Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Castle_47
New Contributor

Created on ‎02-18-2024 07:30 AM

Shortcut tunnel

Hi all, 

Need your support on shortcut tunnels. Basically , I am not able to reach from SPOKE_1 to SPOKE_2 via shortcut tunnels. Instead, traffic is getting routed to Hub tunnel ip than to Spoke_2 tunnel ip. My shortcut tunnel does comes up.i can see in ipsec monitor,but no data flows through it.

 

 

Labels:
334
0 Kudos
4 REPLIES 4
sahmed_FTNT
Staff
Staff

Created on ‎02-18-2024 08:16 AM

Kindly see the below link for troubleshooting:

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-ADVPN-shortcuts-are-not-establishing...

Security all we want
322
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎02-18-2024 08:17 AM

Hi

Did you follow the instruction below? If so, in your case you may double-check the routing configuration and behavior.

https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/978793/advpn

AEK
AEK
321
0 Kudos
adimailig
Staff
Staff

Created on ‎02-18-2024 07:16 PM

You may refer to below guide
Troubleshooting Tip: ADVPN shortcuts are not establishing between Spokes
Troubleshooting Tip: ADVPN shortcut cannot be created and the forward shortcut-query shows as '00000...

On HUB, net-device should be disable
On Spoke, net-device should be enable

Also, make sure that "auto-discovery-receiver" is enable on Spokes
While, "auto-discovery-sender" enable on HUB.




Best Regards,

Arnold Dimailig
TAC Engineer
287
0 Kudos
hbac
Staff
Staff

Created on ‎02-19-2024 09:09 AM

Hi @Castle_47,

 

If the tunnel comes up but no traffic passing, you need to run debug flow to see why. https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Example: di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 10.1.1.1
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable 

 

On the hub, you need a policy to allow traffic from tunnel to tunnel (same incoming and outgoing interfaces). 

 

Regards, 

275
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.