Hello, we have a customer where we set up a VPN to one of its partners, and when someone tries to access the server, it does not respond. Looking at the sniffer diagnose tool, I can see only the SYN flag on TCP and there's no ACK from the servers. We have also checked both the service (the other partner accessing via VPN) and the user at this impacted VPN; they can only do pings. How to proceed? The VPN is UP and running.
Thanks!
Vitor
Qs & checks
Diag debug flow is your friend. I'm assuming this is a site-to-site VPN between 2 FGTs?
Did you run a diag sniffer packet on both units at the same time?
Did you triple-check the policies for both sides?
If it's a route-based VPN (please say yes), did you check for a route on the server side pointing back to the client? (This may explain the missing SYN-ACK.)
PCNSE
NSE
StrongSwan
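To make the "run the sniffer on both units" check concrete, here is an added helper (not from the thread or from Fortinet) that reads lines shaped like FortiOS `diagnose sniffer packet` verbose output and reports, per client-to-server 4-tuple, whether a SYN left through the tunnel and whether a SYN-ACK ever came back. The sample lines, addresses and the interface name `vpn-partner` are constructed for the example; the line format assumed is `timestamp interface in|out src.port -> dst.port: flags`, which approximates the verbose-4 shape.

```python
import re
from collections import defaultdict

# Constructed sample resembling FortiOS "diagnose sniffer packet any ... 4" output.
# Addresses, ports and the "vpn-partner" interface are made up for this example.
# Flow 1: client 10.1.1.10 sends SYN three times, it egresses the tunnel, no SYN-ACK.
# Flow 2: client 10.1.1.11 completes a normal three-way handshake.
SAMPLE_SNIFFER = """\
0.000000 port1 in 10.1.1.10.51234 -> 10.2.2.20.443: syn 1000
0.000120 vpn-partner out 10.1.1.10.51234 -> 10.2.2.20.443: syn 1000
1.002300 port1 in 10.1.1.10.51234 -> 10.2.2.20.443: syn 1000
1.002410 vpn-partner out 10.1.1.10.51234 -> 10.2.2.20.443: syn 1000
3.004500 port1 in 10.1.1.10.51234 -> 10.2.2.20.443: syn 1000
3.004600 vpn-partner out 10.1.1.10.51234 -> 10.2.2.20.443: syn 1000
0.500000 port1 in 10.1.1.11.40000 -> 10.2.2.20.22: syn 2000
0.500100 vpn-partner out 10.1.1.11.40000 -> 10.2.2.20.22: syn 2000
0.520000 vpn-partner in 10.2.2.20.22 -> 10.1.1.11.40000: syn 3000 ack 2001
0.520100 port1 out 10.2.2.20.22 -> 10.1.1.11.40000: syn 3000 ack 2001
0.540000 port1 in 10.1.1.11.40000 -> 10.2.2.20.22: ack 3001
"""

# One sniffer line: "<ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags...>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)


def parse_sniffer(text):
    """Yield a dict per parseable line; headers and unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse_handshakes(text):
    """Classify each client->server flow by how far the TCP handshake got.

    Only 'in' packets are counted as attempts/replies so that the same packet seen
    again on its egress interface is not double-counted; the 'out' copy of a SYN
    records which interface it left through (proof it entered the tunnel).
    """
    flows = defaultdict(lambda: {"syn_attempts": 0, "synack": 0, "ack": 0, "egress": None})
    for pkt in parse_sniffer(text):
        flags = pkt["flags"].split()
        client_key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if flags[0] == "syn" and "ack" not in flags:
            f = flows[client_key]
            if pkt["dir"] == "in":
                f["syn_attempts"] += 1
            else:
                f["egress"] = pkt["iface"]
        elif flags[0] == "syn":
            # SYN-ACK travels server -> client, so flip the tuple to find the flow.
            server_key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if server_key in flows and pkt["dir"] == "in":
                flows[server_key]["synack"] += 1
        elif flags[0] == "ack" and client_key in flows and pkt["dir"] == "in":
            flows[client_key]["ack"] += 1

    result = {}
    for key, f in flows.items():
        if f["synack"] == 0:
            status = "no SYN-ACK"           # far side never answered: check return route/policy
        elif f["ack"] == 0:
            status = "SYN-ACK seen, no final ACK"
        else:
            status = "completed"
        result["%s:%s -> %s:%s" % key] = {**f, "status": status}
    return result


if __name__ == "__main__":
    for flow, info in analyse_handshakes(SAMPLE_SNIFFER).items():
        print(flow, info["status"], "attempts=%d egress=%s" % (info["syn_attempts"], info["egress"]))
```

Run it against a capture from each FGT: a flow that shows `egress=vpn-partner` with `no SYN-ACK` on the client-side unit, and no SYN at all on the server-side unit, points at the tunnel or selectors; a SYN that arrives on the server-side unit but gets no SYN-ACK back points at the server's return route or the policy on that side, which is the case the reply above describes.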
SSH to the firewall, then edit the firewall policy for "inside" --> "IPSec Tunnel" and disable auto-asic-offload.
example:
config firewall policy
    edit <Policy ID>
        set auto-asic-offload disable
    next
end
Hi,
If you are running FGT NP2/NP4/NP6 equipped devices for the VPN tunnel, please open a support ticket for investigation.
Rewanta
Copyright 2024 Fortinet, Inc. All Rights Reserved.