Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pxiannie
New Contributor III

Created on ‎02-29-2024 12:32 AM

Server IP address could not be found for IPsec VPN Remote Access

Hi, I'm trying to remote access to local lan using forticlient. I'm able to connect to IPsec VPN and ping 192.168.1.1 but cannot ping my server ip address and access to local server. Is there any problem for my settings? My server ip address also one of the range in Local-LAN but why I cannot ping my server? Please help.
Screenshot 2024-02-29 162511.png
Screenshot 2024-02-29 162559.png
Regards,


Labels:
2257
0 Kudos
16 REPLIES 16
abarushka
Staff
Staff

Created on ‎02-29-2024 01:50 AM

Hello,

 

You may consider to collect debug flow and traffic sniffer while pinging unreachable server:

 

Debug flow:

diagnose debug flow filter daddr <server IP address>
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

 

Traffic sniffer:

diagnose sniffer packet any 'icmp and host <server IP address>' 4 0 a

FortiGate
1280
pxiannie
New Contributor III
In response to abarushka

Created on ‎03-06-2024 06:51 PM

Hi @abarushka ,

I have run the debug flow and traffic sniffer. What does it means? 

Debug flow:
Screenshot 2024-03-07 104505.png
Traffic sniffer:
Screenshot 2024-03-07 104602.png

Regards,

1219
0 Kudos
abarushka
Staff
Staff
In response to pxiannie

Created on ‎03-07-2024 02:54 AM

Hello,

 

On firewall side everything looks good. I can see that firewall policy 7 is matched. ICMP packet is received (TONY-VPN) and sent out (interface lan). However firewall doesn't receive ICMP reply.

 

I would recommend to check whether ICMP is filtered (server OS firewall) on server side.

FortiGate
1195
pxiannie
New Contributor III
In response to abarushka

Created on ‎03-07-2024 07:49 PM

Hi @abarushka ,

I'm able to ping my server ip address after enabled all the NAT for policy but still not able to ping my server name. If can ping server ip address that means the ICMP are not filtered on server side right?

Regards,

1168
0 Kudos
ebilcari
Staff
Staff

Created on ‎02-29-2024 02:18 AM

Is the server IP part of the subnet 192.168.1.x and does it use .1 as the gateway (or as a next hop in a route to reach the VPN subnet)? Check also the firewall of the server if it has any specific rule that allows or block based on source IP. If NAT is not enabled on the policy, the requests will be sourced by the IP of the VPN client.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1273
pxiannie
New Contributor III
In response to ebilcari

Created on ‎03-06-2024 07:01 PM

Hi @ebilcari ,

Yes the server IP is part of the subnet 192.168.1.x and 192.168.1.1 is the default gateway used to access the GUI of a Fortinet firewall. I think the firewall of server only allow local lan subnet to access, does it mean that I need to set all the firewall policy to enabled NAT?

Regards,

1217
0 Kudos
ebilcari
Staff
Staff
In response to pxiannie

Created on ‎03-07-2024 03:00 AM

From security perspective, it is not recommended because the source IP of the client will be hidden to the server but if that is the only way you can configure the policy to NAT the client requests with the IP of the FGT 192.168.1.1.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1190
pxiannie
New Contributor III
In response to ebilcari

Created on ‎03-07-2024 07:56 PM

Hi @ebilcari ,


I'm able to ping my server ip address after enabled all the NAT for policy but still not able to ping the server name. As my LAN-to-SDWAN are originally set to enabled NAT, I can only modified others policy. But I found that if one of the policy NAT is disabled then the server ip not able to ping ady, is that correct?

Regards,

 

1167
0 Kudos
ebilcari
Staff
Staff
In response to pxiannie

Created on ‎03-08-2024 12:49 AM

In order to ping by name, a DNS server should be able to resolve the name into the IP of the server. This is not related to network reachability or NAT-ing the traffic, most probably different network segments use their own DNS servers.

If the server firewall will accept connections only from the subnet 192.168.1.x and that can't be changed, than the only possibly way of communication is to source NAT the requests with the FGT IP.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
1138
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.