sivakumar28200
New Contributor

Site to Site VPN

Hi Guys,

Kindly help me on this. I have a Fortinet firewall and I have formed a site-to-site VPN, but I am unable to reach/ping 172.17.10.137:514.

Here is the debug log.

-- 172.17.10.137 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
FGT90D3Z13005673 # exe
no object in the end
Command fail. Return code -160
FGT90D3Z13005673 # diag debug enable
id=20085 trace_id=33 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=33 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=33 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=33 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=33 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=33 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=34 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=34 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=34 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=34 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=34 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=34 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=35 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=35 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=35 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=35 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=35 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=35 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=36 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=36 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=36 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=36 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=36 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=36 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=37 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=37 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=37 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=37 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=37 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=37 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=38 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=38 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=38 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=38 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=38 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=38 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=39 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=39 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=39 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=39 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=39 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=39 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=40 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=40 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=40 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=40 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=40 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=40 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=41 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=41 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=41 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=41 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=41 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=41 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=42 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=42 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=42 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=42 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=42 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=42 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=43 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=43 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=43 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=43 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=43 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=43 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=44 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=44 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=44 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=44 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=44 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=44 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=45 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=45 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=45 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=45 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=45 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=45 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=46 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=46 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=46 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=46 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=46 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=46 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
id=20085 trace_id=47 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. "
id=20085 trace_id=47 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction"
id=20085 trace_id=47 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031"
id=20085 trace_id=47 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS"
id=20085 trace_id=47 func=esp_output4 line=1175 msg="IPsec encrypt/auth"
id=20085 trace_id=47 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1"
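
As an added example (not part of the original thread and not Fortinet code), a small Python parser for the flow trace posted above: it groups entries by trace_id, also on a flattened single-line paste, and reports what each trace shows. trace_id=33 is copied from the post; trace_id=900, the interface name `internal` and the function names are constructed for illustration.

```python
import ipaddress
import re

# trace_id=33 is copied from the post above; trace_id=900 is constructed for contrast.
SAMPLE = (
    'id=20085 trace_id=33 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 210.186.145.206:1031->172.17.10.137:514) from local. " '
    'id=20085 trace_id=33 func=resolve_ip_tuple_fast line=5306 msg="Find an existing session, id-003dc74f, original direction" '
    'id=20085 trace_id=33 func=__ip_session_run_tuple line=3128 msg="SNAT 210.186.145.206->172.16.11.10:1031" '
    'id=20085 trace_id=33 func=ipsec_tunnel_output4 line=1223 msg="enter IPsec tunnel-KN2AIMS" '
    'id=20085 trace_id=33 func=esp_output4 line=1175 msg="IPsec encrypt/auth" '
    'id=20085 trace_id=33 func=ipsec_output_finish line=534 msg="send to 210.186.145.205 via intf-wan1" '
    'id=20085 trace_id=900 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=17, 172.16.11.10:1031->172.17.10.137:514) from internal. " '
)

ENTRY = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)"')
PKT = re.compile(r'proto=(\d+), ([\d.]+):\d+->([\d.]+):(\d+)\) from (\w+)')
SNAT = re.compile(r'SNAT [\d.]+->([\d.]+):\d+')
TUNNEL = re.compile(r'enter IPsec tunnel-(\S+)')
SENT = re.compile(r'send to ([\d.]+) via intf-(\S+)')
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_flow_trace(text):
    """Group debug-flow entries by trace_id; works on flattened, single-line pastes too."""
    traces = {}
    for tid, _func, msg in ENTRY.findall(text):
        t = traces.setdefault(int(tid), {})
        if m := PKT.search(msg):
            t.update(proto=int(m[1]), src=m[2], dst=m[3], dport=int(m[4]), ingress=m[5])
        elif m := SNAT.search(msg):
            t["snat_to"] = m[1]
        elif m := TUNNEL.search(msg):
            t["tunnel"] = m[1]
        elif m := SENT.search(msg):
            t.update(peer=m[1], out_intf=m[2])
    return traces

def findings(t):
    """Plain-language observations; 'from local' marks traffic the firewall itself generated."""
    notes = [f"traced packet is {PROTO.get(t['proto'], t['proto'])} to port {t['dport']}"]
    if t.get("ingress") == "local" and not ipaddress.ip_address(t["src"]).is_private:
        notes.append("sourced from the firewall's own public address, not a private host")
    if "snat_to" in t:
        notes.append(f"source NATed to {t['snat_to']} before entering tunnel {t.get('tunnel')}")
    if "peer" in t:
        notes.append(f"encrypted and handed to {t['out_intf']} for peer {t['peer']}")
    return notes

if __name__ == "__main__":
    for tid, t in parse_flow_trace(SAMPLE).items():
        print(tid, findings(t))
```

For trace 33 the output shows UDP to port 514 rather than the ICMP ping, leaving the firewall encrypted toward the peer; nothing in the posted trace covers the return path.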

17 REPLIES
sivakumar28200

How do I do that, to enable the debug log once connected?

Toshi_Esumi

Just disconnect then reconnect.

sivakumar28200

I have done that a few times. I can form the VPN tunnel but am unable to ping.

Toshi_Esumi

If the client can't get an IP handed over, something must have gone wrong when it establishes the connection. That's what you should track down with the IKE debugging.

When you open a ticket with TAC, what they would do is, first, check the config on the FortiGate and FortiClient, then if they look fine they would ask you to set up a remote debugging session and run the IKE debug through your PC while you reconnect the VPN to see if anything is wrong with the negotiation. You can always go that path.

Toshi_Esumi

The image format is broken so I can't see your policies, but is 210.186.145.206 in your flow trace the IP on the other end? It's a public IP that belongs to TMNET, MY. Are you leasing subnets from them for your internal usage?

sivakumar28200

Hi There,

Both IPs are public IPs. I can form the VPN tunnel but am unable to ping 203.223.137.87. Thanks

Sophos - 203.223.137.87

Fortinet - 210.186.145.206

Iescudero

Hi sivakumar

203.223.137.87 and 210.186.145.206 must be the peer IP addresses, right? You should ping 172.17.10.137 and look at the logs on the Sophos side to see why this is happening. Once you have the logs, post them here.

See you!

Toshi_Esumi
SuperUser

A VPN is to connect private-to-private over a tunnel established between public-to-public peers. You should test ping between both ends private-to-private, and you should be able to if it's working properly.
