I have two fortigate 60F which connected via ipsec (HQ office and branch office)
I need to allow users from branch office to connect to HQ's web server.
currently i can ping from HQ to branch office users, but not able from branch to HQ's office.
I am new to fortigate configuration, guys can u help me what i need to configure?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
resolved, on branch side the IPSec vpn settings was wrong (Wrong interface)
not matching p2 selectors would be seen in Flow Trace log explicitely. The log on the branch only states "denied by forward policy check (policy #0)" which means it got implicitely denied here. This happens either if there is no route to the destination or it did not match any of your policies.
So I'd suggest to check routing and policies on both side.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hello,
Here are the commands to collect debug flow:
diagnose debug flow filter addr 192.168.1.150
diagnose debug flow filter port 445
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
uzkfghq # diagnose debug enableid=65308 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.1.150:445->192.168.50.130:46817) tun_id=89.218.164.118 from 2Tengiz-HQ. flag [.], seq 2917887795, ack 3457127391, win 254"
id=65308 trace_id=1 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, reply direction"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.50.130 via internal"
id=65308 trace_id=1 func=npu_handle_session44 line=1206 msg="Trying to offloading session from 2Tengiz-HQ to internal, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x01040001"
id=65308 trace_id=1 func=fw_forward_dirty_handler line=437 msg="state=00000200, state2=00000000, npu_state=01040001"
id=65308 trace_id=2 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.130:46817->192.168.1.150:445) tun_id=0.0.0.0 from internal. flag [.], seq 3457127391, ack 2917887796, win 513"
id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, original direction"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.164.118 via 2Tengiz-HQ"
id=65308 trace_id=2 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=82, len=2"
id=65308 trace_id=2 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=2 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=2 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=2 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=3 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.1.150:445->192.168.50.130:46817) tun_id=89.218.164.118 from 2Tengiz-HQ. flag [.], seq 2917887795, ack 3457127391, win 254"
id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, reply direction"
id=65308 trace_id=3 func=npu_handle_session44 line=1206 msg="Trying to offloading session from 2Tengiz-HQ to internal, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x01040001"
id=65308 trace_id=3 func=fw_forward_dirty_handler line=437 msg="state=00000200, state2=00000000, npu_state=01040001"
id=65308 trace_id=4 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.130:46817->192.168.1.150:445) tun_id=0.0.0.0 from internal. flag [.], seq 3457127391, ack 2917887796, win 513"
id=65308 trace_id=4 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, original direction"
id=65308 trace_id=4 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=4 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=4 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=4 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=4 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=5 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.130:46817->192.168.1.150:445) tun_id=0.0.0.0 from internal. flag [.], seq 3457127391, ack 2917887796, win 513"
id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, original direction"
id=65308 trace_id=5 func=npu_handle_session44 line=1206 msg="Trying to offloading session from internal to 2Tengiz-HQ, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x01040001"
id=65308 trace_id=5 func=fw_forward_dirty_handler line=437 msg="state=00000200, state2=00000000, npu_state=01040001"
id=65308 trace_id=5 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=5 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=5 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=5 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=6 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.1.150:445->192.168.50.130:46817) tun_id=89.218.164.118 from 2Tengiz-HQ. flag [.], seq 2917887796, ack 3457127515, win 254"
id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, reply direction"
id=65308 trace_id=6 func=npu_handle_session44 line=1206 msg="Trying to offloading session from 2Tengiz-HQ to internal, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x01040001"
id=65308 trace_id=6 func=fw_forward_dirty_handler line=437 msg="state=00000200, state2=00000000, npu_state=01040001"
id=65308 trace_id=7 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.130:46817->192.168.1.150:445) tun_id=0.0.0.0 from internal. flag [.], seq 3457127515, ack 2917888064, win 512"
id=65308 trace_id=7 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, original direction"
id=65308 trace_id=7 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=7 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=7 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=7 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=7 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=8 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.130:46817->192.168.1.150:445) tun_id=0.0.0.0 from internal. flag [.], seq 3457127514, ack 2917888064, win 512"
id=65308 trace_id=8 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, original direction"
id=65308 trace_id=8 func=npu_handle_session44 line=1206 msg="Trying to offloading session from internal to 2Tengiz-HQ, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x01040001"
id=65308 trace_id=8 func=fw_forward_dirty_handler line=437 msg="state=00000200, state2=00000000, npu_state=01040001"
id=65308 trace_id=8 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=8 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=8 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=8 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=9 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.1.150:445->192.168.50.130:46817) tun_id=89.218.164.118 from 2Tengiz-HQ. flag [.], seq 2917888064, ack 3457127515, win 254"
id=65308 trace_id=9 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, reply direction"
id=65308 trace_id=9 func=npu_handle_session44 line=1206 msg="Trying to offloading session from 2Tengiz-HQ to internal, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x01040001"
id=65308 trace_id=9 func=fw_forward_dirty_handler line=437 msg="state=00000200, state2=00000000, npu_state=01040001"
id=65308 trace_id=10 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.130:46817->192.168.1.150:445) tun_id=0.0.0.0 from internal. flag [.], seq 3457127514, ack 2917888064, win 512"
id=65308 trace_id=10 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, original direction"
id=65308 trace_id=10 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=10 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=10 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=10 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=10 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=11 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.1.150:445->192.168.50.130:46817) tun_id=89.218.164.118 from 2Tengiz-HQ. flag [.], seq 2917888064, ack 3457127515, win 254"
id=65308 trace_id=11 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, reply direction"
id=65308 trace_id=11 func=npu_handle_session44 line=1206 msg="Trying to offloading session from 2Tengiz-HQ to internal, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x01040001"
id=65308 trace_id=11 func=fw_forward_dirty_handler line=437 msg="state=00000200, state2=00000000, npu_state=01040001"
id=65308 trace_id=12 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.1.150:445->192.168.50.130:46817) tun_id=89.218.164.118 from 2Tengiz-HQ. flag [.], seq 2917888063, ack 3457127515, win 254"
id=65308 trace_id=12 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, reply direction"
id=65308 trace_id=12 func=npu_handle_session44 line=1206 msg="Trying to offloading session from 2Tengiz-HQ to internal, skb.npu_flag=00000400 ses.state=00000200 ses.npu_state=0x01040001"
id=65308 trace_id=12 func=fw_forward_dirty_handler line=437 msg="state=00000200, state2=00000000, npu_state=01040001"
id=65308 trace_id=13 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.130:46817->192.168.1.150:445) tun_id=0.0.0.0 from internal. flag [.], seq 3457127515, ack 2917888064, win 512"
id=65308 trace_id=13 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0d1b0d2b, original direction"
id=65308 trace_id=13 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=13 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=13 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=13 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=13 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
this export from HQ FG
gents, can u help me, i have 2 sites with IP Sec, HQ can reach branch office e.g.ping, RDP but from branch office to HQ i cannot ping, or even open web server. can u help me what rules i need to check
resolved, on branch side the IPSec vpn settings was wrong (Wrong interface)
Hello,
Could you please mark it as resolved and latest message as a solution? Therefore, other forum users can benefit.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.