- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Fortigate can't ping via cli over VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate can't ping via cli over VPN
This has been really confusing me the past several days. I have IPSEC tunnels setup between my units and those work fine. If I use a device connected behind a subnet on device 'a' I can get to subnet 'b'. Therefore the VPN component is working. However, if I am at the CLI of a Fortigate I cannot ping or traceroute over the tunnel to the other subnet. The only way I can is if I specify in 'ping-options' to use the internal address of 'x' fortigate device, if done this way pinging works.
Problem being I think this is causing issues with my Fortigates being able to send logs, etc, up to my Fortimanager as it's over a VPN tunnel. Also, I really can't fathom why the unit wouldn't look in it's routing table and realize where it needs to send traffic it generates because there is a static route to the subnet I am attempting to access.
The more confusing part is that this appears to work fine for 40c/60d units. It does not on anything bigger such as 80d, 100d, or 300c.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The only way I can is if I specify in 'ping-options' to use the internal address of 'x' fortigate device, if done this way pinging works.
That's correct and the correct way. So pings are working if you source it correctly.
Are you sourcing the log via that same interface? Is that even a option in your unit(s)?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:The only way I can is if I specify in 'ping-options' to use the internal address of 'x' fortigate device, if done this way pinging works.
That's correct and the correct way. So pings are working if you source it correctly.
Are you sourcing the log via that same interface? Is that even a option in your unit(s)?
I see, strange it works on the lower end units with internal switch interfaces. Is there any valid reason it acts this way?
Not sure exactly what you are asking, but whatever is my internal interface is my management interface. So lets say my fortimanager is on: 10.10.100.5, but my Fortigate is at: 10.10.101.1. Fortimanager sees and connects to the unit at: 10.10.101.1. That works fine sending configs from Fortimanager, or retrieving information. However logs are not being transmitted from the unit up to the manager even though there is a valid tunnel. If I am in the GUI and try to 'test connectivity' it fails each time, and I can only assume it's because the unit is generating traffic and it doesn't go out the right interface. Is there anyway I can force traffic like this to go out 'x' interface?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
However logs are not being transmitted from the unit up to the manager even though there is a valid tunnel.
Have you looked at the "set source-ip x.x.x.x" option in the config syslogd settings? You can specify the source and in your case it would be a interface in the src-subnet range for the vpn.
I be you in your case the logs are being sent using the egress interface address and not a address routed thru the vpn.
Another option is to set layer3 address on the vpn-interface ( assuming you are using routed-based-vpn ) and use that as a source. You will need to ensure firewall policies allow the traffic.
Last option is to use the native ipsec encryption within FortiOS. This is depending on FortiOs versiob but if your in a FortiOS 5.x it should be supported.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:However logs are not being transmitted from the unit up to the manager even though there is a valid tunnel.
Have you looked at the "set source-ip x.x.x.x" option in the config syslogd settings? You can specify the source and in your case it would be a interface in the src-subnet range for the vpn.
I be you in your case the logs are being sent using the egress interface address and not a address routed thru the vpn.
Another option is to set layer3 address on the vpn-interface ( assuming you are using routed-based-vpn ) and use that as a source. You will need to ensure firewall policies allow the traffic.
Last option is to use the native ipsec encryption within FortiOS. This is depending on FortiOs versiob but if your in a FortiOS 5.x it should be supported.
Thank you, setting the syslog config worked! Kind of annoying that I have to dive down into the CLI commands for this, especially for all my units but it's easy enough to solve. I am confused as to why I set it for 'syslogd' and not for 'Fortianalyzer'.
However, would it be more of a recommended practice to enable FMG access on my 'wan' link and then secure the connection using FMG? Meaning if I were in device manager I'd right click on 'x' unit and there's 'secure connection' to create an IPSEC tunnel from FMG to the unit. Obviously I've not enabled that because it's currently all going internal so it's unnecessary.
One last question about the 'layer 3' option you mentioned above. I'm not entirely sure how I would do that (networking is not my strongest suit) and would it also take care of my CLI ping "issue"?
Related Posts
- Deep inspection with streaming media 6 Views
- Can't ping VLAN interfaces through VPN 59 Views
- NO internet connection when using static... 62 Views
- free vpn client certificate problems 134 Views
- SSL VPN on LTE Disconnecting Frequently 111 Views
Labels
-
FortiGate
6,533 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.