Hello dear,
I'm experiencing strange behavior on the FortiGate # with an OS Evaluation License.
The laboratory was set up to simulate the following scenario.
C<->A<->B
"Point A" is a central node
So all the settings were made, and they worked normally.
But apparently something causes the "Point B" IPsec tunnels to stop working from Point A to Point C.
After a reboot of the Point A FortiGate, everything works normally.
If I enter DEBUG mode on Point A, it shows me this log:
FORTI1 # id=20085 trace_id=101 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:28988->192.168.2.1:2048) tun_id=192.168.15.180 from A_PARA_C. type=8, code=0, id=28988, seq=26."
id=20085 trace_id=101 func=init_ip_session_common line=6024 msg="allocate a new session-00000dea, tun_id=192.168.15.180"
id=20085 trace_id=101 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-192.168.15.150 via LADO-A"
id=20085 trace_id=102 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:28988->192.168.2.1:2048) tun_id=192.168.15.180 from A_PARA_C. type=8, code=0, id=28988, seq=27."
id=20085 trace_id=102 func=init_ip_session_common line=6024 msg="allocate a new session-00000dec, tun_id=192.168.15.180"
id=20085 trace_id=102 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-192.168.15.150 via LADO-A"
id=20085 trace_id=103 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:28988->192.168.2.1:2048) tun_id=192.168.15.180 from A_PARA_C. type=8, code=0, id=28988, seq=28."
id=20085 trace_id=103 func=init_ip_session_common line=6024 msg="allocate a new session-00000def, tun_id=192.168.15.180"
id=20085 trace_id=103 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-192.168.15.150 via LADO-A"
id=20085 trace_id=104 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 192.168.3.2:28988->192.168.2.1:2048) tun_id=192.168.15.180 from A_PARA_C. type=8, code=0, id=28988, seq=29."
Detailing the tests:
Point A
LAN 192.168.1.1/24
Point B
LAN 192.168.2.1/24
Point C
LAN 192.168.3.1/24
If from 192.168.3.2 I send an ICMP request to 192.168.1.2, when the problem occurs, I won't receive any response. After a reboot of Point A, I can PING again.
Can anyone help?
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi @JuniorSilvaX93,
So the issue is you can't ping from point C to point B? When the issue occurs, is the IPsec tunnel up or down? You also need to run debug flow on point B:
di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 192.168.2.1
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable
Regards,