I have an IPSec tunnel established between two Fortigate 50e's. One is at our head office and the other at a branch site. The tunnel has been up for several weeks and traffic crosses the tunnel fine. Clients on one side are able to ping clients on the other network, or the firewall on the other side without issue.
I discovered that, from one of the firewalls, I can't ping the firewall on the other side. In fact I can't ping any device on the other network. Clients on either side can ping the other side without issue.
I'm thinking this has to be a routing issue. However I would think that the route that successfully moves traffic from the local network across to VPN tunnel to the other side would apply to the fortigate itself as well as devices on the connected networks.
ANy suggestions?
Thanks everyone!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Just an update about this problem.
The problem I was trying to address was doing dns zone transfers from an active directory DNS server at the head office across a ipsec tunnel to a branch office. The DNS for the branch office is provided by the fortigate that is also the vpn tunnel.
Even though I configure the zone slave on the fortigate using the method in this KB
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/960561/fortigate-dns-server
the zone transfer fails. Note that the KB doesn't mention that you have to set your windows dns server to allow the zone transfer to take place. By default windows AD DNS is set to not allow zone transfers. It also doesn't hurt to set your windows dns server to use bind secondaries.
The reason the zone transfer fails is because the fortigate doesn't know what IP to use when sending the zone transfer so defaults to using the interface with the lowest index value (usually the first interface created on the device, wan1).
The resolution is to set the source IP on the dns database using the CLI.
The commands to do this are
#configure sys dns-database
#edit MyFunkyDomain <---- or whatever the name of the database you created is
#set source-ip x.x.x.x <--- IP that it should use as the source for the traffic
#next
#end
Once that is done, the zone transfer succeeds.
Thanks everyone for your input. Thanks to Fortinet telephone support, they resolved the issue quickly.
Hopefully this information will help anyone with a similar issue in the future.
Hi Westcana ,
My case is similar to you , I have an Ipsec tunnel between 2 sites and clients in each site can ping each other but I Cannot ping from both Fortigates the internal network in the other site.
What I actually need is : I have Splunk SIEM solution in one site so i configured both fortigates to send their logs to syslog and I put the Splunk SIEM server IP. I just receive logs from the fortigate in the same network with the Splunk SIEM server but I didn't receive any logs from the other fortigate in the other site. When I try to ping the splunk siem server from other fortigate it didn't reply. I even tried to ping the 1st fortigate from the 2nd fortigate but with no success.
Are you were able to solve the DNS issue only or you also solved the ping issue between both fortigates ? if you find a solution please share it.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.