Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kliminon
New Contributor

Remote Site --> HQ --> VPN/Azure

I have an IPSEC VPN built on a Fortinet 200E and working between our HQ and Azure. I have several VM's in Azure and traffic flows successfully. I now want to route traffic from some remote locations to Azure via the VPN. These locations are currently connected to HQ.

Basic topology: 

HQ - Lan1

Remote Locations - Wan1

Internet - Wan2

I have policies for HQ to Azure (Lan1 --> Azure VPN interface) and the remote locations (Wan1 --> Azure VPN interface). When pinging from a remote location I see the traffic handed off to the Azure VPN but nothing comes back. I see no traffic when pinging from Azure to the remote location. 

I believe that this indicates a problem on the Azure side but I have been unsuccessful in capturing packets to verify this. 

Dows anyone have any experience in this scenario?

Thanks

 

2 REPLIES 2
abarushka
Staff
Staff

Hello,

 

In case traffic is lost between FortiGate and Azure side you may consider to decrypt ESP packets. Please find the details by following the link below:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Decrypt-ESP-packets/ta-p/198431?externalID...

nageentaj
Staff
Staff

Hi Team,

 kindly execute the below commands on  the fortigate firewall and share us the output.


Open cli of the firewall at HQ

#diag sniffer packet any 'host a.b.c.d and icmp' 4 0 a where a.b.c.d is the remote destination ip which is the private ip.

please do the continous ping to the destination ip and once the logs are generated ,please download and attach it to the case.

 

open another console @HQ

#diag sniffer packet any 'host a.s.d.f and icmp' 6 0 a where a.s.d.f is the remote gateway ip which is the public ip.

please do the continous ping to the gateway ip  and once the logs are generated you can download and share it here.

 

 

 

2)Kindly share us the logs for the below commands by executing on fortigate firewall.

 

#diagnose vpn tunnel list .

 

3)In another console 

#diag debug reset

#diag debug flow filter addr m.n.o.p   ===>where m.n.o.p is the  destination  ip which is the private  ip.

#diag debug flow filter proto 1

#diag debug flow show function-name enable

#diag debug flow trace start 1000

#diag debug enable

Please do the continous ping to the destination ip and share us the logs.

 

Once the logs are generated please execute below command to disable the debug logs.

#diag debug disable