Support Forum
Umirzak
New Contributor III

Unable to ping and open local web server from branch office.

I have two FortiGate 60Fs which are connected via IPsec (HQ office and branch office).

I need to allow users from branch office to connect to HQ's web server. 

Currently I can ping from HQ to branch office users, but not from the branch to HQ's office.

I am new to FortiGate configuration; can you help me with what I need to configure?

 

AJ
Sherman_P
Staff

Hi @Umirzak ,

 

Is PING allowed on the HQ office? Sometimes it has something to do with the Windows Firewall, so it is worth checking. You may refer to the following article:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Unable-to-Ping-Destination-Host-Conn...

Umirzak
New Contributor III

I just tried to debug from the FortiGate in the branch office:

 

tengizfg # dia deb flow filter addr 192.168.50.99 (this is HQ's FortiGate)

tengizfg # dia deb flow filter proto 1

tengizfg # dia deb flow trace start 100

tengizfg # dia deb en

tengizfg #
tengizfg # id=65308 trace_id=92 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type=8, code=0, id=1, seq=96."
id=65308 trace_id=92 func=init_ip_session_common line=6009 msg="allocate a new session-00248759, tun_id=0.0.0.0"
id=65308 trace_id=92 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=92 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=92 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=93 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type=8, code=0, id=1, seq=97."
id=65308 trace_id=93 func=init_ip_session_common line=6009 msg="allocate a new session-002487fa, tun_id=0.0.0.0"
id=65308 trace_id=93 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=93 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=93 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=94 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type=8, code=0, id=1, seq=98."
id=65308 trace_id=94 func=init_ip_session_common line=6009 msg="allocate a new session-0024887c, tun_id=0.0.0.0"
id=65308 trace_id=94 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=94 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=94 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=95 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type=8, code=0, id=1, seq=99."
id=65308 trace_id=95 func=init_ip_session_common line=6009 msg="allocate a new session-002488cd, tun_id=0.0.0.0"
id=65308 trace_id=95 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=95 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=95 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=96 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type=8, code=0, id=1, seq=100."
id=65308 trace_id=96 func=init_ip_session_common line=6009 msg="allocate a new session-00248927, tun_id=0.0.0.0"
id=65308 trace_id=96 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=96 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=96 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=97 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type=8, code=0, id=1, seq=101."
id=65308 trace_id=97 func=init_ip_session_common line=6009 msg="allocate a new session-002489a1, tun_id=0.0.0.0"
id=65308 trace_id=97 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=97 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=97 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=98 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type=8, code=0, id=1, seq=102."
id=65308 trace_id=98 func=init_ip_session_common line=6009 msg="allocate a new session-00248a1a, tun_id=0.0.0.0"
id=65308 trace_id=98 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=98 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=98 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"

AJ
abarushka
Staff

Hello,

 

I would recommend checking whether the IPsec phase 2 subnets are configured correctly and whether firewall policies are configured on both sides.

 

You may consider sniffing the traffic and collecting debug flow output in order to isolate the issue while it is reproduced:

 

Sniffer:

 

diagnose sniffer packet any 'host <destination IP address>' 4 0 a

 

Debug flow:

 

diagnose debug flow filter daddr <destination IP address>
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable

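The two traces already posted in this thread tell the whole story, so here is an added example (my own code, not from the thread or from Fortinet) that parses `diagnose debug flow` output and names the missing policy. In the branch-office trace the ICMP echo enters on Tengizlan, the route lookup picks the tunnel interface 2HQ, and `Denied by forward policy check (policy 0)` is the implicit deny: no firewall policy matches Tengizlan -> 2HQ at all. The practical fix is a policy on the branch FortiGate from Tengizlan to 2HQ (and a matching one at HQ from its tunnel interface to the LAN interface that holds the web server), scoped to the two LAN subnets and to the services actually needed (PING, HTTP, HTTPS) rather than ALL. The sample lines are quoted from the two posts above; the `Allowed by Policy-N` pattern is the standard FortiGate message for a matched policy, and the function and field names are my choices.

```python
"""Classify FortiGate `diagnose debug flow` traces and point at the missing policy."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: trace 92 is quoted from the branch-office output
# in this thread (ICMP echo hitting the implicit deny); trace 12 is quoted
# from the HQ output (TCP forwarded into the tunnel).
SAMPLE_DEBUG_FLOW = """\
id=65308 trace_id=92 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=1, 192.168.1.150:1->192.168.50.99:2048) tun_id=0.0.0.0 from Tengizlan. type=8, code=0, id=1, seq=96."
id=65308 trace_id=92 func=init_ip_session_common line=6009 msg="allocate a new session-00248759, tun_id=0.0.0.0"
id=65308 trace_id=92 func=vf_ip_route_input_common line=2611 msg="find a route: flag=04000000 gw-89.218.165.138 via 2HQ"
id=65308 trace_id=92 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=32, len=1"
id=65308 trace_id=92 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=12 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.197:49572->192.168.1.150:3389) tun_id=0.0.0.0 from internal. flag [.], seq 2231500958, ack 1035991134, win 511"
id=65308 trace_id=12 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0877472b, original direction"
id=65308 trace_id=12 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=12 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=12 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=12 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)'
                    r'.*? from (\S+)\.(?:\s|$)')
ROUTE_RE = re.compile(r'find a route: .*? via (\S+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')   # standard message for a matched policy
IPSEC_RE = re.compile(r'enter IPSec interface (\S+),')
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class Trace:
    trace_id: str
    proto: Optional[int] = None
    src: str = ""
    dst: str = ""
    dport: Optional[int] = None   # for ICMP the "port" is type*256+code (echo type 8 -> 2048)
    in_if: str = ""               # ingress interface, from "from <intf>."
    out_if: str = ""              # egress interface chosen by the route lookup, "via <intf>"
    policy: Optional[int] = None
    tunnel: str = ""
    verdict: str = "incomplete"


def parse_debug_flow(text: str) -> Dict[str, Trace]:
    """Group debug-flow lines by trace_id and record what happened to each packet."""
    traces: Dict[str, Trace] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue
        tid, _func, msg = m.groups()
        t = traces.setdefault(tid, Trace(trace_id=tid))
        pkt = PKT_RE.search(msg)
        if pkt:
            t.proto, t.src, t.dst = int(pkt.group(1)), pkt.group(2), pkt.group(4)
            t.dport, t.in_if = int(pkt.group(5)), pkt.group(6)
            continue
        route = ROUTE_RE.search(msg)
        if route:
            t.out_if = route.group(1)
            continue
        deny = DENY_RE.search(msg)
        if deny:
            t.policy = int(deny.group(1))
            # policy 0 is the implicit deny: nothing matched src-intf -> dst-intf
            t.verdict = "no_matching_policy" if t.policy == 0 else "denied_by_policy"
            continue
        allow = ALLOW_RE.search(msg)
        if allow:
            t.policy, t.verdict = int(allow.group(1)), "allowed"
            continue
        tun = IPSEC_RE.search(msg)
        if tun:
            t.tunnel, t.verdict = tun.group(1), "forwarded_to_tunnel"
            continue
        if "Find an existing session" in msg and t.verdict == "incomplete":
            t.verdict = "existing_session"
    return traces


def explain(t: Trace) -> str:
    """One human-readable line per trace, naming the interface pair that needs a policy."""
    if t.proto == 1 and t.dport is not None:
        what = f"ICMP type {t.dport >> 8} {t.src} -> {t.dst}"
    else:
        what = f"{PROTO_NAMES.get(t.proto, f'proto {t.proto}')} {t.src} -> {t.dst}:{t.dport}"
    if t.verdict == "no_matching_policy":
        return (f"trace {t.trace_id}: {what} came in on {t.in_if} and routes out {t.out_if}, "
                f"but no firewall policy matches {t.in_if} -> {t.out_if}; implicit deny dropped it")
    if t.verdict == "denied_by_policy":
        return f"trace {t.trace_id}: {what} explicitly denied by policy {t.policy}"
    if t.verdict == "forwarded_to_tunnel":
        return f"trace {t.trace_id}: {what} from {t.in_if} forwarded into IPsec tunnel {t.tunnel}"
    if t.verdict == "allowed":
        return f"trace {t.trace_id}: {what} allowed by policy {t.policy}"
    return f"trace {t.trace_id}: {what} verdict={t.verdict}"


def missing_policies(traces: Dict[str, Trace]) -> List[Tuple[str, str]]:
    """Distinct (ingress, egress) interface pairs that hit the implicit deny."""
    pairs = {(t.in_if, t.out_if) for t in traces.values()
             if t.verdict == "no_matching_policy" and t.in_if and t.out_if}
    return sorted(pairs)


if __name__ == "__main__":
    result = parse_debug_flow(SAMPLE_DEBUG_FLOW)
    for trace in result.values():
        print(explain(trace))
    print("policies to add (src-intf, dst-intf):", missing_policies(result))
```

Run it against a pasted capture instead of the sample and the last line lists exactly the interface pairs that need a policy; keep `diagnose debug flow filter` narrow (one host, one protocol) so each trace_id is a packet you care about, and remember that packets already in the fast path only print the "existing session" lines.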
Umirzak
New Contributor III

This is an extract from my HQ's FortiGate. I tried to perform the same commands on the branch FortiGate and it gives me nothing.

 

uzkfghq # diagnose sniffer packet any host 192.168.1.150 4 0 a
interfaces=[any]
filters=[host]
pcap_snapshot: snaplen raised from 0 to 262144
pcap_compile: can't parse filter expression: syntax error

uzkfghq # diagnose debug flow filter daddr 192.168.1.150

uzkfghq # diagnose debug flow show function-name enable
show function name

uzkfghq # diagnose debug flow trace start 100

uzkfghq # diagnose debug enable

uzkfghq # id=65308 trace_id=12 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.197:49572->192.168.1.150:3389) tun_id=0.0.0.0 from internal. flag [.], seq 2231500958, ack 1035991134, win 511"
id=65308 trace_id=12 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0877472b, original direction"
id=65308 trace_id=12 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=12 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=12 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=12 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=12 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=13 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=17, 192.168.50.197:63315->192.168.1.150:3389) tun_id=0.0.0.0 from internal."
id=65308 trace_id=13 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-08774731, original direction"
id=65308 trace_id=13 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=13 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=13 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=13 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=13 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=14 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.197:49572->192.168.1.150:3389) tun_id=0.0.0.0 from internal. flag [.], seq 2231500958, ack 1035991235, win 511"
id=65308 trace_id=14 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0877472b, original direction"
id=65308 trace_id=14 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=14 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface 2Tengiz-HQ, tun_id=0.0.0.0"
id=65308 trace_id=14 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel 2Tengiz-HQ vrf 0"
id=65308 trace_id=14 func=esp_output4 line=896 msg="IPsec encrypt/auth"
id=65308 trace_id=14 func=ipsec_output_finish line=629 msg="send to 89.218.165.137 via intf-wan1"
id=65308 trace_id=15 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.50.197:49572->192.168.1.150:3389) tun_id=0.0.0.0 from internal. flag [.], seq 2231500958, ack 1035991336, win 510"

 

AJ
Umirzak
New Contributor III

Finally, I need to open ports 80 and 443 from the remote FortiGate.

AJ
abarushka
Staff

Hello,

 

There is a typo in the sniffer. Correct syntax: "diagnose sniffer packet any 'host 192.168.1.150' 4 0 a"

 

As far as I understand the issue is resolved. If it is correct, please tag the thread as resolved.

Umirzak
New Contributor III

OK, see below:

uzkfghq # diagnose sniffer packet any 'host 192.168.1.150' 4 0 a
interfaces=[any]
filters=[host 192.168.1.150]
2024-06-19 07:50:40.786918 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:42.802375 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:44.802757 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:46.806683 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:48.827926 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:50.828242 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:52.828429 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:54.828418 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:56.828813 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:58.829033 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:51:00.829253 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: rst 1518787425 ack 2164524931

 

No, still unable to reach the host from the remote FG to the HQ FG.

 

AJ
Umirzak
New Contributor III

Same command tried from the remote FG:

tengizfg # interfaces=[any]
Unknown action 0

tengizfg # filters=[host 192.168.1.150]
Unknown action 0

tengizfg # 2024-06-19 07:50:40.786918 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0

tengizfg # 2024-06-19 07:50:42.802375 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0

tengizfg # 2024-06-19 07:50:44.802757 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0

tengizfg # 2024-06-19 07:50:46.806683 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0

tengizfg # 2024-06-19 07:50:48.827926 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0

tengizfg # 2024-06-19 07:50:50.828242 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0

tengizfg # 2024-06-19 07:50:52.828429 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0

tengizfg # 2024-06-19 07:50:54.828418 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0

tengizfg # 2024-06-19 07:50:56.828813 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0

tengizfg # 2024-06-19 07:50:58.829033 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
Unknown action 0

tengizfg # 2024-06-19 07:51:00.829253 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: rst 1518787425 ack 2164524931

AJ
abarushka

Hello,

 

I can see that the packet is received ("Tengiz-HQ in"); however, the packet is not forwarded. I would recommend checking the debug flow output using port 445 as a filter.

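Added example (my own code, not from the thread or from Fortinet): a parser for `diagnose sniffer packet any '<filter>' 4 0 a` output that automates the reading abarushka gives above. Verbosity 4 prints the interface name and direction for every packet, and with `any` a packet the FortiGate forwards appears twice, once as `<ingress> in` and once as `<egress> out`; a 5-tuple that only ever shows `in` was dropped by the FortiGate, and the same retransmitted segment followed by a `rst` is the sender giving up. The eleven SMB lines are quoted from the HQ sniffer output in this thread; the two HTTP lines, the HQ LAN interface name `internal` and the host 192.168.50.20 are constructed to show what a healthy forwarded flow looks like.

```python
"""Find one-way flows in FortiGate verbosity-4 sniffer output."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: first eleven lines quoted from the HQ FortiGate output
# in this thread; the last two are made up to show a flow that is forwarded
# (seen "in" on the tunnel and "out" on the LAN interface).
SAMPLE_SNIFFER = """\
2024-06-19 07:50:40.786918 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:42.802375 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:44.802757 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:46.806683 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:48.827926 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:50.828242 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:52.828429 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:54.828418 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:56.828813 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:50:58.829033 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: 1518787424 ack 2164524931
2024-06-19 07:51:00.829253 2Tengiz-HQ in 192.168.1.150.445 -> 192.168.50.130.11389: rst 1518787425 ack 2164524931
2024-06-19 07:52:10.000000 2Tengiz-HQ in 192.168.1.150.51000 -> 192.168.50.20.80: syn 100
2024-06-19 07:52:10.000050 internal out 192.168.1.150.51000 -> 192.168.50.20.80: syn 100
"""

# "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp info>"
SNIFF_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) '
    r'(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<info>.*)$')

FlowKey = Tuple[str, int, str, int]


class Packet(NamedTuple):
    ts: str
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    info: str


def parse_sniffer(text: str) -> List[Packet]:
    """Parse verbosity-4 lines; lines that are not packets (headers, prompts) are skipped."""
    packets = []
    for line in text.splitlines():
        m = SNIFF_RE.match(line.strip())
        if m:
            d = m.groupdict()
            packets.append(Packet(d["ts"], d["iface"], d["dir"], d["src"], int(d["sport"]),
                                  d["dst"], int(d["dport"]), d["info"]))
    return packets


def one_way_flows(packets: List[Packet]) -> List[Dict[str, object]]:
    """Flows seen 'in' on some interface but never 'out' on any: the FortiGate dropped them."""
    flows: Dict[FlowKey, Dict[str, object]] = {}
    for p in packets:
        key: FlowKey = (p.src, p.sport, p.dst, p.dport)
        f = flows.setdefault(key, {"in": set(), "out": set(), "infos": [], "rst": False})
        f[p.direction].add(p.iface)
        f["infos"].append(p.info)
        if re.search(r'\brst\b', p.info):
            f["rst"] = True
    stuck = []
    for key, f in flows.items():
        if f["in"] and not f["out"]:
            infos = f["infos"]
            stuck.append({
                "flow": key,
                "in_on": sorted(f["in"]),
                "packets": len(infos),
                # identical seq/ack text repeated = the peer retransmitting into a black hole
                "retransmits": len(infos) - len(set(infos)),
                "rst": f["rst"],
            })
    return stuck


if __name__ == "__main__":
    for entry in one_way_flows(parse_sniffer(SAMPLE_SNIFFER)):
        src, sport, dst, dport = entry["flow"]
        print(f"{src}:{sport} -> {dst}:{dport} arrived on {entry['in_on']} only: "
              f"{entry['packets']} packets, {entry['retransmits']} retransmits, rst={entry['rst']}")
```

Two caveats when reading real captures this way: the sniffer does not see packets of sessions that have been offloaded to the NP (the first packets of a session are still visible), so a missing `out` line on an established flow can be offload rather than a drop; and a one-way flow tells you the FortiGate dropped it, not why, so the next step is exactly what abarushka suggests, a `diagnose debug flow` run filtered on that host and port.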