I set up this hub site with the dial-up IPsec option and iBGP. My issue: spoke1 to spoke2 does not ping.
Dear Reshans,
Is the routing table provided in the first screenshot from spoke 'SP1'?
Make sure of the following:
HUB -> IPsec -> auto-discovery-sender is enabled
HUB -> BGP -> route-reflector-client is enabled
Spokes -> IPsec -> auto-discovery-receiver is enabled
Spokes -> BGP -> recursive-next-hop is enabled
Spokes -> BGP -> additional-path option is enabled
While the ICMP runs from SP1 to SP2, please run an IKE debug + sniffer to see whether there is traffic between SP1 and SP2 (IKE/ESP, or NAT-T on UDP 4500):
IKE debug: run it and check what happens on the HUB and the spokes:
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
Once you have the debug, please check for 'send shortcut-query' / 'SHORTCUT_OFFER'.
Sniffer:
diagnose sniffer packet any "host x.x.x.x and host y.y.y.y" 4 0 l
Where x.x.x.x is the WAN IP of SP1 and y.y.y.y is the WAN IP of SP2. Make sure that there are no restrictions between SP1 and SP2 over port3 and port1 (the shortcut tunnel runs between SP1 on port3 and SP2 on port1).
Best regards,
Fortinet
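The five checklist items above, written out as FortiOS CLI. This is an added illustration, not part of Fortinet's reply and not taken from the poster's configuration. The AS number 65001, the phase1 names "hub-advpn" and "spoke-to-hub", the hub tunnel subnet 10.10.10.0/24 with hub tunnel address 10.10.10.254, and the HUB_WAN_IP placeholder are all assumed; port1 on the hub/SP2 and port3 on SP1 follow the thread. The `#` lines are annotations for reading, not CLI syntax. The hub-side `additional-path send` / `adv-additional-path` lines are not in the checklist but are what lets the spoke-side additional-path setting receive anything.

```fortios
# --- HUB (dial-up phase1 on port1; names and addresses are assumed) ---
config vpn ipsec phase1-interface
    edit "hub-advpn"
        set type dynamic
        set interface "port1"
        set auto-discovery-sender enable      # HUB -> IPsec -> auto-discovery-sender
    next
end
config router bgp
    set as 65001                               # iBGP: same AS on hub and spokes (assumed value)
    set additional-path enable                 # required on the hub for add-path advertisement
    config neighbor-group
        edit "spokes"
            set remote-as 65001
            set route-reflector-client enable  # HUB -> BGP -> route-reflector-client
            set additional-path send           # advertise multiple paths to spokes
            set adv-additional-path 4          # how many paths per prefix to advertise
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0/24           # hub tunnel subnet (assumed)
            set neighbor-group "spokes"
        next
    end
end

# --- SPOKE SP1 (phase1 on port3; SP2 is the same with "port1") ---
config vpn ipsec phase1-interface
    edit "spoke-to-hub"
        set interface "port3"
        set remote-gw HUB_WAN_IP               # placeholder, hub's WAN address
        set auto-discovery-receiver enable     # Spokes -> IPsec -> auto-discovery-receiver
    next
end
config router bgp
    set as 65001
    set recursive-next-hop enable              # Spokes -> BGP -> recursive-next-hop
    set additional-path enable                 # Spokes -> BGP -> additional-path
    config neighbor
        edit "10.10.10.254"                    # hub tunnel address (assumed)
            set remote-as 65001
            set additional-path receive        # accept the extra paths the hub sends
        next
    end
end
```

After applying this, the IKE debug from the reply is the confirmation step: with a ping running from SP1 to SP2 you should see the hub sending a shortcut offer and the spokes exchanging shortcut-query messages, followed by ESP (or UDP 4500) directly between the two spoke WAN addresses in the sniffer output.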
Yes, after entering the above config my issue is now sorted.
Spoke 1 to Spoke 2 ping is successful.