Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Traffic going to odd address instead of tunnel?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Traffic going to odd address instead of tunnel?
We expanded a subnet at a remote site and traffic from our main site to addresses in the new part of the remote subnet does not work. I have the correct subnet mask on the routes and on the IPSec VPN tunnel. I see the traffic in Forward Traffic being accepted and destined for the VPN interface, but if I do a traceroute the next hop after our firewall is 10.10.10.1 which is not on any network, route, or interface that we have at any site.
Traceroutes from a workstation show the firewall as the first hop and 10.10.10.1 as the second. Traceroutes from the firewall show that address as the first hop.
I'm sure more info is needed, please let me know what I can provide.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
13 REPLIES 13
Created on 10-30-2024 10:56 AM Edited on 10-30-2024 10:58 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These all look healthy, except the diag debug flow, which gives the following:
id=65308 trace_id=1861 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, MY IP:1->192.168.111.38:2048) tun_id=TUNNEL IP from VPN TUNNEL NAME. type=8, code=0, id=1, seq=2183."
id=65308 trace_id=1861 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-14df90ee, original direction"
id=65308 trace_id=1861 func=npu_handle_session44 line=1224 msg="Trying to offloading session from VPN TUNNEL NAME to lan, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=1861 func=ip_session_install_npu_session line=364 msg="npu session installation succeeded"
id=65308 trace_id=1861 func=fw_forward_dirty_handler line=442 msg="state=00010204, state2=00000001, npu_state=02000400"
I can't find any info about that dirty handler message and am not sure what it means.
Additionally, I ran get router info routing-table details 192.168.111.38 on both ends of the tunnel and both show correct routes, which adds to my confusion.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bit of a breakthrough, I found that 10.10.10.1 DOES exist on the remote site router as the dmz interface. I changed that address and the traffic tried to go to the new address, so that IS where it's getting that from. Our dmz is tied to a physical port that is disconnected, so why is it trying to route traffic there? Even if I check the route to the dmz interface ip, it tells me it would use the default route out rather than the dmz interface.
Created on 10-31-2024 03:14 AM Edited on 10-31-2024 03:16 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the other side is FortiGate
+ if the tunnel does not have an IP assigned on the other side
=> the other side will not have an IP to use for the traceroute reply (it wants to use the egress interface IP towards the destination = the traceroute initiator), so it will use something "random". (typically the lowest-id interface's IP addr)
In order to see a meaningful IP in the traceroutes, add IPs to your tunnel interfaces (any sane /32s should be fine). If you want them to pass through tunnels and be router properly, make sure these new IPs are covered in phase2 selectors, routing tables, and firewall policies (if needed).
Nothing is being routed thorugh that DMZ IP/interface, it's just an artifact of the FGT not knowing which IP to use for tracert reply.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think because the DMZ IP is the smallest IP on the remote FGT. If you change it to like 254.254.254.254/32, probably you would see another interface IP in your traceroute.
But, the problem you want to solve is not the IP in the traceroute, but reachability when you expanded the remote subnet from 192.168.111(or 110).0/24 to 192.168.110.0/23. Right? Can you actually ping the destination 111.38 from the remote FGT? And, are you sure the destination device has the /23 in the subnet mask? I'm assuming the device's default GW is the remote FGT's interface IP.
Toshi
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- SSH not answering through VIP 95 Views
- VXLAN over IPSEC - ARP Table... 115 Views
- Schedules not working after upgrading to... 47 Views
- Fortinet with Starlink. If not active... 67 Views
- Fortimail VM - Too many hops 83 Views
Labels
-
FortiGate
8,507 -
FortiClient
1,722 -
5.2
801 -
FortiManager
715 -
5.4
639 -
FortiAnalyzer
548 -
FortiSwitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
SSL SSH inspection
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1663 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.