Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiNextDLP
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Traffic going to odd address instead of tunnel?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Traffic going to odd address instead of tunnel?
We expanded a subnet at a remote site and traffic from our main site to addresses in the new part of the remote subnet does not work. I have the correct subnet mask on the routes and on the IPSec VPN tunnel. I see the traffic in Forward Traffic being accepted and destined for the VPN interface, but if I do a traceroute the next hop after our firewall is 10.10.10.1 which is not on any network, route, or interface that we have at any site.
Traceroutes from a workstation show the firewall as the first hop and 10.10.10.1 as the second. Traceroutes from the firewall show that address as the first hop.
I'm sure more info is needed, please let me know what I can provide.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can start by checking if the right route is installed on FG.
get router info routing-table all
AEK
AEK
Created on 10-28-2024 10:39 AM Edited on 10-28-2024 10:55 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have confirmed the 10.10.10.1 address is not in there and the route looks correct.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's probably a "Tunnel ID" started from 7.0. Run "get router info routing-t all" in CLI. You would see 10.10.10.1 like .....(recursive via <tunnel_name> tunnel 10.10.10.1).
And if that's the case the packets are going over the tunnel but the other end is not replying back.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have confirmed that the address is not in the routing table.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What then did you see the next hop for the expanded subnet in the routing-table?
Toshi
Created on 10-28-2024 10:46 AM Edited on 10-28-2024 10:47 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
S x.x.x.x/23 [10/0] via [TunnelName] tunnel x.x.x.x, [1/0]
As I think it should be? The IP addresses are correct.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try sniff the ping traffic while you're pining from a device behind the FGT.
diag sniffer packet any 'icmp and host <device_IP_or_destination_IP>' 4 0
You might need to disable ASIC offloading on the outgoing policy toward the tunnel
set auto-asic-offload disable
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I tried sniffing the ping traffic, some of my pings actually went through- about one in eight of them. The trace only showed anything on the pings that actually went through and came back and what it showed was correct. Then I did another traceroute and got a really weird response.
Tracing route to 192.168.X.X over a maximum of 30 hops
1 <1 ms <1 ms <1 ms MY.FIREWALL.local [192.168.firewall.ip]
2 38 ms 37 ms 37 ms 10.10.10.1
3 39 ms * * 192.168.X.X
4 * * * Request timed out.
5 * * * Request timed out.
6 39 ms * * 192.168.X.X
7 * * * Request timed out.
8 * * * Request timed out.
9 * 39 ms * 192.168.X.X
10 39 ms * * ^C
I also did a debug flow trace and that appeared to show what it should show as well.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then the 10.10.10.1 is definitely on the other side of the tunnel. You need to do the same trouble shooting (routing-table check, sniffing, and flow debug) on the other end.
Toshi
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- FortiDeceptor, Monitor IP and Decoy IPs... 48 Views
- HA Issues 92 Views
- FG 81E - SD-wan rule with... 122 Views
- Publishsing multiple Web sites using FortiGate... 148 Views
Labels
-
FortiGate
8,295 -
FortiClient
1,677 -
5.2
801 -
FortiManager
699 -
5.4
639 -
FortiAnalyzer
529 -
FortiSwitch
450 -
FortiAP
444 -
6.0
416 -
FortiClient EMS
386 -
5.6
362 -
FortiMail
306 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
201 -
5.0
196 -
FortiWeb
194 -
FortiNAC
171 -
IPsec
171 -
FortiGuard
132 -
6.4
128 -
SD-WAN
102 -
FortiGateCloud
100 -
FortiSIEM
96 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
78 -
Wireless Controller
76 -
Customer Service
75 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
55 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
47 -
vlan
46 -
ZTNA
44 -
FortiExtender
43 -
FortiDNS
42 -
FortiSandbox
41 -
Routing
38 -
DNS
37 -
BGP
36 -
FortiGate v5.4
35 -
LDAP
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
SSO
29 -
NAT
29 -
FortiConnect
28 -
Authentication
28 -
RADIUS
26 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
22 -
Virtual IP
22 -
Web profile
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
Traffic shaping
17 -
SSL SSH inspection
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
SSID
13 -
WAN optimization
13 -
FortiSOAR
12 -
FortiCASB
12 -
SNMP
12 -
Admin
12 -
Static route
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
Automation
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
Proxy policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
API
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1624 | |
| 1057 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.