Dear Experts,
I have two sites connected, FGT-60C and FGT-90D, via IPSEC.
I have a strange issue with some hosts on my network.
Host A (10.10.110.169, FGT-60C) pings host B over IPSEC (FGT-90D) and I get a response.
When I try to do the same and ping from host B to host A, I get timeouts.
I tried the following:
1. Make sure I have a ping from FGT-60C to host A:
PING 10.10.110.169 (10.10.110.169): 56 data bytes
64 bytes from 10.10.110.169: icmp_seq=0 ttl=64 time=1.6 ms
64 bytes from 10.10.110.169: icmp_seq=1 ttl=64 time=1.0 ms
That worked fine.
Then I tried to sniff. This is what I get for host A, pinging from the IPSEC network:
diagnose sniffer packet any "host 10.10.110.169" 4
interfaces=[any]
filters=[host 10.10.110.169]
15.108871 IPSEC-Phones in 10.10.9.149 -> 10.10.110.169: icmp: echo request
15.109169 internal3 out 10.10.9.149 -> 10.10.110.169: icmp: echo request
19.203494 internal1 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.203494 PhonesSwitch in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.203675 internal3 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.212981 internal1 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.212981 PhonesSwitch in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
So I see the request, but I see no reply from host B.
When I try another host on the network, I see the following:
diagnose sniffer packet any "host 10.10.110.50" 4
interfaces=[any]
filters=[host 10.10.110.50]
1.295465 internal1 in arp who-has 10.10.110.80 tell 10.10.110.50
1.295465 PhonesSwitch in arp who-has 10.10.110.80 tell 10.10.110.50
1.295581 internal3 in arp who-has 10.10.110.80 tell 10.10.110.50
12.704045 internal1 in 10.10.110.50.138 -> 10.10.111.255.138: udp 214
12.704045 PhonesSwitch in 10.10.110.50.138 -> 10.10.111.255.138: udp 214
12.704252 internal3 in 10.10.110.50.138 -> 10.10.111.255.138: udp 214
15.914114 IPSEC-Phones in 10.10.9.149 -> 10.10.110.50: icmp: echo request
15.914434 internal3 out 10.10.9.149 -> 10.10.110.50: icmp: echo request
15.914941 internal3 in 10.10.110.50 -> 10.10.9.149: icmp: echo reply
15.915102 IPSEC-Phones out 10.10.110.50 -> 10.10.9.149: icmp: echo reply
I've also added a Any->Any policy to make sure nothing gets blocked.
Any help about how to go about troubleshooting this is much appreciated.
Thank you
So, 10.10.9.149 is on LAN B, right? You didn't show the sniff from the successful ping.
The packet leaves on physical port 'internal3' but there is no reply.
This can be due to many reasons. Are you sure host .110.169 will respond to pings (local software firewall?). Can you ping this host from its local FGT (CLI)?
Another reason would be wrong routing on this host. Its gateway must be the local FGT. But, in this case you would see replies if sniffing on interface 'any', namely packets leaving the WAN interface. Except if the host had NO gateway at all.
* Host 10.10.110.169 has its gateway defined properly: 10.10.110.1, the FGT 60D local address.
* Host 10.10.110.169 can ping LAN B.
I can ping successfully locally from FGT 60D:
The first code section in my original post was the ping from the FW.
Here is the sniff:
diagnose sniffer packet any "host 10.10.110.169"
interfaces=[any]
filters=[host 10.10.110.169]
2.713177 10.10.110.1 -> 10.10.110.169: icmp: echo request
2.713772 10.10.110.169 -> 10.10.110.1: icmp: echo reply
3.712383 10.10.110.1 -> 10.10.110.169: icmp: echo request
3.712955 10.10.110.169 -> 10.10.110.1: icmp: echo reply
4.712366 10.10.110.1 -> 10.10.110.169: icmp: echo request
4.712942 10.10.110.169 -> 10.10.110.1: icmp: echo reply
5.712397 10.10.110.1 -> 10.10.110.169: icmp: echo request
5.712975 10.10.110.169 -> 10.10.110.1: icmp: echo reply
6.402286 10.10.10.212.63773 -> 10.10.110.169.161: udp 80
6.402480 10.10.10.212.63773 -> 10.10.110.169.161: udp 80
6.712364 10.10.110.1 -> 10.10.110.169: icmp: echo request
6.712943 10.10.110.169 -> 10.10.110.1: icmp: echo reply
Routing is on the entire subnet, so I think it should be OK.
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [5/0] via ***, ppp2
[5/0] via ***, ppp1
S 10.10.8.0/22 [10/0] is directly connected, IPSEC-Phones
S 10.10.85.0/24 [10/0] is directly connected, IPSEC- ***
S 10.10.100.0/24 [10/0] is directly connected, IPSEC- ***
C 10.10.108.0/22 is directly connected, internal3
C 10.10.112.0/24 is directly connected, dmz
C 10.10.114.0/24 is directly connected, PhonesVlan
C ***/32 is directly connected, ppp1
C ***/32 is directly connected, ppp2
C ***/32 is directly connected, ppp2
C ***/32 is directly connected, ppp1
Thanks.
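The pattern the sniffs above show (an echo request leaving on internal3 with no echo reply coming back in on that interface) can be checked mechanically rather than by eye. The following Python script is an added example, not code from this thread or from Fortinet: it parses "diagnose sniffer packet" output in both forms posted here (verbosity 4 with "<interface> in|out", and the default form without it), pairs ICMP echo requests with replies per source/destination pair, and reports pairs that got no reply together with the interface the request last left on, which is where the reply should have appeared. The sample captures are the lines posted in this thread; the line format is inferred from those lines and is an assumption for other verbosity levels.

```python
import re
from collections import defaultdict

# One line of FortiGate "diagnose sniffer packet" output as posted in this thread.
# Verbosity 4 prints "<interface> in|out" before the addresses; the default
# verbosity does not, so that group is optional. Only ICMP echo lines match;
# ARP and UDP lines are ignored. (Format inferred from the posted lines; an
# assumption for other verbosity levels.)
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+"
    r"(?:(?P<iface>\S+)\s+(?P<dir>in|out)\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)$"
)

# Sample captures taken from the posts above (failing host, working host,
# and the local ping from the FGT itself).
CAPTURE_FAILING = """\
15.108871 IPSEC-Phones in 10.10.9.149 -> 10.10.110.169: icmp: echo request
15.109169 internal3 out 10.10.9.149 -> 10.10.110.169: icmp: echo request
19.203494 internal1 in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
19.203494 PhonesSwitch in 10.10.110.169.49155 -> 239.255.255.250.1900: udp 271
"""
CAPTURE_WORKING = """\
1.295465 internal1 in arp who-has 10.10.110.80 tell 10.10.110.50
15.914114 IPSEC-Phones in 10.10.9.149 -> 10.10.110.50: icmp: echo request
15.914434 internal3 out 10.10.9.149 -> 10.10.110.50: icmp: echo request
15.914941 internal3 in 10.10.110.50 -> 10.10.9.149: icmp: echo reply
15.915102 IPSEC-Phones out 10.10.110.50 -> 10.10.9.149: icmp: echo reply
"""
CAPTURE_LOCAL = """\
2.713177 10.10.110.1 -> 10.10.110.169: icmp: echo request
2.713772 10.10.110.169 -> 10.10.110.1: icmp: echo reply
3.712383 10.10.110.1 -> 10.10.110.169: icmp: echo request
3.712955 10.10.110.169 -> 10.10.110.1: icmp: echo reply
4.712366 10.10.110.1 -> 10.10.110.169: icmp: echo request
4.712942 10.10.110.169 -> 10.10.110.1: icmp: echo reply
5.712397 10.10.110.1 -> 10.10.110.169: icmp: echo request
5.712975 10.10.110.169 -> 10.10.110.1: icmp: echo reply
6.402286 10.10.10.212.63773 -> 10.10.110.169.161: udp 80
6.712364 10.10.110.1 -> 10.10.110.169: icmp: echo request
6.712943 10.10.110.169 -> 10.10.110.1: icmp: echo reply
"""


def parse_icmp_echo(capture):
    """Yield one dict per ICMP echo request/reply line; other lines are skipped."""
    for raw in capture.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groupdict()


def icmp_echo_summary(capture):
    """Pair echo requests with echo replies.

    Returns {(request_src, request_dst): {"requests", "replies", "last_out"}}.
    At verbosity 4 a forwarded packet appears twice (once "in", once "out"),
    so packets are counted on their "in" line (or on every line when no
    direction is printed). "last_out" is the interface the request was last
    seen leaving on, i.e. where the reply should come back in.
    """
    flows = defaultdict(lambda: {"requests": 0, "replies": 0, "last_out": None})
    for pkt in parse_icmp_echo(capture):
        if pkt["kind"] == "request":
            key = (pkt["src"], pkt["dst"])
            if pkt["dir"] == "out":
                flows[key]["last_out"] = pkt["iface"]
            else:
                flows[key]["requests"] += 1
        else:
            key = (pkt["dst"], pkt["src"])  # key replies by the request direction
            if pkt["dir"] != "out":
                flows[key]["replies"] += 1
    return dict(flows)


def unanswered_echo(capture):
    """Return flows that sent echo requests but never produced a reply."""
    return [(k, v) for k, v in icmp_echo_summary(capture).items()
            if v["requests"] and not v["replies"]]


if __name__ == "__main__":
    for name, cap in [("host A via IPSEC", CAPTURE_FAILING),
                      ("other host via IPSEC", CAPTURE_WORKING),
                      ("local ping from FGT", CAPTURE_LOCAL)]:
        for (src, dst), f in icmp_echo_summary(cap).items():
            status = "OK" if f["replies"] else "NO REPLY"
            print(f"{name}: {src} -> {dst}: {f['requests']} req / "
                  f"{f['replies']} rep, last out on {f['last_out']}: {status}")
```

For the failing capture the script reports the 10.10.9.149 -> 10.10.110.169 flow with one request, zero replies and last_out "internal3", which narrows the problem to the segment behind internal3 (host, switch path, or the host's own reply handling) rather than the tunnel or policy, since the request demonstrably left the FGT.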