Issue in traffic flow in IPsec L3 VPN even when VPN is UP
We are facing a traffic flow issue in an IPsec VPN. The VPN tunnel is up, but we are still facing a traffic flow issue.
The remote side needs to reach a server on the local side, so whenever the remote side initiates a TCP connection, we observe the SYN packet coming out of the VPN tunnel from the remote side, and we receive the SYN packet from the VPN tunnel in the incoming direction. The local side is able to send the SYN-ACK packet towards the remote side through the VPN tunnel, but the SYN-ACK packet is not received at the remote side FW, due to which they are not able to send the ACK packet, which prevents the TCP connection.
I have attached some log for your reference.
For more information,
NAT-T is disabled, PFS is disabled, and auto-negotiate and auto-keepalive are also disabled in the VPN settings.
Please see the traffic flow below for your reference.
On the remote side (Cisco ASA):
VPN tunnel: SYN packet sent
On the local side (FGT 500E):
VPN tunnel: SYN packet received
VPN tunnel: SYN-ACK sent
The SYN-ACK packet sent from the local side does not reach the remote side, due to which the TCP three-way handshake is incomplete.
As far as I understand, the SYN-ACK packet is lost between the FortiGate and the Cisco ASA. If I understand the scenario correctly, you may consider decrypting the ESP packets sniffed on the ISP side following the instructions below:
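The symptom described in this thread (SYN arrives through the tunnel, SYN-ACK leaves, the client's ACK never comes back and the client keeps retransmitting its SYN) can be picked out of a FortiGate sniffer capture automatically. The following is an added example, not code from the original post, the answer, or Fortinet: it parses constructed lines shaped like `diagnose sniffer packet` verbosity-4 output (the exact timestamp, interface name, addresses and sequence numbers below are made up for the example) and classifies each connection attempt by how far its three-way handshake got, so the flows stuck at SYN-ACK are separated from flows the server never answered and from healthy ones.

```python
"""Classify TCP three-way handshakes seen in FortiGate-style sniffer output.

Added example, not part of the original thread. The assumed line shape is
constructed to resemble 'diagnose sniffer packet <iface> "<filter>" 4' output:
  <timestamp> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags seq/ack...>
Only the fields used here are parsed; anything that does not match is skipped.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<rest>.+)$"
)

SYN_SEEN = "SYN_SEEN"        # client SYN arrived, no SYN-ACK has left yet
SYNACK_SENT = "SYNACK_SENT"  # SYN-ACK left towards the client, ACK never came back
ESTABLISHED = "ESTABLISHED"  # handshake completed

TCP_FLAG_WORDS = {"syn", "ack", "fin", "rst", "psh"}


def parse_line(line):
    """Return a dict with src/dst, ports and the TCP flag set, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = {w for w in m.group("rest").split() if w in TCP_FLAG_WORDS}
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": flags,
    }


def classify_handshakes(lines):
    """Map (client, cport, server, sport) -> handshake state, in first-seen order."""
    states = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        f = pkt["flags"]
        if "syn" in f and "ack" not in f:
            # Client SYN (or a retransmission of it): key the flow by the client side.
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            states[key] = SYN_SEEN
        elif "syn" in f and "ack" in f:
            # SYN-ACK travels server -> client, so flip it back to the client-keyed tuple.
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if states.get(key) == SYN_SEEN:
                states[key] = SYNACK_SENT
        elif "ack" in f and "rst" not in f:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            if states.get(key) == SYNACK_SENT:
                states[key] = ESTABLISHED
    return states


def syn_retransmits(lines):
    """Count client SYNs beyond the first per flow; retransmitted SYNs after a
    SYN-ACK was sent are direct evidence the client never received the SYN-ACK."""
    counts = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt and "syn" in pkt["flags"] and "ack" not in pkt["flags"]:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            counts[key] = counts.get(key, -1) + 1
    return counts


def stalled_after_synack(lines):
    """Flows where the local side answered but the client's ACK never arrived:
    the symptom reported in this thread."""
    return [k for k, s in classify_handshakes(lines).items() if s == SYNACK_SENT]


# Constructed sample capture (documentation/private ranges; not from the original post).
SAMPLE_LINES = [
    # Flow A: remote client -> local server :443. SYN-ACK goes out twice, ACK never returns.
    "0.000000 vpn-to-asa in 192.168.50.10.51000 -> 10.10.10.20.443: syn 1000",
    "0.000210 vpn-to-asa out 10.10.10.20.443 -> 192.168.50.10.51000: syn 5000 ack 1001",
    "1.002000 vpn-to-asa in 192.168.50.10.51000 -> 10.10.10.20.443: syn 1000",
    "1.002200 vpn-to-asa out 10.10.10.20.443 -> 192.168.50.10.51000: syn 5000 ack 1001",
    # Flow B: a healthy handshake for contrast.
    "2.000000 vpn-to-asa in 192.168.50.11.40000 -> 10.10.10.20.22: syn 7000",
    "2.000150 vpn-to-asa out 10.10.10.20.22 -> 192.168.50.11.40000: syn 9000 ack 7001",
    "2.040000 vpn-to-asa in 192.168.50.11.40000 -> 10.10.10.20.22: ack 9001",
    # Flow C: SYN arrived but the local side never answered (a different fault).
    "3.000000 vpn-to-asa in 192.168.50.12.42000 -> 10.10.10.20.8080: syn 3000",
]

if __name__ == "__main__":
    for flow, state in classify_handshakes(SAMPLE_LINES).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {state}  "
              f"syn_retransmits={syn_retransmits(SAMPLE_LINES).get(flow, 0)}")
```

Flows reported as `SYNACK_SENT` with a non-zero SYN retransmit count are exactly the ones to chase in the ESP capture on the ISP side: if the encrypted packet carrying the SYN-ACK leaves the FortiGate but the ASA never decrypts it, the loss is on the path or at the peer rather than in the local policy.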