Hi!
We have a problem with routing (?) via IPsec site-to-site:
1. 2 ISPs on both sides, 4 IPsec tunnels from the branch site (60C) to the main office (1000C).
2. Phase 2 on all tunnels uses 0.0.0.0/0.0.0.0 as the networks, with static routes of different distance (1-2-3-4) for IPsec failover.
3. "LAN" 192.168.7.0/24 on the 60C and "LAN" 192.168.0.0/24 on the 1000C.
4. FW on the 60C and 1000C is 5.2.11, the latest.
5. All works fine, traffic flows from any LAN to any LAN via IPsec, BUT ...
If I trace route from a host in LAN 192.168.0.0 to a host in 192.168.7.0, I see the WAN1 IP of the 60C in the trace route ....
1 <1 ms <1 ms <1 ms 192.168.0.251 (1000C LAN IP)
2 3 ms 3 ms 2 ms xx.xx.xx.xx (60C WAN1 IP)
3 3 ms 2 ms 2 ms host5 [192.168.7.1] (host in the 192.168.7.0 network)
Why does traffic flow like this??? We have a few other devices connected the same way - no tracert problems!!!
We tried checking all settings - all the same, the only difference is the connected ports. We think traffic flows according to the ifindex of the port on the FGT????
How can we resolve this issue?
We have trouble with applications like TMG 2010 - the client source IP (WAN IP of the 60C) is unreachable in the logs ...
Tnx for any help!
This is not an issue.
Your tunnel interfaces are unnumbered, so your FortiGate just picks some IP address of its own to display in the output.
This behavior is documented here:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD36799
Regards
bommi
NSE 4/5/7
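As an added illustration of bommi's point (this is not code from the thread or from Fortinet), here is a small Python script that parses a Windows tracert listing and checks each hop against the address ranges expected on the path, so the branch firewall's WAN address showing up at hop 2 is flagged as "outside expected ranges" and can be recognised as the unnumbered-interface artefact rather than a routing fault. The listing is constructed from the first post, the WAN address is a documentation-range placeholder (203.0.113.7), and the 10.255.0.0/24 tunnel range is an assumption about how the tunnel interfaces would be numbered.

```python
"""Classify the hops of a Windows tracert listing against the address ranges
expected on the path, so a hop answering from an unexpected address (such as
a firewall WAN IP replying on behalf of an unnumbered IPsec tunnel interface)
is flagged explicitly instead of being taken for a routing problem.
Added example; the sample data below is constructed from the thread."""
import ipaddress
import re

# Constructed sample in Windows tracert format.  The branch WAN address is a
# documentation-range placeholder (RFC 5737), not the real one from the thread.
SAMPLE_TRACERT = """\
Tracing route to host5 [192.168.7.1]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.251
  2     3 ms     3 ms     2 ms  203.0.113.7
  3     3 ms     2 ms     2 ms  host5 [192.168.7.1]
"""

# Ranges a hop is allowed to answer from.  The tunnel range is an assumption:
# it is what you would expect once the tunnel interfaces are given addresses.
EXPECTED = {
    "main-office LAN": ipaddress.ip_network("192.168.0.0/24"),
    "branch LAN": ipaddress.ip_network("192.168.7.0/24"),
    "tunnel addresses (assumed)": ipaddress.ip_network("10.255.0.0/24"),
}

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_tracert(text):
    """Return [(hop_number, address_or_None), ...] from a tracert listing.

    A hop line starts with its number; the responding address is the last IPv4
    literal on the line (tracert prints "name [ip]" when it resolves a name).
    Lines such as "  2  *  *  *  Request timed out." yield None."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        if not m:
            continue  # banner, blank and trailer lines
        found = IPV4_RE.findall(line)
        hops.append((int(m.group(1)), found[-1] if found else None))
    return hops


def classify(address):
    """Name the expected range the address belongs to, or flag it."""
    if address is None:
        return "no reply"
    addr = ipaddress.ip_address(address)
    for name, net in EXPECTED.items():
        if addr in net:
            return name
    return "outside expected ranges"


def audit(text):
    """Pair every hop with its classification; the flagged ones deserve a look."""
    return [(hop, addr, classify(addr)) for hop, addr in parse_tracert(text)]


if __name__ == "__main__":
    for hop, addr, verdict in audit(SAMPLE_TRACERT):
        print(f"{hop:>2}  {addr or '*':<16} {verdict}")
```

Once the tunnel interfaces are numbered, hop 2 moves into the tunnel range and the same check passes; a hop that is still flagged after that is the one worth a packet capture.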
FWIW, you can add addresses to the tunnel interfaces.
PCNSE
NSE
StrongSwan
Tnx for the answer!!! I tried setting IPs on the IPsec interfaces; it works like in the document
http://kb.fortinet.com/kb/documentLink.do?externalID=FD36799
I see these IPs in tracert, but Internet via TMG is not working properly ... TMG says - unknown source ... It can't check these source IPs, I think.
Maybe I am doing something wrong???
We have a few tunnels on another FGT without problems like this ((( the only difference is the connected ports.
I don't know how to fix these problems ((( HELP )))
Hi! Can anyone help with these issues?
What do you mean by "check these source IPs"? What's the IP of the TMG and at which location is it? We need some more information to help you with this case.
From TMG (network 192.168.0.0) I do a tracert to a host in network 192.168.1.0 (it has problems):
1 <1 мс <1 мс <1 мс 192.168.0.251 (it's the LOCAL GW FGT LAN IP)
2 * * * destination unreachable (sometimes it's the IP of another FGT port!!!)
3 5 ms 2 ms 3 ms 192.168.1.1 (it's the remote host)
From TMG (network 192.168.0.0) I do a tracert to network 192.168.2.0 (NO problems):
1 <1 мс <1 мс <1 мс 192.168.0.251 (it's the LOCAL GW FGT LAN IP)
2 14 ms 14 ms 14 ms 192.168.2.252 (it's the REMOTE GW FGT LAN IP)
3 15 ms 17 ms 15 ms SPB-DC1 [192.168.2.1] (it's the remote host)
All site-to-site tunnels have the same config. The only difference is the ports used on the FGT (port devindex???).
Internet from 192.168.1.0 flows to the main office TMG (proxy). It's slow, not working properly (freezes), etc.
Internet from 192.168.2.0 flows to the main office TMG (proxy). NO PROBLEMS, all fine!
Hi Dizzy,
maybe a diagram of the network will help...
anyway, some questions:
- which version of TMG and Windows S.O.?
- how do clients interact with TMG? transparent or explicit proxy, ISA client?
- and if it's the ISA client, have you checked if it's an MTU problem?
- can you ping the affected clients from TMG?
- is there any NAT involved?
- are clients hitting TMG from the "internal" interface or another interface, and if the latter, how have you declared the network rules?
Regards,
Antonio
Hi, Antonio, TNX for the help!!!
"maybe a diagram of the network will help..." - I added it as an attachment (n1.jpg)
"anyway, some questions:"
"which version of TMG and Windows S.O.?" - Win2008R2, TMG 2010 latest CU
"how do clients interact with TMG? transparent or explicit proxy, ISA client?" - just proxy, no ISA client
"and if it's the ISA client, have you checked if it's an MTU problem?" - no ISA client )))
"can you ping the affected clients from TMG?" - yes!
"is there any NAT involved?" - NAT only on TMG. In the FGT rules NAT is disabled
"are clients hitting TMG from the "internal" interface or another interface, and if the latter, how have you declared the network rules?" - proxy on TMG on the LAN interface, no special rules - Any from LAN to Internet via proxy.
P.S. Problems with "Internet via proxy on TMG" we have only on site 2 (on the scheme). On site 3 we have no problems.
All configs in tunnels and rules on the FGTs are the same for all sites. We re-checked everything ((( We think it's a problem with the DEVINDEX of the ports on the FGT. The problem site has more ports in use (with IPs) and the FGT uses one of them, I think. We also have the same problems in a few other sites of the network where we use FGT IPsec, and we have sites without problems.
I don't know how to fix these problems ...
P.P.S.
tracert from the problem site (client PC 192.168.1.62) to the proxy server:
1 <1 мс <1 мс <1 мс 192.168.1.254 - (FGT LAN port on the problem site, 192.168.1.0/24)
2 5 ms 3 ms 2 ms X.X.X.X - (FGT WAN IP here)
3 3 ms 5 ms 5 ms gatecore [192.168.0.10] - (TMG 2010 server)
tracert from the proxy server to the client PC on the problem site:
1 <1 мс <1 мс <1 мс 192.168.0.251 (FGT LAN port in 192.168.0.0/24)
2 * * * Request timed out
3 3 ms 5 ms 3 ms TSK-PER9-PS-WS3 [192.168.1.62] - client PC on the problem site
Dizzy_Read wrote: anyway, some questions:
- which version of TMG and Windows S.O.? - Win2008R2, TMG 2010 latest CU
Umm, W2k8R2 has a weird PMTUD behaviour..
What MTU do you have on the site 2 line, without other encapsulations (PPPoE, for example)? IIRC, with des+md5+pad you should have 1446.
You can check using this handy tool:
https://www.elifulkerson.com/projects/mturoute.php
Dizzy_Read wrote:
- are clients hitting TMG from the "internal" interface or another interface, and if the latter, how have you declared the network rules? - proxy on TMG on the LAN interface, no special rules - Any from LAN to Internet via proxy.
So the site 2 network has been added to the TMG internal networks, a static route is in place, and TMG is a two-legged deployment..
Dizzy_Read wrote: P.S. Problems with "Internet via proxy on TMG" we have only on site 2 (on the scheme). On site 3 we have no problems.
All configs in tunnels and rules on the FGTs are the same for all sites. We re-checked everything ((( We think it's a problem with the DEVINDEX
What do you mean by a "DEVINDEX" problem?
From your diagram I see a single LAN port (port20), so if your config does not have wrong routes or PBR rules I cannot see any problem with routing multiple tunnels through the LAN port..
Based on what I see from the diagram, at first glance I would hypothesize an MTU problem, but a good idea would also be to do a packet capture or at least a diag debug flow..
For the missing hops in traceroute, bommi's response is absolutely correct.
Regards,
Antonio
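To make the MTU arithmetic behind Antonio's 1446-byte figure explicit, here is an added Python calculator (not from the thread and not a Fortinet tool). It computes the largest cleartext packet that fits one ESP tunnel-mode packet on a given path MTU, and the TCP MSS to clamp to on the tunnel so that hosts with broken PMTUD never send oversized segments. The des+md5 row reproduces the 1446 bytes cited above; the other cipher/integrity sizes and the NAT-T option are standard ESP values I added to show the general case.

```python
"""Largest cleartext IP packet that fits one ESP tunnel-mode packet on a
given path MTU (the MTU the tunnel interface should carry), plus the TCP
MSS to clamp to.  Added example; the des-cbc/md5 row reproduces the 1446
bytes cited in the thread, the other algorithm sizes are standard ESP values."""

OUTER_IPV4 = 20   # outer IPv4 header added by tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1); padding itself is variable
NAT_T_UDP = 8     # extra UDP header when NAT traversal (UDP/4500) is in use
IPV4_TCP = 40     # inner IPv4 (20) + TCP (20) headers, for the MSS figure

# cipher -> (IV length, block size); for CBC ciphers the IV equals the block size.
CIPHERS = {
    "des-cbc": (8, 8),        # listed only because the thread mentions it
    "3des-cbc": (8, 8),
    "aes128-cbc": (16, 16),
    "aes256-cbc": (16, 16),
}
# integrity algorithm -> truncated ICV length appended to the ESP packet
INTEGRITY = {"md5": 12, "sha1": 12, "sha256": 16}


def esp_overhead(cipher, integrity, nat_t=False):
    """Fixed bytes ESP tunnel mode adds around the encrypted payload."""
    iv, _ = CIPHERS[cipher]
    nat = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + nat + ESP_HEADER + iv + INTEGRITY[integrity]


def tunnel_mtu(path_mtu=1500, cipher="des-cbc", integrity="md5", nat_t=False):
    """Largest inner packet that does not force fragmentation of the ESP packet.

    The encrypted part (inner packet + padding + 2-byte trailer) must be a
    multiple of the cipher block size, so round the remaining budget down to
    a block boundary and give the trailer its two bytes back.  At this size
    the padding is zero; any larger packet needs another whole block."""
    _, block = CIPHERS[cipher]
    budget = path_mtu - esp_overhead(cipher, integrity, nat_t)
    encrypted = budget - budget % block
    return encrypted - ESP_TRAILER


def tcp_mss(path_mtu=1500, **kw):
    """TCP MSS to advertise/clamp on the tunnel so segments never exceed it."""
    return tunnel_mtu(path_mtu, **kw) - IPV4_TCP


if __name__ == "__main__":
    for cipher in CIPHERS:
        for integ in INTEGRITY:
            for nat in (False, True):
                mtu = tunnel_mtu(1500, cipher, integ, nat)
                mss = tcp_mss(1500, cipher=cipher, integrity=integ, nat_t=nat)
                print(f"{cipher:<10} {integ:<6} nat-t={nat!s:<5} mtu={mtu} mss={mss}")
```

If the line itself carries PPPoE or another encapsulation, pass the reduced path MTU (1492 for PPPoE) instead of 1500; the result is what the `mturoute` probe above should report end to end, and any smaller value points at an extra encapsulation or a filter dropping the ICMP "fragmentation needed" messages.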