Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
hbuenafe81
New Contributor III

Created on ‎05-30-2024 03:44 AM

ipsec vlan s2s loopback port not responding

 

Gentleman,

I need support, show below that port 2601 on server that is map on loopback 10.2.202.10 is getting reset, but going direct to server port is open. 

 

Need some help why going to loopback is resetting. 

ports.png

TBogs
TBogs
Labels:
774
0 Kudos
1 Solution
ozkanaltas
Valued Contributor II

Created on ‎05-30-2024 03:49 AM Edited on ‎05-30-2024 03:52 AM

Hello @hbuenafe81 ,

 

Can you run these diagnose commands and share the output with us? While running these commands you need to try to access 10.2.202.10:2601

 

 

 

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter dport 2601
diagnose debug flow trace start 100
diagnose debug enable

 

 

 

Also are you sure about, your TCP/2601 service status listening on the server? Can you try this with that command? 

 

execute telnet 10.3.131.120 2601

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW

View solution in original post

If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
766
17 REPLIES 17
hbuenafe81
New Contributor III
In response to ozkanaltas

Created on ‎06-03-2024 11:19 PM Edited on ‎06-03-2024 11:20 PM

Hi ozkanaltas,

 

yes, you are correct that 10.2.202.10 is natted on router side, however the server port is not reachable if no nat on fortigate. This only happen on s2s setup.

 

note: 10.2.202.10 is directed natted to DMZ server. I created a sample below on router to avoid any impact on port 2601 as it use on prod.

   

ip nat inside source static tcp 10.3.131.160 7000 10.2.202.10 1205 extendable 

 

If I will not create a Nat on Fortigate it will not reach to server.

 

nat.png

TBogs
TBogs
254
0 Kudos
hbuenafe81
New Contributor III
In response to ozkanaltas

Created on ‎06-04-2024 03:02 AM

Hi Ozkanaltas,

 

Below debug if not nated to fortigate. Hope this help. 

 

1205.png

 

 

TBogs
TBogs
240
0 Kudos
ozkanaltas
Valued Contributor II
In response to hbuenafe81

Created on ‎06-04-2024 11:18 AM

Hi @hbuenafe81 ,

 

Sorry for my late reply.


Can you try without an AV profile on your policy? That line "Send to IPS" is related to the AV profile.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
224
0 Kudos
hbuenafe81
New Contributor III
In response to ozkanaltas

Created on ‎06-04-2024 10:46 PM Edited on ‎06-04-2024 10:47 PM

Hi Ozkanaltas,

 

Still same when i try to remove AV, i deleted create new policy with no restriction, below screenshot for your perusal. Btw, I've just notice that the its not reaching to the server if i will not create policy (10.2.202.10) nated to fortigate. If I nat it to fortigate them we get that message = outdev-unknown

 

1200-5.png

TBogs
TBogs
202
0 Kudos
ozkanaltas
Valued Contributor II
In response to hbuenafe81

Created on ‎06-04-2024 10:57 PM

Hello @hbuenafe81 ,

 

This debug output it seems without any problem.

 

Do you have a route on the router for return traffic?

 

And also can you try to configure source nat on the router for that traffic? Traffic seems to work asymmetrically.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
195
hbuenafe81
New Contributor III
In response to ozkanaltas

Created on ‎06-04-2024 11:15 PM

Thanks for the prompt response.. Below trace and config showing that server is reachable from loopback and vice versa.

10.2.202.10.png

TBogs
TBogs
191
0 Kudos
ozkanaltas
Valued Contributor II
In response to hbuenafe81

Created on ‎06-05-2024 12:05 AM

Hi @hbuenafe81 ,

 

I am not good at Cisco configuration but these nat rules seem like dnat rules. 

 

Can you try source nat for that traffic? 

 

Also, why do you need nat traffic on the router? You can access your server directly from FortiGate. If you want to hide your IP address from the remote side you can also do this on FortiGate with VIP object.

 

In your scenario, your traffic flow should be like that. And this flow is not manageable in a long time. 

 

image.png

 

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
169
hbuenafe81
New Contributor III
In response to ozkanaltas

Created on ‎06-05-2024 12:10 AM Edited on ‎06-05-2024 12:25 AM

Thank you ozkanaltas, appreciated much and I understand you, however I have multiple clients and connection using L3 MPLS setup which configure in routers. I'm not sure why server drop the request, unless i will NAT it on fortigate. Its like double natting happen.  Note other client is working except this s2s. 

TBogs
TBogs
166
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.