- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiGate VXLAN with virtual wire pair only works ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate VXLAN with virtual wire pair only works one way?
I have been trying to establish a VXLAN link to evaluate connecting two buildings with the same L2 VLANs over the internet.
The physical setup:
Site 1
Laptop 1 to untagged VLAN8 port on HPE Aruba 2530
Port on HPE Aruba 2530 with VLAN5 and VLAN8 tagged (nothing untagged) to "port15" on primary of Fortigate 200F (7.2.4) HA cluster
Site 2
Laptop 2 to untagged VLAN8 port on HPE Aruba 2530
Port on HPE Aruba 2530 with VLAN5 and VLAN8 tagged (nothing untagged) to "internal5" on Fortigate 60F (7.2.5)
Site 1 and 2 connected via Internet.
The problem I'm having is that only some of the traffic seems to get through the tunnel.
On site2, running a sniffer on 60F internal5 with no filter, I see a lot of UDP broadcast and ARP originating from
Site 1 as well as DHCP discovery from Laptop2. The laptop gets no DHCP offer but running wireshark I can see the same UDP broadcasts from site 1. Using a fixed IP and pinging resources on site1 also fails.
Running diagnose sys vxlan fdb list <vxlan> i get a list of mac addresses from site 1, on both VLANs, with remote_ip set to site1 of the tunnel.
Doing the same on Site 1 returns only a 00:00:00:00:00:00 mac pointing to site2 tunnel ip.
There I can't detect the traffic from site2. It seems that the tunnel only works one way? Are there any additional requirements on the switches besides handeling VLAN tagging?
I have been following "VLAN over IPsec tunnel with virtual wire pair" from the FortiOS 7.2.4 admin guide
https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/821119/vxlan-over-ipsec-tunn...
Any help I can get is much appreciated!
Configurations from both sites:
Site1:
config system vxlan
edit "vxlan-thn-wi"
set interface "Thn-Wi"
set vni 10
set remote-ip "10.199.10.2"
next
end
config system virtual-wire-pair
edit "vwp-thn-wi"
set member "port15" "vxlan-thn-wi"
set wildcard-vlan enable
next
end
config system interface
edit "Thn-Wi"
set vdom "root"
set ip 10.199.10.1 255.255.255.255
set type tunnel
set remote-ip 10.199.10.2 255.255.255.252
set snmp-index 18
set interface "EXTNet"
next
end
config system interface
edit "vxlan-thn-wi"
set vdom "root"
set type vxlan
set snmp-index 46
set interface "Thn-Wi"
next
end
config vpn ipsec phase1-interface
edit "Thn-Wi"
set interface "EXTNet"
set peertype any
set net-device disable
set proposal aes256-sha1
set remote-gw 11.22.33.44
set psksecret ENC xxxxxxxxxxxxxxxxxxxxxxxx
next
end
config vpn ipsec phase2-interface
edit "Thn-Wi"
set phase1name "Thn-Wi"
set proposal aes256-sha1
set auto-negotiate enable
next
end
config firewall policy
edit 68
set name "VWP-Thn-Wi"
set uuid 1f7b01d8-41a5-51ee-8fbd-d4220e557bdf
set srcintf "port15" "vxlan-thn-wi"
set dstintf "port15" "vxlan-thn-wi"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Site 2
config system vxlan
edit "vxlan-thn-wi"
set interface "Thn-Wi"
set vni 10
set remote-ip "10.199.10.1"
next
end
config system virtual-wire-pair
edit "vwp-thn-wi"
set member "internal5" "vxlan-thn-wi"
set wildcard-vlan enable
next
end
config system interface
edit "Thn-Wi"
set vdom "root"
set ip 10.199.10.2 255.255.255.255
set type tunnel
set remote-ip 10.199.10.1 255.255.255.252
set snmp-index 17
set interface "wan1"
next
end
config system interface
edit "vxlan-thn-wi"
set vdom "root"
set type vxlan
set snmp-index 18
set interface "Thn-Wi"
next
end
config vpn ipsec phase1-interface
edit "Thn-Wi"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes256-sha1
set remote-gw 55.66.77.88
set psksecret ENC xxxxxxxxxxxxxxxxxxxxxxxxx
next
end
config vpn ipsec phase2-interface
edit "Thn-Wi"
set phase1name "Thn-Wi"
set proposal aes256-sha1
set auto-negotiate enable
next
end
config firewall policy
edit 2
set name "VWP-Thn-Wi"
set uuid 6e274f4c-41ac-51ee-477a-d68e4bac6cee
set srcintf "vxlan-thn-wi" "internal5"
set dstintf "vxlan-thn-wi" "internal5"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
end
Labels:
- Labels:
-
FortiGate
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @InnovatumIT,
Your configuration looks correct. However, we don't see configuration of "port15" on primary of Fortigate and "internal5" on Fortigate 60F. Do those interfaces have VLAN subinterfaces configured? Is the traffic from laptop 1 and laptop 2 being tagged or not? You can try to ping from laptop 1 to laptop2 and run sniffer on both FortiGates to see how the traffic is flowing. (replace x.x.x.x with the destination IP address)
di sniffer packet any 'host x.x.x.x and icmp' 4 0 l
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Hbac,
I haven't configured any VLANs on the Fortigate ports connecting to the switches. The 60F is "out of the box" and I only removed internal5 from the default internal network. Port15 on the main firewall is also removed from any other assignments.
-------------
config system interface
edit "port15"
set vdom "root"
set type physical
set snmp-index 37
next
end
------------
config system interface
edit "internal5"
set vdom "root"
set type physical
set snmp-index 37
next
end
I've tried connecting the two switches directly to verify that the VLAN trunk ports works ok.
Unfortunatly Laptop2 doesn't get an ARP reply to resolve the IP address and send ICMP ping. The ARP request can be seen on the 60F vxlan-interface:
diagnose sniffer packet any 'arp' 4 0 l
2023-08-28 12:02:05.019056 vxlan-thn-wi out arp who-has 192.168.102.11 tell 192.168.102.6
I can't find the same packet exiting on port15/vxlan-thn-wi on the other fortigate. On 60F there is a lot of other ARP-traffic originating from the main site so traffic seems to flow from Site1 to Site2 but not the other way.
IPSec GUI traffic stats on Site1 says 100B incoming and ~2 GB outgoing and Site2 says also ~2 GB Incoming but 5,33MB outgoing. Both Fortigates can ping eachother using the public IP on Wan.
When I bring the tunnel down and it reconnects, the "Incoming data" on Site1 once again stops at 100B.
I can't find see any errors when using the "Show matching logs" on IPSec status page on both Fortigates. Status also indicates that the tunnel is Up.
Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: I was able to get the vxlan link working by using set npu-offload disable on the ipsec phase1-interface on both Fortigates. Now I'm able to ping devices on both sides. I only get 250-300Mbit throghput so it would be great if npu offload could still be used somehow.
One issue that remains is that devices on the 60F side can only access devices on the same subnet on the 200F. The 200F is the gateway for the combined network but pings originating from accross the vxlan link going out to the internet seems to get no reply. I can see the first icmp request going out on port15, then out on the correct VLAN interface on x1 and finaly out on x1 itself. Subesquent requests stops at port15 and no icmp replies seems to come back from internet.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @InnovatumIT,
It is better to run debug flow on both firewalls to see where the traffic is dropping. Below are an example of debug flow commands:
di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 8.8.8.8
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable
Regards,
Created on 09-07-2023 06:18 AM Edited on 09-07-2023 06:18 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
virtual-wire-pair (VWP) is basically a tiny transparent-mode setup. No routing is expected, what enters port5 leaves out of the VXLAN virtual interface, and vice versa. No other path is possible for traffic entering/leaving these two ports. You cannot route traffic out of this setup.
To be able to do routing, you will need to change the setup and use a software switch instead of a VWP, and then you will be able to do <soft-switch> --> <destination interface> policies.
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I expected the VXLAN/Virtual Wire link to be transparent to most functions in the Fortigate as it was described as just a virtual cable between two switches. If I understand correcty, the traffic that exits the VW port is not routable even it it enters the fortigate again on a different port.
Our main F200 is using the 10G x1 port for all networks. They enter as a VLAN trunk and the F200 acts as FW/GW for VLAN interfaces on x1, including VLAN 5 and 8 that are passed through the VXLAN link.
Created on 09-11-2023 05:10 AM Edited on 09-11-2023 05:23 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's a misunderstanding then.
The idea of virtual wire pair is that it is a "virtual wire". If a packet enters a wire on one side, it should leave on the other. That's all there is to it. A passing packet cannot be steered away from this pair of interfaces.
Switching, nor routing, is not a feature of a wire, whether it's physical, or virtual.
You could switch/route such packet further if you looped it back into a proper routed interface (or into a HW/SW switch interface; for example, if your internal5 was wired back into a different soft-switch interface on the FGT), but these setups have been known to cause issues, especially when UTM is involved. (a single packet passing twice through a single VDOM is "danger zone")
But back to your scenario: If the 200F is supposed to be the gateway for the subnet that is on both sides and VXLANed together, then my suggestion would be to "convert" the VWP on the 200F side into a soft-switch.
The 60F-side can stay as a VWP, unless you expect to occasionally want to route out of the subnet on the 60F already (e.g. what do you do when the 200F is down/unreachable? Is it OK for the subnet on the 60F side to stay cut off, or do you want to give it some backup internet access directly through that 60F?).
[ corrections always welcome ]
Created on 09-11-2023 10:18 PM Edited on 09-11-2023 10:26 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the fast reply! I'm going to try soft switch instead of virtual wire. You mention that the same packet appearing multiple times in the same VDOM is a problem. Could I create a new VDOM, used only for the VXLAN link config, to prevent the problem with packets not beeing routable after passing VXLAN-VW? Packets from 60F exits the VDOM2 VXLAN link through port 15, is then physically sent to root VDOM via x1? The VDOM2 would then need its own internet facing interface and ip i guess.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, I've seen VDOMs used a couple times to deal with weird designs where a packet had to pass through the FortiGate twice. This would need to be done on the FortiGate which has both the VWP (in VDOM-X), and the interface which serves as the gateway for the subnet (VDOM-Y) to route traffic further.
[ corrections always welcome ]
Related Posts
- free vpn client certificate problems 27 Views
- Log messages when forwarding traffic 121 Views
- Issues with activating proxy mode in... 75 Views
- Multiple phase 2 selectors needed for... 177 Views
- Physical AP error on deleting WLAN... 170 Views
Labels
-
FortiGate
6,528 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.