Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Reshans
New Contributor

Created on ‎05-11-2025 07:37 PM

dial up vpn hq to hub and hub to hq traffic working but branch to branch traffic not workingno advpn

i setup this hub site with diaup ipsec option with igbp my issue spoke1 to spoke 2 not ping

But Branch 1 not showing in routing table branch 2 subnet.pngHUB side bgp network advertise branch 2 network.pngHUB Side Policy.pngtopology.png

Labels:
516
0 Kudos
1 Solution
syordanov
Staff
Staff

Created on ‎05-12-2025 06:29 AM

Dear Reshans,


The provided routing table in the first screenshot is from spoke 'SP1'?
Make sure the following :

HUB -> IPSec-> auto-discovery-sender is enabled
HUB -> BGP -> route-reflector-client is enabled

Spokes -> IPSec-> auto-discovery-receiver is enabled
Spokes -> BGP-> recursive-next-hop is enabled
Spokes -> BGP-> additional-path option is enabled

When the ICMP runns from SP1 to SP2, please run an IKE debug + sniffer to see if there is a traffic between SP1 and SP2 (IKE/ ESP or NAT-T 4500 UDP) :

IKE debug , run and check what happens on the HUB and spokes:

 


diagnose debug contime timestamp enable
diagnose debug application ike -1
diagnose debug enable

 

Once you have the debug, please check for ' send shortcut-query' / 'SHORTCUT_OFFER'

Sniffer:

 

diagnose sniffer packet any " host x.x.x.x and host y.y.y.y" 4 0 l

 Where x.x.x.x is the WAN IP of SP1 and y.y.y.y is the WAN IP of SP2. Make sure that there are no restrictions between SP1 and SP2 over port3 and port1(shortcut tunnel between SP1 with port3 and SP2 with port1).

 

Best regards,

Fortinet

.

View solution in original post

483
0 Kudos
2 REPLIES 2
syordanov
Staff
Staff

Created on ‎05-12-2025 06:29 AM

Dear Reshans,


The provided routing table in the first screenshot is from spoke 'SP1'?
Make sure the following :

HUB -> IPSec-> auto-discovery-sender is enabled
HUB -> BGP -> route-reflector-client is enabled

Spokes -> IPSec-> auto-discovery-receiver is enabled
Spokes -> BGP-> recursive-next-hop is enabled
Spokes -> BGP-> additional-path option is enabled

When the ICMP runns from SP1 to SP2, please run an IKE debug + sniffer to see if there is a traffic between SP1 and SP2 (IKE/ ESP or NAT-T 4500 UDP) :

IKE debug , run and check what happens on the HUB and spokes:

 


diagnose debug contime timestamp enable
diagnose debug application ike -1
diagnose debug enable

 

Once you have the debug, please check for ' send shortcut-query' / 'SHORTCUT_OFFER'

Sniffer:

 

diagnose sniffer packet any " host x.x.x.x and host y.y.y.y" 4 0 l

 Where x.x.x.x is the WAN IP of SP1 and y.y.y.y is the WAN IP of SP2. Make sure that there are no restrictions between SP1 and SP2 over port3 and port1(shortcut tunnel between SP1 with port3 and SP2 with port1).

 

Best regards,

Fortinet

.
484
0 Kudos
Reshans
New Contributor
In response to syordanov

Created on ‎05-12-2025 07:45 AM

Yes after enter above config my issue now sorted.

 

Spoke 1 to Spoke 2 ping successful.

 

Router received from hub .png

478
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.