rkhair
New Contributor

Site to site VPN, second hop through the DMZ interface?

FortiGate 100D, FortiOS 5.6.0

Hi, we have site-to-site VPNs set up with other offices. When you run a traceroute, it seems the second hop is always the DMZ interface? The interface is down and even disabled, yet it still does it?!? Any ideas??

As you can see in the attachment, the first hop is our firewall (192.168.1.100), the second hop is the DMZ interface (172.16.254.1), and then it reaches the device on the other side of the VPN (172.16.201.5).

Thanks
bommi
Contributor III

Hi,

this is normal behavior when using unnumbered IPsec interfaces.

This KB article describes the behavior and how to "work around" it if you want:

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36799&sliceId=1...

Regards,

bommi

NSE 4/5/7

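The workaround usually applied for the behaviour bommi describes is to give the IPsec tunnel interface an address of its own, so the FortiGate no longer borrows another interface's IP (here the DMZ address 172.16.254.1) as the source of its ICMP "TTL exceeded" replies. The configuration below is an added illustration, not taken from the thread or from the linked KB article; the tunnel name "to-branch-vpn" and the 10.255.0.0/30 point-to-point addresses are assumptions, and the exact `remote-ip` syntax (with or without a netmask) depends on the FortiOS release, so check it against your version's CLI reference.

```fortios
# Added example (not from the forum post or the KB article).
# Tunnel name and addresses are hypothetical placeholders.
config system interface
    edit "to-branch-vpn"
        # Local tunnel endpoint address: becomes the source IP of the
        # ICMP replies this hop generates, so traceroute shows 10.255.0.1
        # instead of an address borrowed from the DMZ interface.
        set ip 10.255.0.1 255.255.255.255
        # Peer's tunnel endpoint address (mirrored on the other FortiGate).
        set remote-ip 10.255.0.2 255.255.255.255
    next
end
```

Apply the mirror image on the remote FortiGate (`set ip 10.255.0.2`, `set remote-ip 10.255.0.1`). Nothing about the phase 1/phase 2 selectors or the static routes over the tunnel changes; the addresses only exist so that each tunnel endpoint has a source IP to answer with, which also makes the hop in a traceroute unambiguous when you are reading it during troubleshooting.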