Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- VPN not working after update firmware
Options
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 03-07-2007 07:25 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
VPN not working after update firmware
After I update firmware my VPN not working, following is my scenario
FGT 100A 3.0 build 0477 operation mode NAT
FGT 50A 3.0 build 0406 operation mode Transparent
VPN connecting from FGT 50A to FGT 100A
Is it need any config. changes
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Did you follow the correct upgrade path when moving from v2.80 to v3MR4? You have to go through v2.8MR11 or higher first, before going to v3MR4. Check out the FortiOS v3.00 MR4 release notes (section 3.2) for more information.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Yes I follow 2.8 MR11 then 3.0
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Dear Mr. Paul,
This is true the source IP is different from which I expected, so how can I correct the problem, I reconfigured the VPN in both end but still the result is same.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Before you start guessing, pls debug the problem.
in cli:
diag debug enable
diag debug app ike 3
you will get messages on the screen and if you capture them it will be easy to see the problem.
stop logging with diag debug disable
cheers, eric
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Rackmount your Fortinet --> http://www.rackmount.it/fortirack
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi Sabuthomas,
on the firewall that is receiving the incoming packets with the wrong source address (eg the 100A) edit the phase1 vpn settings for that vpn and change the gateway IP to the IP which is the source of the incoming packet coming from the other firewall (eg the 50A)
Beware though, if you upgrade the firewall firmware it may start using the correct IP. That' s my experience of the problem.
You could also configure the FG to use a phase1 interface and specify an IP address for that VPN interface. That way all packets coming from the FG for that VPN should use the source IP you expect.
Hope that helps and my explanation is clear.
Cheers
Paul
NSE4
NSE4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi Paul,
I did the same experiment; my tunnel is up but no network access,
FGT 50A Remote gateway type is Static IP Address and IP address is 83.111.---.--- this is the public IP of my remote FGT 100A
When I check the incoming traffic from 50A I found another IP 83.110.---.---
When I set this IP in FGT100A as remote gateway, my tunnel is up but I could not have any network access.
Please help me to configure VPN phase 1 in 100A as per following scenario
Main office FGT 100A NAT mode
Branch office FGT 50A Transparent mode
Branch office connect to main office, main office did not need any network access to branch office
When firmware was 2.8 my connection was fine, after I upgrade to 3 following become my vpn configuration
FGT 50A
Remote Gateway: Static IP Address
IP Address 83.111.---.---
FGT100A
Remote Gateway: DynamicDNS
Dynamic DNS: blank
(If I change Dynamic DNS to Static IP Address and IP address become same incoming address from FGT50A then my tunnel up, but no network access)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi Sabuthomas,
sounds like you are making progress. If your phase2 tunnel shows up at both ends then phase1 and phase2 are correctly configured.
Next you need to look at your firewall policies assuming you are not using VPN interface mode which requires very different configs.
On both firewalls under " Firewall -> Address" make sure you have defined both local and remote networks eg: FG100A = 10.10.10.0/24 and FG50A = 10.20.20.0/24.
For each firewall under " Firewall -> Policy" make sure you have defined an encryption policy such as:
FG50A - Internal (10.20.20.0/24) to External (10.10.10.0/24) Always Any IPSEC and select your phase2 tunnel.
FG100A - Internal (10.10.10.0/24) to WAN1 (10.20.20.0/24) Always Any IPSEC and select your phase2 tunnel.
Make sure the polices are at the top of the list and that should work.
Let me know how you get on.
Cheers
Paul
NSE4
NSE4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Dear All,
Finally I had successfully up my tunnel, my heartiest thanks to all for participating this topics and giving your valuable ideas.
Following is the solution which we found after our experiments when we upgrading firmware from 2.8 to 3
Solution is based on my following scenario
Main office FGT100A old firmware 2.8 MR11 upgraded to 3.00 build 0477 mode NAT
Branch office FGT50A old firmware 2.8 upgraded to 3.0 build 400, mode transparent, connecting through internet using DSL
Brach office connecting to main office no connection needs main office to branch office.
Following is VPN config before upgrading
FGT 50A
Remote Gateway: Static IP Address
IP Address: Public IP of FGT100A
FGT100A
Remote Gateway: Dynamic DNS
Dynamic DNS: <blanks>
Following changes we need to do when we upgrading to 3.0
No changes need in FGT50A
In FGT100A Dynamic DNS need value (I did a trick to get the DNS value by typing tracert <incoming ip address of FGT50A> in command prompt)
Thanks once again to all
Sabu Thomas, MBA, CISM,CISA
IT Manager
Minako General Trading CO LLC
Dubai, U.A.E
sabu@minako.ae
www.minako.ae
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Problem with upgrading FortiGate from FortiManager 53 Views
- FortiAP 221E Not Broadcasting After Update... 258 Views
- 100D API support 185 Views
- What is the best way to... 449 Views
- FortiWeb API v2 Create Rule and... 211 Views
Labels
-
FortiGate
8,382 -
FortiClient
1,694 -
5.2
801 -
FortiManager
709 -
5.4
639 -
FortiAnalyzer
538 -
FortiSwitch
454 -
FortiAP
450 -
6.0
416 -
FortiClient EMS
397 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
195 -
IPsec
179 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
52 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
Authentication
30 -
NAT
30 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1640 | |
| 1066 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.