Hi everyone,
I use fortigate 300D build the ipsec-vpn tunnel between Site A and Site B
Site A has two subnets, one is 10.80.0.0/24 the other one is 10.80.102.0/24
Site B has one subnet, 10.0.0.0/24
host 10.80.0.100 can ping host 10.0.0.98
here is the problem
At the beginning, 10.80.102.32 can't ping 10.0.0.98 ,but 10.0.0.98 can ping 10.80.102.32
When I use host 10.0.0.98 ping host 10.80.102.32 first,then host 10.80.102.32 can ping host 10.0.0.98
After I use "Ctrl + C"in cmd to stop the ping on host 10.0.0.98, then 10.80.102.32 can't ping 10.0.0.98 again..
Can someone please assist in directing me in the correct direction? I don't know where the problem is..
Thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
this looks like if it can find a route but doesn't match any policy ("Denied by forward policy check (policy 0)" - means no other policy matches then policy 0 (i.e. deny all from all via any interface) matches).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Please check the policies, esp. if they allow both subnets. What you see is that sessions can only be opened from one side.
The routing is OK obviously.
If the problem persists please post the policies and address object definitions.
I bet in rules, but can use the flow in both fortigates command line to get more info:
Start with a clean up (just in case)
diagnose debug disable
diagnose debug reset
then put the flow comands
diag debug flow filter addr <source ip>
diag debug flow show console enable
diag debug flow trace start 500
diag debug enable
Test the ping and see what the FG show
Clean the flow again
diagnose debug disable
diagnose debug reset
After this, you will have messages with the problem.
Make sure the phase 2 selectors match on both ends. If one is a subset of the other, you may see this happen.
For example: If site B is set for 10.1.1.0/24 and site A is 10.1.0.0./16, you will be able to open from A to B since A covers all of B, but not so the other way around. (If I can recall)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Thank you for your reply
Both site A and siteB are the same subnet in phase 2
I think the problem is on 10.0.0.98,I will use another server for test again
Thank you for your reply
I couldn't understand what the debug output mean..
id=20085 trace_id=102 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=1, 10.80.102.32:1->10.0.0.98:2048) from Corp VLAN 10. type=8, code=0, id=1, seq=26243." id=20085 trace_id=102 func=init_ip_session_common line=5047 msg="allocate a new session-196463f4" id=20085 trace_id=102 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.80.0.253 via Corp VLAN 10" id=20085 trace_id=102 func=fw_forward_handler line=577 msg="Denied by forward policy check (policy 0)" id=20085 trace_id=103 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=1, 10.80.102.32:1->10.0.0.98:2048) from Corp VLAN 10. type=8, code=0, id=1, seq=26244." id=20085 trace_id=103 func=init_ip_session_common line=5047 msg="allocate a new session-19646686" id=20085 trace_id=103 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.80.0.253 via Corp VLAN 10" id=20085 trace_id=103 func=fw_forward_handler line=577 msg="Denied by forward policy check (policy 0)" id=20085 trace_id=104 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=1, 10.80.102.32:1->10.0.0.98:2048) from Corp VLAN 10. type=8, code=0, id=1, seq=26245." id=20085 trace_id=104 func=init_ip_session_common line=5047 msg="allocate a new session-19646906" id=20085 trace_id=104 func=vf_ip_route_input_common line=2583 msg="find a route: flag=00000000 gw-10.80.0.253 via Corp VLAN 10" id=20085 trace_id=104 func=fw_forward_handler line=577 msg="Denied by forward policy check (policy 0)" id=20085 trace_id=105 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=1, 10.80.102.32:1->10.0.0.98:2048) from Corp VLAN 10. type=8, code=0, id=1, seq=26246."
this looks like if it can find a route but doesn't match any policy ("Denied by forward policy check (policy 0)" - means no other policy matches then policy 0 (i.e. deny all from all via any interface) matches).
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Thank you for your reply
I will double check for it
But I think the problem is on host 10.0.0.98
I will change another PC for test again
thank you
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.