Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
khalilbouzaiene1
Contributor

ipsec vpn blackhole issue: i can't ping the other subnet throw the ipsec tunel

I have two LAN networks: the first one is 192.168.1.0/24, and the second one is 10.0.0.0/24. Each LAN is directly connected to a FortiGate firewall. I have set up a site-to-site VPN using two FortiGate virtual machines running version 7.2.0. The VPN configuration was done using the wizard.

However, when I try to ping a host in the other subnet (for example, from 192.168.1.1 to 10.0.0.2), I don't receive any response. The ping requests seem to be unsuccessful.

I researched this issue and discovered that it might be related to the black hole route created by the VPN wizard template. If anyone has experienced this problem before, I would appreciate any suggestions or solutions for resolving it. If anyone has knowledge of how to fix this, please provide guidance.

1 Solution
khalilbouzaiene1
Contributor

@saneeshpv_FTNT @internet_contributer  @jera  @hbac @dbhavsar 

I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've had many requests, but when it comes to work, it's important to get things done .the issue is not in the static route or in the policies  , the issue was the fortigate it self , the version that i was working with it v7.2.0-build so when i change the version it work dirctly . 

View solution in original post

35 REPLIES 35
hbac

Hi @khalilbouzaiene1,

 

Please try to ping again but instead of running sniffer, you can run debug flow as follows:

 

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 10.0.0.2
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

 

Regards, 

khalilbouzaiene1

hello friend i finaly know the issue but now haw can i solve it 
so when i try to debug flow 2 hour ago  and aplied some filter so so on after that i have noticed that in evry icmpt echo request the icmp session id  change :
debug1.pngdebug2.pngdebug3.png

but so far i'm searching ho to solove this problem 

 

 

khalilbouzaiene1

i'm still thinking that the blackhole route may be the problem of this 

khalilbouzaiene1

an other thning thtat i have done also is traceroute of the packet 
in my local host (192.168.12) i wrote in the cmd this commande and i have this result 
sniffer 4.png

do you thing guys that this problem is related to the gateway ?? 
because first hop usually is my lan interface on the fortigate which is 192.168.1.1 !

 

netmin_02
New Contributor

Try disable windows firewall on Win4 and Win5

By default windows firewall accept only localnet remote ip from icmp traffic.

khalilbouzaiene1

hello friend 
thank you for your support , but i have disabled win firewall from the begining . 

saneeshpv_FTNT

@khalilbouzaiene1

 

For your Tunnel routes, you don't need to define a Gateway IP which you defined incorrectly as I see from one of the screenshots you shared earlier. The route just needs the tunnel interface name for it to forward the traffic to tunnel. 

 

On Firewall A You need route to 10.0.0.0/24 via To-FW-B

config router static
edit 0
set dst 10.0.0.0/24
set device "To-FW-B"
next
end


On Firewall B You need route to 192.168.10/24 via To-FW-A


config router static
edit 0
set dst 192.168.10/24
set device "To-FW-A"
next
end


Having different session ID for ICMP traffic ECHO request is normal because ICMP session are short lived in the firewall and every new request FW creates a different session as you see sequence number & identifier is different for each of them.

 

Best Regards

khalilbouzaiene1

hello  

thank you for you support  but in the two snapshots of the static route in the two fortigate  the remote subnet is the group of adresses created by wizard template when i have configured the tunnel :

FW-A to FW-B_remote : is the subnet 10.0.0.0/24
FW-B to -FW-A_remote : is the subnet 192.168.1.0/24 
and i thing that the comfiguration that you have gave it to me is the same thing of these route juste in the place of this groupe of addresses we will find juste  like  this  

dst : 10.0.0.0/24                    gw :30.0.0.1                   int : FW-A to FW-B
 

 

dbhavsar
Staff
Staff

Hello @khalilbouzaiene1 ,

Let's collect output of the following debugs:
di de reset
diagnose debug flow filter saddr xx.xx.xx.xx <---SourceIP
diagnose debug flow filter daddr yy.yy.yy.yy <---DestinationIP
di de flow filter proto 1
diagnose debug flow show function enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable

- Also please show the policies that was created by the wizard and the tunnel interface config using following command:
show full system interface  <tunnel-name>

- Once done remove the route created by the wizard or disable it and create a same route manually this won't add the gateway.

DNB
khalilbouzaiene1

hello @dbhavsar 

 

thank you for your support 

so the logs for this debug :

di de reset
diagnose debug flow filter saddr 192.168.1.2
diagnose debug flow filter daddr 10.0.0.2
di de flow filter proto 1
diagnose debug flow show function enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
are those  :


FW-A # 2024-02-28 05:20:36 id=65308 trace_id=9 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:1->10.0.0.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=64."
2024-02-28 05:20:36 id=65308 trace_id=9 func=init_ip_session_common line=6076 msg="allocate a new session-000004b6, tun_id=0.0.0.0"
2024-02-28 05:20:36 id=65308 trace_id=9 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
2024-02-28 05:20:36 id=65308 trace_id=9 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-02-28 05:20:36 id=65308 trace_id=9 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-02-28 05:20:36 id=65308 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-30.0.0.1 via FW-A to FW-B"
2024-02-28 05:20:40 id=65308 trace_id=10 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:1->10.0.0.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=65."
2024-02-28 05:20:40 id=65308 trace_id=10 func=init_ip_session_common line=6076 msg="allocate a new session-000004bc, tun_id=0.0.0.0"
2024-02-28 05:20:40 id=65308 trace_id=10 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
2024-02-28 05:20:40 id=65308 trace_id=10 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-02-28 05:20:41 id=65308 trace_id=10 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-02-28 05:20:41 id=65308 trace_id=10 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-30.0.0.1 via FW-A to FW-B"
2024-02-28 05:20:45 id=65308 trace_id=11 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:1->10.0.0.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=66."
2024-02-28 05:20:45 id=65308 trace_id=11 func=init_ip_session_common line=6076 msg="allocate a new session-000004c6, tun_id=0.0.0.0"
2024-02-28 05:20:45 id=65308 trace_id=11 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
2024-02-28 05:20:45 id=65308 trace_id=11 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-02-28 05:20:45 id=65308 trace_id=11 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-02-28 05:20:46 id=65308 trace_id=11 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-30.0.0.1 via FW-A to FW-B"
2024-02-28 05:20:50 id=65308 trace_id=12 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:1->10.0.0.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=67."
2024-02-28 05:20:50 id=65308 trace_id=12 func=init_ip_session_common line=6076 msg="allocate a new session-000004c9, tun_id=0.0.0.0"
2024-02-28 05:20:50 id=65308 trace_id=12 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
2024-02-28 05:20:50 id=65308 trace_id=12 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-02-28 05:20:50 id=65308 trace_id=12 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-02-28 05:20:51 id=65308 trace_id=12 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-30.0.0.1 via FW-A to FW-B"

and for the policies created by the wizard are 
fgt1.png

here   FW-A to FW-B_remote is 10.0.0.0/24 and  FW-A to FW-B_local is 192.168.1.0/24

 

 

and finaly for the interface configuration 

FW-A # show full system interface 'FW-A to FW-B'
config system interface
edit "FW-A to FW-B"
set vdom "root"
set vrf 0
set distance 5
set priority 1
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set ip 0.0.0.0 0.0.0.0
unset allowaccess
set arpforward enable
set broadcast-forward disable
set bfd global
set icmp-send-redirect enable
set icmp-accept-redirect enable
set reachable-time 30000
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type tunnel
set netflow-sampler disable
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set remote-ip 0.0.0.0 0.0.0.0
set description ''
set alias ''
set security-mode none
set ike-saml-server ''
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth disable
set role undefined
set snmp-index 9
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set ip-managed-by-fortiipam disable
set switch-controller-igmp-snooping-proxy disable
set switch-controller-igmp-snooping-fast-leave disable
set eap-supplicant disable
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set dhcp-relay-request-all-server disable
set dns-server-override enable
set dns-server-protocol cleartext
set mtu-override disable
set wccp disable
set interface "port2"
next
end

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors