TCP syn-only on VPN

vstrabello · ‎11-15-2014

Hello, we have a customer where we set a VPN to one of it's partners and when someone tries to access the server, it does not repond. By seeing on sniffer diagnose tool, I can see only syn flag on TCP and there´s no ack from the servers. We also have checked both the service (other partner accessing via VPN) and user at this impacted VPN just can do pings. How to proceed? VPN is UP and running.

Thanks!

Vitor

emnoc · ‎11-15-2014

Qs & checks

Diag debug flow is your friend. I'm assuming this is a site2site vpn between 2 FGTs?

Did you run a diag sniffer packet on both units at the same time?

Did you trip check the policies for both sides?

if it's a route-based vpn ( please say yes ) did you check for route on the server side point back to the client ( this may explain the missing syn-ack )

PCNSE

NSE

StrongSwan

mjcrevier · ‎11-15-2014

SSH to the firewall then edit the firewall policy for "inside" --> "IPSec Tunnel" and disable auto-asic-offload.

example:

config firewall policy

edit <Policy ID> set auto-asic-offload disable next

end

Rewanta_FTNT · ‎11-20-2014

Hi,

If you are running FGT NP2/NP4/NP6 equipped devices for the vpn tunnel, please open a support ticket for the investigating.

Rewanta