 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel CrawleyIPSEC"
2022-01-12 12:53:52 id=20085 trace_id=2 func=ipsec_common_output4 line=792 msg="No matching IPsec selector, drop"
2022-01-12 12:53:53 id=20085 trace_id=3 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 192.168.243.254:2560->172.16.11.1:2048) from local. type=8, code=0, id=2560, seq=2."
2022-01-12 12:53:53 id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5864 msg="Find an existing session, id-0109afc0, original direction"
2022-01-12 12:53:53 id=20085 trace_id=3 func=ipsecdev_hard_start_xmit line=625 msg="enter IPSec interface CrawleyIPSEC"
2022-01-12 12:53:53 id=20085 trace_id=3 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel CrawleyIPSEC"
2022-01-12 12:53:53 id=20085 trace_id=3 func=ipsec_common_output4 line=792 msg="No matching IPsec selector, drop"
2022-01-12 12:53:54 id=20085 trace_id=4 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 192.168.243.254:2560->172.16.11.1:2048) from local. type=8, code=0, id=2560, seq=3."
2022-01-12 12:53:54 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5864 msg="Find an existing session, id-0109afc0, original direction"
2022-01-12 12:53:54 id=20085 trace_id=4 func=ipsecdev_hard_start_xmit line=625 msg="enter IPSec interface CrawleyIPSEC"
2022-01-12 12:53:54 id=20085 trace_id=4 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel CrawleyIPSEC"
2022-01-12 12:53:54 id=20085 trace_id=4 func=ipsec_common_output4 line=792 msg="No matching IPsec selector, drop"
2022-01-12 12:53:55 id=20085 trace_id=5 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 192.168.243.254:2560->172.16.11.1:2048) from local. type=8, code=0, id=2560, seq=4."
2022-01-12 12:53:55 id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5864 msg="Find an existing session, id-0109afc0, original direction"
2022-01-12 12:53:55 id=20085 trace_id=5 func=ipsecdev_hard_start_xmit line=625 msg="enter IPSec interface CrawleyIPSEC"
2022-01-12 12:53:55 id=20085 trace_id=5 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel CrawleyIPSEC"
2022-01-12 12:53:55 id=20085 trace_id=5 func=ipsec_common_output4 line=792 msg="No matching IPsec selector, drop"
PING 172.16.11.1 (172.16.11.1): 56 data bytes
--- 172.16.11.1 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FGT_601E_FW1 # diagnose debug disable
NOTE: I can ping this device from the 10.x network without issue.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Jond,
per the debug, the traffic doesn't match into the VPN P2 selectors for some reason:
2022-01-12 12:53:55 id=20085 trace_id=5 func=ipsec_common_output4 line=792 msg="No matching IPsec selector, drop"
FortiGate is trying to send the traffic into VPN CrawleyIPSEC.
Check the following:
- what policy do you have from SSLVPN (ssl.root) to CrawleyIPSEC?
- what NATing is configured on that policy?
- Is the IP pool intended for NATing included in P2 selectors for the IPSec tunnel on both sides?
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Created on 01-12-2022 08:25 AM Edited on 01-12-2022 08:27 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Debbie,
I have a normal policy which had a NAT Pool of addresses within the production network which is within one of the P2 selectors (10.x.x.x/8)
Incoming: ssl.root
Outgoing: CrawleyIPSEC
Source: all
Destination: The hosts
NAT: on
Pool: Use Dynamic (pool: 10.212.135.1 - 10.212.135.254) (P2 selector 10.x.x.x/8)
Main oddity is that... it was working fine yesterday on 6.4.5, today on 7.0.3 it doesn't! :)
I do get a feeling that it might be where the IPSEC connection is address-less... but do you think so?
Cheers
Jon
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Jon,
from the config snippets, I don't see an issue - but it doesn't change the fact that debug reported "no matching selectors". Perhaps that particular phase2 is not up, but other phase2 are functional?
Other than that, I wouldn't really know what else to check, IPSec is not my main focus in FortiGate, my apologies - you might want to consider open a ticket with FortiGate technical support to get a VPN specialist on your case.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah, you mentioned that you can ping from an IP in the 10.x.x.x/8 range above, sorry, I overlooked that.
Then it's probably not a phase2 issue, if the ping works, and I'm completely stumped, apologies.
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem Debbie
I have a strong feeling that this is to do with self-originating traffic and IPSEC interface IP addresses and will try and pursue that :)
This is a capture of a ping from the firewall across the VPN:
You can see the IP address is particularly wacky - it's a random gateway from another interface (that, incidentally, is not the outgoing WAN i/f) ! Definitely not matching a selector, unfortunately. Apparently putting IP addresses on the IPSEC interface sorts it somehow.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey jond,
this KB might provide some insight into the source IP stuff for IPSec: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Source-IP-for-self-originating-IPsec-tunne...
Though I'm not sure how applicable that is given you mentioned that the IP in question is NOT the wan interface IP.
If you put an IP on the IPSec interface itself, that does give the FortiGate a fixed IP for its self-originating traffic into IPSec VPN, and should resolve any issues with random source IPs.
Alternatively, you can force source IPs for any number of self-originating traffic, such as logging and authentication; the source IPs are usually only configureable via CLI though
#config user radius
#edit <>
#set source-ip x.x.x.x
#end
for example. In 7.0, the source IP settings are expanded, and allow an automatic selection or fixed IP, and even a fixed outgoing interface even if the routing table would dictate a different outgoing interface.
I hope that helps!
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,749 -
FortiClient
1,777 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
477 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
323 -
6.2
251 -
SSL-VPN
249 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
208 -
5.0
196 -
FortiNAC
191 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
106 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Wireless Controller
81 -
Customer Service
80 -
4.0MR3
64 -
FortiProxy
60 -
Fortivoice
56 -
High Availability
56 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1737 | |
| 1107 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.