Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fatherfinch
New Contributor

sFlow across an IPSec Tunnel

     I have an IPSec site to site tunnel between a FortiGate 110C and Cisco ASA5510.  There is a single NAT happening on the Fortigate side that translates the LAN addresses to a block of addresses.  All traffic between the hosts on the ASA side and hosts on the FortiGate LAN are working correctly.  The issue comes into play when self originated traffic from the 110C is pushed across the tunnel, in particular sFlow data.  When the source IP is set to default, the traffic is pushed from the WAN IP to the tunnel interface.  When the source IP is set as the LAN interface the traffic is being directed to the tunnel,  however, it is not using the NAT pool of addresses for the tunnel traffic. 

 

As a test I used IMCP to flesh this out.  

execute ping-options source 0.0.0.0

execute ping ASA HOST

this fails

execute ping-options source LAN IP

execute ping ASA HOST

this fails

execute ping-options source TUNNEL NAT POOL 

execute ping ASA HOST

this is successful

 

What am I missing to NAT self generated traffic?

 

Thanks!

 

1 Solution
emnoc
Esteemed Contributor III

I would diag debug flow is your friend. I would start with that, look at the diag output. I would pre-warn you tho, it's hard to get the "local" traffic SNAT. Since the fw-policies are not in play that has SNAT.

 

Alternative you could set a filter for the collector dst and run it thru the   diag sys session list

 

e.g assuming my collector was the following;

 

config system sflow     set collector-ip 9.9.9.1    <-------collector     set collector-port 65001     set source-ip 192.0.2.28 end

 

config system interface     edit "loop0"         set vdom "root"         set ip 192.0.2.28 255.255.255.255         set type loopback         set snmp-index 891     next end

 

So we would use  the following filter ;

 

diag sys session filter dst 9.9.9.1

diag sys session list

 

You will find your are most likely matching  the policy-id0 and not a "regular fwpolicy"

 

YMMV on  the diagnostic approach you take but to xlate from a local sourc'd packet is very hard todo.

 

 

 

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
2 REPLIES 2
emnoc
Esteemed Contributor III

I would diag debug flow is your friend. I would start with that, look at the diag output. I would pre-warn you tho, it's hard to get the "local" traffic SNAT. Since the fw-policies are not in play that has SNAT.

 

Alternative you could set a filter for the collector dst and run it thru the   diag sys session list

 

e.g assuming my collector was the following;

 

config system sflow     set collector-ip 9.9.9.1    <-------collector     set collector-port 65001     set source-ip 192.0.2.28 end

 

config system interface     edit "loop0"         set vdom "root"         set ip 192.0.2.28 255.255.255.255         set type loopback         set snmp-index 891     next end

 

So we would use  the following filter ;

 

diag sys session filter dst 9.9.9.1

diag sys session list

 

You will find your are most likely matching  the policy-id0 and not a "regular fwpolicy"

 

YMMV on  the diagnostic approach you take but to xlate from a local sourc'd packet is very hard todo.

 

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
fatherfinch
New Contributor

Thanks emnoc!  I will give this a shot later on today when I have access to the system.  I just connected to local system to read through the output of the session list.  I will probably find my answer there.  

Labels
Top Kudoed Authors