VXLAN communication not bidirectional between sites
Hello to all,
I have the following problem after implementing VXLAN between two FG-1000D running 7.2.4 OS through an IPsec tunnel (HQ and DR). (I am in the implementing state, so all policies all over are permit all to all):
1. When I log in with SSL-VPN through the HQ FortiGate, using the configured policy, I CAN ping ESXi IPs from the remote site (DR) but I cannot access them through HTTPS, although ALL services are permitted on the VPN-> policy and the VWP policy.
On this side, I use an IP-pool to NAT the local VLAN...otherwise ping does not work.
2. When I log in with SSL-VPN through the DR FortiGate, using the configured policy, I CANNOT ping ESXi IPs from the HQ and also cannot HTTPS them.
On this side, whether I use an IP-pool to NAT the local VLAN or not, the result is always the same...no ping or HTTPS.
3. Another thing I don't know is relevant: those two FortiGate clusters are configured in VRRP. Could this be a problem? Could there be an interference with the multicast policy for VRRP?
I used this resource for configuring VXLAN through IPsec:
SO BASICALLY THE CONCLUSION IS I CANNOT FIGURE OUT WHY THE TRAFFIC IS NOT BIDIRECTIONAL (yes, the policy is configured for communication both ways). When using the sniffer, the echo request goes through the tunnel but there is no echo reply.
If anyone has encountered a similar scenario please help!!! I just don't know what to try anymore...
From my experience on VXLAN deployment the MTU size can cause many unexpected behaviors. How did you deal with the MTU size in this setup? This equates to 50 B of overhead over the original frame: 14 B (Ethernet) + 20 B (IPv4) + 8 B (UDP) + 8 B (VXLAN headers). Since fragmenting a VXLAN packet is not recommended, it is advisable to increase the MTU size to 1550 B or above if possible, or to decrease the TCP MSS size inside a firewall policy.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
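To make the MTU arithmetic in the reply above easy to check against your own underlay, here is a small calculator. It is an added example written for this thread, not code from Fortinet or from either poster. It follows the reply's model (50 B of encapsulation overhead on top of the original frame: outer Ethernet 14 B + IPv4 20 B + UDP 8 B + VXLAN 8 B) and derives from it the smallest underlay MTU that avoids fragmentation and the TCP MSS value to clamp to when the underlay MTU cannot be raised. The optional 802.1Q tag and IPv6 outer header sizes are my assumptions for a tagged or IPv6 underlay; they are not discussed in the thread.

```python
"""VXLAN encapsulation budget calculator.

Added example for the thread above; not Fortinet code. Header sizes are in
bytes. The default stack reproduces the 50 B figure from the reply:
outer Ethernet (14) + IPv4 (20) + UDP (8) + VXLAN (8).
"""

HEADER_BYTES = {
    "ethernet": 14,  # outer Ethernet header, untagged
    "dot1q": 4,      # optional 802.1Q tag on the outer frame (assumed, not in the thread)
    "ipv4": 20,      # outer IPv4 header without options
    "ipv6": 40,      # outer IPv6 header (assumed, not in the thread)
    "udp": 8,        # outer UDP header
    "vxlan": 8,      # VXLAN header carrying the VNI
}

# The encapsulation discussed in the reply: VXLAN over an untagged IPv4 underlay.
VXLAN_IPV4_STACK = ("ethernet", "ipv4", "udp", "vxlan")

INNER_IPV4_HEADER = 20  # inner IPv4 header of the tunnelled packet
TCP_HEADER = 20         # TCP header without options


def encap_overhead(stack=VXLAN_IPV4_STACK):
    """Bytes added in front of the original frame by the given header stack."""
    unknown = [h for h in stack if h not in HEADER_BYTES]
    if unknown:
        raise ValueError(f"unknown header(s): {unknown}")
    return sum(HEADER_BYTES[h] for h in stack)


def required_underlay_mtu(inner_frame_bytes=1500, stack=VXLAN_IPV4_STACK):
    """Smallest underlay MTU that carries an inner frame of this size unfragmented."""
    return inner_frame_bytes + encap_overhead(stack)


def fits_without_fragmentation(inner_frame_bytes, underlay_mtu, stack=VXLAN_IPV4_STACK):
    """True if the encapsulated frame fits the underlay MTU without fragmenting."""
    return required_underlay_mtu(inner_frame_bytes, stack) <= underlay_mtu


def tcp_mss_clamp(underlay_mtu, stack=VXLAN_IPV4_STACK):
    """Largest TCP MSS for inner IPv4/TCP flows given a fixed underlay MTU.

    This is the value to clamp to (e.g. in a firewall policy) when the
    underlay MTU cannot be raised: underlay MTU minus the encapsulation
    overhead, minus the inner IPv4 and TCP headers.
    """
    mss = underlay_mtu - encap_overhead(stack) - INNER_IPV4_HEADER - TCP_HEADER
    if mss <= 0:
        raise ValueError("underlay MTU too small to carry any TCP payload")
    return mss


def budget_report(underlay_mtu, inner_frame_bytes=1500, stack=VXLAN_IPV4_STACK):
    """Summarise the options for one underlay MTU as a dict."""
    return {
        "overhead_bytes": encap_overhead(stack),
        "required_underlay_mtu": required_underlay_mtu(inner_frame_bytes, stack),
        "fragments_at_current_mtu": not fits_without_fragmentation(
            inner_frame_bytes, underlay_mtu, stack
        ),
        "mss_clamp_if_mtu_unchanged": tcp_mss_clamp(underlay_mtu, stack),
    }


if __name__ == "__main__":
    # Example: a standard 1500 B underlay carrying 1500 B inner frames.
    for key, value in budget_report(underlay_mtu=1500).items():
        print(f"{key}: {value}")
```

With a 1500 B underlay and 1500 B inner frames the report shows 50 B of overhead, a required underlay MTU of 1550 B, and that without raising the MTU the inner TCP MSS would need to be clamped to 1410 B. Passing a stack with `"dot1q"` added, or `"ipv6"` in place of `"ipv4"`, shows how much tighter the budget gets on a tagged or IPv6 underlay.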