MoccaMaster

SSLVPN to Azure VPN traffic not flowing

We have a setup where we connect to our Azure resources using a Site2site IPSec VPN connection, which works as expected.

However, once my clients connect from FortiClient using SSLVPN, traffic does not get routed to Azure.

I have created Firewall rules that allow traffic from SSLVPN to Azure remote IP addresses.

SSLVPN split mode is disabled, as I want all traffic over my VPN.

SSLVPN Clients can connect to LAN and WAN resources.

SSLVPN clients cannot connect to Azure resources.

If someone can point me in any direction, it would be very appreciated.

aionescu

Hi @MoccaMaster ,

Are the IP addresses that are assigned to the clients configured in the Phase2 of the tunnel to Azure? If they are, please run the following commands and upload the output:

diagnose debug enable

diagnose debug flow filter addr x.x.x.x <----- where x.x.x.x is the source of the traffic.

diagnose debug flow trace start 10

You can disable the debug running the command:

diagnose debug disable

MoccaMaster

@aionescu  thanks for the quick reply.

On my Azure IPSec tunnel, I have defined both the LAN segment and the SSLVPN with the same settings.
The result from the debug:

id=20085 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 94.127.49.230:443->212.98.75.206:61674) from wan1. flag [.], seq 2570902, ack 2275044378, win 245"
id=20085 trace_id=1 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-019bf91f, reply direction"
id=20085 trace_id=1 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=1 func=ip_session_run_all_tuple line=7154 msg="DNAT 212.98.75.206:61674->10.212.134.100:61674"
id=20085 trace_id=2 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 94.127.49.230:443->212.98.75.206:61674) from wan1. flag [F.], seq 2570933, ack 2275044378, win 245"
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-019bf91f, reply direction"
id=20085 trace_id=2 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=2 func=ip_session_run_all_tuple line=7154 msg="DNAT 212.98.75.206:61674->10.212.134.100:61674"
id=20085 trace_id=3 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.212.134.100:61674->94.127.49.230:443) from ssl.root. flag [.], seq 2275044378, ack 2570934, win 6143"
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-019bf91f, original direction"
id=20085 trace_id=3 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=3 func=ip_session_run_all_tuple line=7142 msg="SNAT 10.212.134.100->212.98.75.206:61674"
id=20085 trace_id=4 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 94.127.49.228:443->212.98.75.206:61675) from wan1. flag [.], seq 415816949, ack 2009654142, win 254"
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-019bf920, reply direction"
id=20085 trace_id=4 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=4 func=ip_session_run_all_tuple line=7154 msg="DNAT 212.98.75.206:61675->10.212.134.100:61675"
id=20085 trace_id=5 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 94.127.49.228:443->212.98.75.206:61675) from wan1. flag [F.], seq 415816980, ack 2009654142, win 254"
id=20085 trace_id=5 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-019bf920, reply direction"
id=20085 trace_id=5 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=5 func=ip_session_run_all_tuple line=7154 msg="DNAT 212.98.75.206:61675->10.212.134.100:61675"
id=20085 trace_id=6 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.212.134.100:61675->94.127.49.228:443) from ssl.root. flag [.], seq 2009654142, ack 415816981, win 6147"
id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-019bf920, original direction"
id=20085 trace_id=6 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=6 func=ip_session_run_all_tuple line=7142 msg="SNAT 10.212.134.100->212.98.75.206:61675"
id=20085 trace_id=7 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.212.134.100:61676->10.10.0.14:8013) from ssl.root. flag [S], seq 3261316680, ack 0, win 64896"
id=20085 trace_id=7 func=init_ip_session_common line=5995 msg="allocate a new session-019bfa54"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.10.0.14 via lan"
id=20085 trace_id=7 func=fw_forward_handler line=811 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=7 func=__ip_session_run_tuple line=3519 msg="SNAT 10.212.134.100->10.10.0.253:61676"
id=20085 trace_id=7 func=ipd_post_route_handler line=490 msg="out lan vwl_zone_id 0, state2 0x0, quality 0.
"
id=20085 trace_id=8 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:8013->10.10.0.253:61676) from lan. flag [S.], seq 311730328, ack 3261316681, win 8192"
id=20085 trace_id=8 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-019bfa54, reply direction"
id=20085 trace_id=8 func=__ip_session_run_tuple line=3533 msg="DNAT 10.10.0.253:61676->10.212.134.100:61676"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.212.134.100 via ssl.root"
id=20085 trace_id=8 func=npu_handle_session44 line=1217 msg="Trying to offloading session from lan to ssl.root, skb.npu_flag=00000400 ses.state=01000200 ses.npu_state=0x00040000"
id=20085 trace_id=8 func=fw_forward_dirty_handler line=397 msg="state=01000200, state2=00000000, npu_state=00040000"
id=20085 trace_id=8 func=ipd_post_route_handler line=490 msg="out ssl.root vwl_zone_id 0, state2 0x0, quality 0.
"
id=20085 trace_id=9 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.212.134.100:61676->10.10.0.14:8013) from ssl.root. flag [.], seq 3261316681, ack 311730329, win 6147"
id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-019bfa54, original direction"
id=20085 trace_id=9 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=9 func=ip_session_run_all_tuple line=7142 msg="SNAT 10.212.134.100->10.10.0.253:61676"
id=20085 trace_id=10 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.212.134.100:61676->10.10.0.14:8013) from ssl.root. flag [.], seq 3261316681, ack 311730329, win 6147"
id=20085 trace_id=10 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-019bfa54, original direction"
id=20085 trace_id=10 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=10 func=ip_session_run_all_tuple line=7142 msg="SNAT 10.212.134.100->10.10.0.253:61676"

aionescu

@MoccaMaster did you capture the traffic while generating traffic towards Azure resources? If yes, what is the destination IP? What does the policy that allows the traffic look like? Could you try to clear any session, if any, between the two IPs (using the information from Technical Tip: Using filters to clear sessions on ... - Fortinet Community) and then generate traffic?

This way we can see how the session is created.

If the previous capture was not able to capture the "interesting" traffic and, depending on the amount of traffic generated by the source host, you can increase the number of captured packets:

diagnose debug enable

diagnose debug flow filter addr x.x.x.x <----- where x.x.x.x is the source of the traffic.

diagnose debug flow trace start 1000

MoccaMaster

@aionescu A new trace as per request.

What I did to generate traffic:
Connected to SSLVPN, started pinging 10.100.0.6
Started trace
Tried to establish an RDP connection
All of these work from the LAN side.

I tried to decipher the log, and note that it tried to send traffic through my disabled DMZ interface (172.16.0.1).

Output from my FG can be downloaded here:
https://share.ck.dk/filr/public-link/file-preview/ff8080828384856c0183a7472d6400e6/7553/-29082974766...

aionescu

Hi @MoccaMaster

From the debug:

FG1 # id=20085 trace_id=4011 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.210.134.100:1->10.100.0.6:2048) from ssl.root. type=8, code=0, id=1, seq=4614."

id=20085 trace_id=4011 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-01a4d8b0, original direction"

id=20085 trace_id=4011 func=ipv4_fast_cb line=53 msg="enter fast path"

id=20085 trace_id=4011 func=ip_session_run_all_tuple line=7142 msg="SNAT 10.210.134.100->172.16.0.1:60417"

id=20085 trace_id=4011 func=ipsecdev_hard_start_xmit line=790 msg="enter IPsec interface-AzureVPN"

id=20085 trace_id=4011 func=_ipsecdev_hard_start_xmit line=667 msg="IPsec tunnel-AzureVPN"

id=20085 trace_id=4011 func=ipsec_common_output4 line=875 msg="No matching IPsec selector, drop"

Can you confirm the phase2 selectors?

MoccaMaster

Yes I can confirm the Phase2 selectors. 

Here is a screendump of it

[screenshot: azure p2.png]

Debbie_FTNT

Hey MoccaMaster,

Is it correct that the first selector has as remote 10.100.0.0/16, and the other 10.100.0.0/24?

It could be that the "SSLVPN" phase2 wasn't up for some reason - you could run this command to confirm, for example:
get vpn ipsec tunnel summary
You can refer to this KB to dig a bit into what might be going on with the VPN tunnel:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955

MoccaMaster

@Debbie_FTNT This is an error from my side. I was trying a different subnet for the SSLVPN part; it doesn't matter if it's /16 or /24, the result is the same.

Switched SSLVPN part back to the original /16 setting as used on the first selector (which works). 
Result from "get vpn ipsec tunnel summary" 
'AzureVPN' 20.xx.xx.xx:0 selectors(total,up): 2/2

MoccaMaster

@Debbie_FTNT @aionescu Thanks for your help.
The tunnel is now working as expected.
I somehow had enabled NAT on the firewall policy, which blocked the connection. Once I disabled it on both firewall policies, the traffic flow is now working.

If anyone else comes by this thread, this is what I changed to get it working:
On the Fortigate: 

  • Added a second Phase2 selection on the AzureVPN, with the SSLVPN IP segment
  • Disabled NAT on the 2 firewall policies allowing traffic from SSLVPN over the IPSec tunnel to Azure.

In Azure: 

  • Added the SSLVPN addresses in the address space for the "Local network gateway" configuration
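The drop in the trace above ("No matching IPsec selector, drop" right after an SNAT to 172.16.0.1) and the two-sided fix in the summary can be checked mechanically. The following Python is an added example for this thread, not code from Fortinet or from any of the posters: it parses `diagnose debug flow` output, takes the source address as it is after policy NAT, and tests that tuple against the FortiGate phase 2 selectors and the Azure local network gateway address space. The trace lines are the ones quoted in the thread, embedded as constructed sample input (with the line-wrapped ICMP sequence number rejoined); the LAN subnet 10.10.0.0/24, the SSLVPN pool 10.210.134.0/24 and the Azure VNet 10.100.0.0/16 are assumptions, as are all function and constant names.

```python
"""Triage a FortiOS `diagnose debug flow` trace against an IPsec tunnel's selectors.

Added example for this thread, not code from Fortinet or the posters. The
network numbers below are assumptions: LAN 10.10.0.0/24, SSLVPN pool
10.210.134.0/24, Azure VNet 10.100.0.0/16. 172.16.0.1 is simply the post-SNAT
address the trace shows.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample input: the dropped ICMP trace quoted in the thread (wrapped
# "seq=4614." rejoined) plus the working LAN-bound session for contrast.
SAMPLE_TRACE = """\
FG1 # id=20085 trace_id=4011 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 10.210.134.100:1->10.100.0.6:2048) from ssl.root. type=8, code=0, id=1, seq=4614."
id=20085 trace_id=4011 func=resolve_ip_tuple_fast line=5905 msg="Find an existing session, id-01a4d8b0, original direction"
id=20085 trace_id=4011 func=ip_session_run_all_tuple line=7142 msg="SNAT 10.210.134.100->172.16.0.1:60417"
id=20085 trace_id=4011 func=_ipsecdev_hard_start_xmit line=667 msg="IPsec tunnel-AzureVPN"
id=20085 trace_id=4011 func=ipsec_common_output4 line=875 msg="No matching IPsec selector, drop"
id=20085 trace_id=7 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.212.134.100:61676->10.10.0.14:8013) from ssl.root. flag [S], seq 3261316680, ack 0, win 64896"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-10.10.0.14 via lan"
id=20085 trace_id=7 func=fw_forward_handler line=811 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=7 func=__ip_session_run_tuple line=3519 msg="SNAT 10.212.134.100->10.10.0.253:61676"
id=20085 trace_id=7 func=ipd_post_route_handler line=490 msg="out lan vwl_zone_id 0, state2 0x0, quality 0."
"""

# Phase 2 selectors as the FortiGate sees them, (local, remote); the second pair
# is the one added for the SSLVPN pool. Assumed values.
PHASE2 = [("10.10.0.0/24", "10.100.0.0/16"), ("10.210.134.0/24", "10.100.0.0/16")]
# Azure "Local network gateway" address space: prefixes Azure routes back into the tunnel.
AZURE_LNG = ["10.10.0.0/24", "10.210.134.0/24"]

LINE = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"$')
PKT = re.compile(r'packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\. ')
SNAT = re.compile(r'\bSNAT ([\d.]+)->([\d.]+):\d+')
POLICY = re.compile(r'Allowed by Policy-(\d+)')
TUNNEL = re.compile(r'IPsec tunnel-(\S+)')
ROUTE = re.compile(r'find a route: .*? via (\S+)')
OUT = re.compile(r'^out (\S+) ')


def parse_flow(text):
    """Group flow lines by trace_id into one record per packet."""
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:  # prompt echo, blank line, or anything that is not a flow line
            continue
        tid, msg = m.groups()
        t = traces.setdefault(tid, {"trace_id": tid, "src": None, "dst": None, "dport": None,
                                    "in_if": None, "policy": None, "snat_ip": None, "tunnel": None,
                                    "egress": None, "verdict": "unknown", "reason": None})
        if (p := PKT.search(msg)):
            t.update(src=p[2], dst=p[4], dport=int(p[5]), in_if=p[6])
        elif (s := SNAT.search(msg)):
            t["snat_ip"] = s[2]  # the source the far end will actually see
        elif (pol := POLICY.search(msg)):
            t["policy"] = int(pol[1])
        elif (tun := TUNNEL.search(msg)):
            t["tunnel"] = t["egress"] = tun[1]  # handed to this IPsec interface
        elif (r := ROUTE.search(msg)):
            t["egress"] = r[1]
        elif (o := OUT.search(msg)):
            t["egress"], t["verdict"] = o[1], "forwarded"
        if msg.endswith("drop") or msg.startswith("Denied by"):
            t["verdict"], t["reason"] = "drop", msg
    return traces


def src_at_egress(t):
    """Selector matching happens after policy NAT, so use the post-SNAT source."""
    return t["snat_ip"] or t["src"]


def explain_ipsec(t, phase2=PHASE2, azure_lng=AZURE_LNG):
    """Test a trace's post-NAT tuple against both ends of the tunnel; returns (ok, why)."""
    src, dst = ip_address(src_at_egress(t)), ip_address(t["dst"])
    if not any(src in ip_network(loc) and dst in ip_network(rem) for loc, rem in phase2):
        why = f"{src}->{dst} matches no phase2 selector on the FortiGate"
        if t["snat_ip"]:
            why += f" (policy NAT rewrote {t['src']} to {src}; disable NAT or cover {src})"
        return False, why
    if not any(src in ip_network(p) for p in azure_lng):
        return False, f"{src} is outside the Azure local network gateway address space; replies will not come back"
    return True, f"{src}->{dst} is covered on both ends"


def triage(text, **kw):
    """One (ok, why) verdict per trace_id, so callers can assert on it."""
    out = {}
    for tid, t in parse_flow(text).items():
        if t["tunnel"]:
            out[tid] = explain_ipsec(t, **kw)
        else:
            out[tid] = (t["verdict"] != "drop", f"{t['verdict']} via {t['egress']}")
    return out


if __name__ == "__main__":
    for tid, (ok, why) in triage(SAMPLE_TRACE).items():
        print(f"trace {tid}: {'ok ' if ok else 'BAD'} {why}")
```

Run as a script it prints one verdict per trace. The point it encodes is the one the thread arrives at: the IPsec selector lookup sees the packet after the policy's SNAT, so a NAT-enabled policy toward the tunnel turns a pool address the selector covers into an interface address it does not, and the same post-NAT source also has to appear in the Azure local network gateway address space or the return traffic has no route back into the tunnel. The Azure side is modelled only as that return-route check, not as a full traffic selector comparison.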