Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
djaquays
New Contributor

TCP Handshake not completing for HTTP traffic across IPSEC tunnel

Alright, I'll try to make this make sense on the first shot.  We have a remote site with a FortiGate 201E (6.0.2.. will refer to as Branch) that has a IPSEC tunnel back to our FortiGate 1500Ds (5.4.1.. will refer to as HQ).  The HQ then has multiple interfaces for various things (internal traffic, dmz, etc, etc) one of those interfaces is a physical connection to an ASA owned by another business, we'll call that Partner.

 

One the Branch I have a single rule from each internal interface to the IPSEC tunnel that is all:all:always:allow.  I then have various routes for subnets Branch needs to access through HQ and Partner.  All of my filtering/policy is being done at HQ (probably not the best for bandwidth usage, but easiest to maintain).  From the Branch location we are able to access everything needed on the HQ internal networks and the Partner networks EXCEPT for multiple http(s) sites at Partner.  In HQ I use the same PAT rule for all client devices (HQ-Internal and Branch-Internal) to access all Partner services and I have identical rules allowing HQ internal devices > Partner sites as I do for Branch internal devices > Partner sites.

 

I've used diag debug flow to verify that traffic is entering and exiting on the correct interfaces at both Branch and HQ.  Not sure what else to look at.

0 REPLIES 0
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors