I have two LAN networks: the first one is 192.168.1.0/24, and the second one is 10.0.0.0/24. Each LAN is directly connected to a FortiGate firewall. I have set up a site-to-site VPN using two FortiGate virtual machines running version 7.2.0. The VPN configuration was done using the wizard.
However, when I try to ping a host in the other subnet (for example, from 192.168.1.1 to 10.0.0.2), I don't receive any response. The ping requests seem to be unsuccessful.
I researched this issue and discovered that it might be related to the black hole route created by the VPN wizard template. If anyone has experienced this problem before, I would appreciate any suggestions or solutions for resolving it. If anyone has knowledge of how to fix this, please provide guidance.
@saneeshpv_FTNT @internet_contributer @jera @hbac @dbhavsar
I want to express my gratitude to everyone. I truly appreciate all your help. I understand that I've had many requests, but when it comes to work, it's important to get things done. The issue is not in the static route or in the policies; the issue was the FortiGate itself. The version I was working with was v7.2.0-build, so when I changed the version it worked directly.
Please try to ping again but instead of running sniffer, you can run debug flow as follows:
di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 10.0.0.2
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable
Regards,
Hello friend, I finally know the issue, but now how can I solve it?
So when I tried debug flow 2 hours ago and applied some filters and so on, after that I noticed that in every ICMP echo request the ICMP session ID changes:
But so far I'm searching how to solve this problem.
I'm still thinking that the blackhole route may be the cause of this.
Another thing that I have done is a traceroute of the packet.
On my local host (192.168.12) I typed this command in the cmd and I got this result.
Do you think, guys, that this problem is related to the gateway?
Because the first hop usually is my LAN interface on the FortiGate, which is 192.168.1.1!
Try disabling Windows Firewall on Win4 and Win5.
By default Windows Firewall accepts ICMP traffic only from local-net remote IPs.
Hello friend,
thank you for your support, but I have disabled the Windows firewall from the beginning.
For your tunnel routes, you don't need to define a gateway IP, which you defined incorrectly as I see from one of the screenshots you shared earlier. The route just needs the tunnel interface name for it to forward the traffic to the tunnel.
On Firewall A you need a route to 10.0.0.0/24 via To-FW-B:
config router static
edit 0
set dst 10.0.0.0/24
set device "To-FW-B"
next
end
On Firewall B you need a route to 192.168.1.0/24 via To-FW-A:
config router static
edit 0
set dst 192.168.1.0/24
set device "To-FW-A"
next
end
Having a different session ID for each ICMP echo request is normal, because ICMP sessions are short-lived in the firewall and for every new request the FW creates a different session; as you see, the sequence number and identifier are different for each of them.
Best Regards
Hello,
thank you for your support, but in the two snapshots of the static route on the two FortiGates the remote subnet is the group of addresses created by the wizard template when I configured the tunnel:
FW-A to FW-B_remote: is the subnet 10.0.0.0/24
FW-B to FW-A_remote: is the subnet 192.168.1.0/24
And I think that the configuration you gave me is the same thing as these routes, just with the subnet in the place of this group of addresses.
Hello @khalilbouzaiene1 ,
Let's collect output of the following debugs:
di de reset
diagnose debug flow filter saddr xx.xx.xx.xx <---SourceIP
diagnose debug flow filter daddr yy.yy.yy.yy <---DestinationIP
di de flow filter proto 1
diagnose debug flow show function enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
- Also please show the policies that were created by the wizard and the tunnel interface config using the following command:
show full system interface <tunnel-name>
- Once done, remove the route created by the wizard or disable it and create the same route manually; this won't add the gateway.
Hello @dbhavsar,
thank you for your support.
So the logs for this debug:
di de reset
diagnose debug flow filter saddr 192.168.1.2
diagnose debug flow filter daddr 10.0.0.2
di de flow filter proto 1
diagnose debug flow show function enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 999
diagnose debug enable
are these:
FW-A # 2024-02-28 05:20:36 id=65308 trace_id=9 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:1->10.0.0.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=64."
2024-02-28 05:20:36 id=65308 trace_id=9 func=init_ip_session_common line=6076 msg="allocate a new session-000004b6, tun_id=0.0.0.0"
2024-02-28 05:20:36 id=65308 trace_id=9 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
2024-02-28 05:20:36 id=65308 trace_id=9 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-02-28 05:20:36 id=65308 trace_id=9 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-02-28 05:20:36 id=65308 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-30.0.0.1 via FW-A to FW-B"
2024-02-28 05:20:40 id=65308 trace_id=10 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:1->10.0.0.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=65."
2024-02-28 05:20:40 id=65308 trace_id=10 func=init_ip_session_common line=6076 msg="allocate a new session-000004bc, tun_id=0.0.0.0"
2024-02-28 05:20:40 id=65308 trace_id=10 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
2024-02-28 05:20:40 id=65308 trace_id=10 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-02-28 05:20:41 id=65308 trace_id=10 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-02-28 05:20:41 id=65308 trace_id=10 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-30.0.0.1 via FW-A to FW-B"
2024-02-28 05:20:45 id=65308 trace_id=11 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:1->10.0.0.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=66."
2024-02-28 05:20:45 id=65308 trace_id=11 func=init_ip_session_common line=6076 msg="allocate a new session-000004c6, tun_id=0.0.0.0"
2024-02-28 05:20:45 id=65308 trace_id=11 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
2024-02-28 05:20:45 id=65308 trace_id=11 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-02-28 05:20:45 id=65308 trace_id=11 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-02-28 05:20:46 id=65308 trace_id=11 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-30.0.0.1 via FW-A to FW-B"
2024-02-28 05:20:50 id=65308 trace_id=12 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:1->10.0.0.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=67."
2024-02-28 05:20:50 id=65308 trace_id=12 func=init_ip_session_common line=6076 msg="allocate a new session-000004c9, tun_id=0.0.0.0"
2024-02-28 05:20:50 id=65308 trace_id=12 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
2024-02-28 05:20:50 id=65308 trace_id=12 func=iprope_dnat_tree_check line=823 msg="len=0"
2024-02-28 05:20:50 id=65308 trace_id=12 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-02-28 05:20:51 id=65308 trace_id=12 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-30.0.0.1 via FW-A to FW-B"
And the policies created by the wizard are:
Here FW-A to FW-B_remote is 10.0.0.0/24 and FW-A to FW-B_local is 192.168.1.0/24.
And finally the interface configuration:
FW-A # show full system interface 'FW-A to FW-B'
config system interface
edit "FW-A to FW-B"
set vdom "root"
set vrf 0
set distance 5
set priority 1
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set ip 0.0.0.0 0.0.0.0
unset allowaccess
set arpforward enable
set broadcast-forward disable
set bfd global
set icmp-send-redirect enable
set icmp-accept-redirect enable
set reachable-time 30000
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type tunnel
set netflow-sampler disable
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set remote-ip 0.0.0.0 0.0.0.0
set description ''
set alias ''
set security-mode none
set ike-saml-server ''
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth disable
set role undefined
set snmp-index 9
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set ip-managed-by-fortiipam disable
set switch-controller-igmp-snooping-proxy disable
set switch-controller-igmp-snooping-fast-leave disable
set eap-supplicant disable
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set dhcp-relay-request-all-server disable
set dns-server-override enable
set dns-server-protocol cleartext
set mtu-override disable
set wccp disable
set interface "port2"
next
end
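As an added example (not from the thread or from Fortinet), a small Python parser for the debug flow output quoted above: it groups lines by trace_id, extracts the packet, the allocated session and the route-lookup result, and reports for each echo request whether the route resolved onto the tunnel interface, whether it carried a gateway, and which function was the last one logged. The sample lines are constructed in the same format as the output above, using the thread's addresses and tunnel name.

```python
import re

# Constructed sample in the format of the debug flow output quoted above
# (same addresses, tunnel name and gateway as in the thread).
SAMPLE = """\
2024-02-28 05:20:36 id=65308 trace_id=9 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:1->10.0.0.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=64."
2024-02-28 05:20:36 id=65308 trace_id=9 func=init_ip_session_common line=6076 msg="allocate a new session-000004b6, tun_id=0.0.0.0"
2024-02-28 05:20:36 id=65308 trace_id=9 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-30.0.0.1 via FW-A to FW-B"
2024-02-28 05:20:40 id=65308 trace_id=10 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 192.168.1.2:1->10.0.0.2:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=65."
2024-02-28 05:20:40 id=65308 trace_id=10 func=init_ip_session_common line=6076 msg="allocate a new session-000004bc, tun_id=0.0.0.0"
2024-02-28 05:20:41 id=65308 trace_id=10 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-30.0.0.1 via FW-A to FW-B"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
PKT_RE = re.compile(r'\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\).*?seq=(\d+)')
SESS_RE = re.compile(r'session-([0-9a-f]+)')
ROUTE_RE = re.compile(r'find a route: flag=\w+ (?:gw-([\d.]+) )?via (.+)$')


def parse_flow(text):
    """Group debug flow lines by trace_id (one trace per packet) and keep the
    packet header, the allocated session and the route-lookup result."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # echoed commands, prompts and other non-trace lines
        tid, func, msg = m.groups()
        t = traces.setdefault(tid, {"steps": [], "gw": None, "via": None})
        t["steps"].append(func)
        if func == "print_pkt_detail" and (p := PKT_RE.search(msg)):
            t["proto"], t["src"], t["dst"] = p.group(1), p.group(2), p.group(3)
            t["seq"] = int(p.group(4))
        elif func == "init_ip_session_common" and (s := SESS_RE.search(msg)):
            t["session"] = s.group(1)
        elif func == "vf_ip_route_input_common" and (r := ROUTE_RE.search(msg)):
            t["gw"], t["via"] = r.group(1), r.group(2)
    return traces


def summarize(traces, tunnel_name):
    """Per echo request: was the route resolved onto the tunnel interface, did
    it carry a gateway (a tunnel route needs none), and which function was the
    last one logged before the trace went quiet."""
    return [{
        "trace_id": int(tid), "seq": t.get("seq"), "session": t.get("session"),
        "via_tunnel": t["via"] == tunnel_name,
        "has_gateway": t["gw"] is not None,
        "last_step": t["steps"][-1],
    } for tid, t in traces.items()]
```

Paste the real debug output into SAMPLE (or read it from a file) and call summarize(parse_flow(text), "<tunnel-name>"); a new session per echo request is expected, while a trace whose last step is the route lookup shows where to look next.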