Dear All Gurus,
I need urgent help. I have a 100D (v6.2.10) in the HQ office. I was able to create site-to-site VPNs to two other site offices which are using 100Ds as well.
Recently we added a site office (we call it C) which is using an 80E (v7.0.5). I managed to create and bring up an IPsec tunnel between HQ and C.
From C:
- C FortiGate 80E is able to ping the HQ FortiGate 100D
- C server is able to ping the HQ server IP
From HQ:
- HQ FortiGate 100D is able to ping the C FortiGate 80E
- HQ server is NOT able to ping the C server IP
The IPsec tunnel is already up between the two FortiGate devices, and both devices can ping each other, but the server at HQ cannot access the C network. I have tried opening the entire subnet for access from both sides but it is still not working. Any idea if I missed a setting? Please help!
Hi Dave,
Good day to you. If the respective traffic is meant to go out via the CCECC-M1 IPsec tunnel, then your direction of the same subnet being used in both tunnels is correct. The traffic from 10.0.100.60 has been forwarded to the Ent-M1 IPsec tunnel due to the conflict:
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
You may want to consider changing the IP address scheme at the CCECC site, or configuring NAT between the tunnels to isolate the CCECC-M1 and Ent-M1 IP addresses. Please refer to the following document for the idea of NATting the remote IP:
Cookbook | FortiGate / FortiOS 6.0.0 | Fortinet Documentation Library
Hi Team,
Can you please check if Windows Firewall is enabled on the C server? Maybe that is preventing the connection.
Also, just for testing, can you enable NAT in the VPN-to-LAN firewall policy, then check whether it is pingable or not?
Thanks for your reply.
I have tried enabling NAT - still cannot.
Both the HQ server and C server firewalls have been turned off. Still cannot.
The strange thing is I'm able to ping the C server IP from the HQ firewall by running the commands below.
exe ping-options source 10.0.100.1
exe ping 192.168.1.251
PING 192.168.1.251 (192.168.1.251): 56 data bytes
64 bytes from 192.168.1.251: icmp_seq=0 ttl=127 time=4.8 ms
64 bytes from 192.168.1.251: icmp_seq=1 ttl=127 time=5.1 ms
64 bytes from 192.168.1.251: icmp_seq=2 ttl=127 time=4.6 ms
64 bytes from 192.168.1.251: icmp_seq=3 ttl=127 time=4.7 ms
64 bytes from 192.168.1.251: icmp_seq=4 ttl=127 time=4.6 ms
--- 192.168.1.251 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4.6/4.7/5.1 ms
But if I use the HQ server IP as the source to ping, the connection fails.
exe ping-options source 10.0.100.60
exe ping 192.168.1.251
PING 192.168.1.251 (192.168.1.251): 56 data bytes
--- 192.168.1.251 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Any clue how I can resolve this? I have been checking on this for a few days.
Hi Team,
Can you ping from the C FortiGate to the C server?
Please check that once.
Also provide me the information of the destination IP address and:
get router info routing-table details (execute this command and share the output with us)
Hi, yes, I'm able to ping from the C FortiGate to the C server.
IP information for both HQ and C:
HQ WAN IP : 129.126.136.124
HQ Fortigate: 10.0.100.1
HQ Server : 10.0.100.60
C WAN IP: 151.192.57.82
C Fortigate: 192.168.1.254
C Server IP: 192.168.1.251
(From C FortiGate)
# get router info routing-table details
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 151.192.57.81, wan1, [1/0]
S 10.0.100.0/24 [10/0] via CCECC-M1 tunnel 129.126.136.124, [1/0]
C 151.192.57.80/30 is directly connected, wan1
C 192.168.1.0/24 is directly connected, lan
(From HQ FortiGate) - we can see multiple S2S connections here
# get router info routing-table details
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 129.126.136.121, wan1
S 10.0.0.0/24 [10/0] is directly connected, Ent-M1
C 10.0.100.0/24 is directly connected, lan
S 10.212.134.0/24 [10/0] is directly connected, ssl.root
C 129.126.136.120/29 is directly connected, wan1
S 192.168.0.0/24 [10/0] is directly connected, HSL-M1
S 192.168.1.0/24 [10/0] is directly connected, Ent-M1
[10/0] is directly connected, CCECC-M1
S 192.168.10.0/24 [10/0] is directly connected, HSL-M1
[10/0] is directly connected, CCECC-M1
Hi Team,
If you are able to ping from the C FortiGate to the C server, then please enable NAT in the VPN-to-LAN rule on the C FortiGate; you should then be able to ping.
It should work.
Hi Seshuganesh,
I have tried enabling NAT for the VPN-to-LAN policy rule but it is still not able to ping from the HQ server to the C server.
In my HQ FortiGate, I have multiple S2S VPN connections to other branches. One of the remote subnets is using the same subnet as the C network (192.168.1.0/24). I'm wondering if this can cause a conflict with the VPN connection to the C server?
See the text in bold below.
(From HQ FortiGate) - we can see multiple S2S connections here
# get router info routing-table details
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 129.126.136.121, wan1
C 10.0.100.0/24 is directly connected, lan
C 129.126.136.120/29 is directly connected, wan1
S 192.168.1.0/24 [10/0] is directly connected, Ent-M1
[10/0] is directly connected, CCECC-M1
Hello,
Please share the output of the commands below:
(After running the set of commands below, please try to ping the remote site from the local network.)
diag deb reset
diag deb flow filter clear
diag deb flow filter saddr x.x.x.x
diag deb flow filter daddr y.y.y.y
diag debug flow filter proto 1
diag deb flow trace start 200
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diag deb en
After capturing the output, to disable the debug:
diag deb dis
x.x.x.x is the source IP
y.y.y.y is the destination IP
PuTTY 2:
diag sniffer packet any " host x.x.x.x and host y.y.y.y " 6 0 a
After capturing the logs, press "CTRL + C" to stop the debug.
Hi Rathan,
May I know whether the set of commands needs to be run on the HQ or the C FortiGate?
Created on 06-05-2022 07:12 AM Edited on 06-05-2022 07:14 AM
Hi Rathan,
I'm running the commands on the HQ FortiGate.
Please see the debug output below. My understanding of the output is that it seems the connection is trying to go out via another VPN tunnel that has the same remote subnet as the C network.
Is it possible that this is due to a conflict of the same remote subnet for two remote locations? Both remote subnets are using the 192.168.1.0/24 network.
ENTM1-FG100D3G17801676 # id=20085 trace_id=1 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=289."
id=20085 trace_id=1 func=init_ip_session_common line=5834 msg="allocate a new session-00100a6b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
id=20085 trace_id=1 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=290."
id=20085 trace_id=2 func=init_ip_session_common line=5834 msg="allocate a new session-00100a71"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
id=20085 trace_id=2 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=291."
id=20085 trace_id=3 func=init_ip_session_common line=5834 msg="allocate a new session-00100a7a"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
id=20085 trace_id=3 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=4 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=292."
id=20085 trace_id=4 func=init_ip_session_common line=5834 msg="allocate a new session-00100a81"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
id=20085 trace_id=4 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
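As an added example (not from the thread, and not Fortinet's own tooling), the Python script below parses the two diagnostics quoted above, the HQ routing table from `get router info routing-table details` and the `diagnose debug flow` trace, and cross-checks them: it lists prefixes that are reachable through more than one IPsec interface, and for each traced packet reports which interface the route lookup chose, whether that is the tunnel the operator expected, and whether the packet was then dropped by the implicit deny (policy 0). The sample lines are copied from the thread and embedded as constructed input; the `TUNNELS` set, the function names and the "expected tunnel" argument are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the HQ FortiGate routes quoted in the thread (trimmed).
ROUTING_TABLE = """\
S* 0.0.0.0/0 [10/0] via 129.126.136.121, wan1
S 10.0.0.0/24 [10/0] is directly connected, Ent-M1
C 10.0.100.0/24 is directly connected, lan
S 10.212.134.0/24 [10/0] is directly connected, ssl.root
C 129.126.136.120/29 is directly connected, wan1
S 192.168.0.0/24 [10/0] is directly connected, HSL-M1
S 192.168.1.0/24 [10/0] is directly connected, Ent-M1
[10/0] is directly connected, CCECC-M1
S 192.168.10.0/24 [10/0] is directly connected, HSL-M1
[10/0] is directly connected, CCECC-M1
"""

# Constructed sample input: two of the `diagnose debug flow` traces from the thread.
DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=289."
id=20085 trace_id=1 func=init_ip_session_common line=5834 msg="allocate a new session-00100a6b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
id=20085 trace_id=1 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.0.100.60:1->192.168.1.251:2048) from lan. type=8, code=0, id=1, seq=290."
id=20085 trace_id=2 func=init_ip_session_common line=5834 msg="allocate a new session-00100a71"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.1.251 via Ent-M1"
id=20085 trace_id=2 func=fw_forward_handler line=630 msg="Denied by forward policy check (policy 0)"
"""

# Assumption: these are the IPsec (phase1-interface) names seen in the HQ table.
TUNNELS = {"Ent-M1", "HSL-M1", "CCECC-M1"}

ROUTE_RE = re.compile(
    r"^(?:[A-Z]\*?\s+)?"                        # route type S, S*, C (absent on continuation lines)
    r"(?:(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+)?"  # destination prefix (absent on continuation lines)
    r"(?:\[\d+/\d+\]\s+)?"                      # [distance/metric]
    r"(?:via\s+\S+,\s*|is directly connected,\s*)"
    r"(?P<iface>\S+)"                           # egress interface
)

def parse_routing_table(text):
    """Map each prefix to its list of egress interfaces. A line that carries only
    '[distance/metric] ..., iface' is an equal-cost path for the prefix printed on
    the line above, so it inherits that prefix."""
    routes = defaultdict(list)
    current = None
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        if m.group("prefix"):
            current = ipaddress.ip_network(m.group("prefix"))
        if current is not None:
            routes[current].append(m.group("iface"))
    return dict(routes)

def overlapping_tunnel_routes(routes, tunnels):
    """Prefixes reachable through more than one IPsec interface (the conflict in the thread)."""
    return {str(p): ifs for p, ifs in routes.items()
            if len({i for i in ifs if i in tunnels}) > 1}

FLOW_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) .*?msg="(?P<msg>[^"]*)"')
PKT_RE = re.compile(r"\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\)")

def summarize_debug_flow(text):
    """Per trace_id: protocol, src, dst, the interface the route lookup chose, and the verdict."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        t, func, msg = traces[int(m.group("tid"))], m.group("func"), m.group("msg")
        if func == "print_pkt_detail":
            pk = PKT_RE.search(msg)
            if pk:
                t["proto"], t["src"], t["dst"] = int(pk.group(1)), pk.group(2), pk.group(3)
        elif func == "vf_ip_route_input_common":
            via = re.search(r"via (\S+)", msg)
            t["egress"] = via.group(1) if via else None
        elif func == "fw_forward_handler":
            # "policy 0" is the FortiOS implicit deny: no policy matched the
            # (source interface, destination interface, addresses) of the session.
            t["verdict"] = msg
    return dict(traces)

def diagnose(routing_text, flow_text, expected_tunnel, tunnels=TUNNELS):
    """Cross-check each traced packet against the routing table and return findings."""
    routes = parse_routing_table(routing_text)
    findings = []
    for tid, t in sorted(summarize_debug_flow(flow_text).items()):
        if "dst" not in t:
            continue
        dst = ipaddress.ip_address(t["dst"])
        # longest-prefix match, the same choice the router makes
        best = max((p for p in routes if dst in p), key=lambda p: p.prefixlen, default=None)
        if t.get("egress") != expected_tunnel:
            findings.append(f"trace {tid}: {t['src']}->{t['dst']} routed via {t.get('egress')} not "
                            f"{expected_tunnel}; {best} is reachable via {routes.get(best)}")
        if t.get("verdict", "").startswith("Denied"):
            findings.append(f"trace {tid}: {t['verdict']} (no policy lan->{t.get('egress')} matched)")
    return findings

if __name__ == "__main__":
    print(overlapping_tunnel_routes(parse_routing_table(ROUTING_TABLE), TUNNELS))
    for finding in diagnose(ROUTING_TABLE, DEBUG_FLOW, "CCECC-M1"):
        print(finding)
```

Run against the thread's own output, the script flags both 192.168.1.0/24 and 192.168.10.0/24 as reachable via two tunnels, and for each trace shows the route lookup picking Ent-M1 rather than CCECC-M1, which is why the lan-to-CCECC-M1 policy never matches and the packet hits the implicit deny. The same two checks can be rerun after the remediation the accepted answer suggests (renumbering the CCECC site or NATting one tunnel's remote range) to confirm the overlap is gone.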