Traffic of a specific VLAN not routed over VPN

comas17 · ‎10-20-2016

Hi all

(sorry for the long post but I tried to explain a very strange problem...) After a power outage in our remote office I'm having some strange problems with the VPN connection between our Headquarter (HQ) and our remote office (RO) Our HQ has a Fortigate 60D (firmware 5.2.1 build 618) Our RO has a Fortigate 60C (firmware 5.2.1 build 618) There is a static VPN (called AW_VPN) between HQ and RO used for PC network traffic and also for telephones In "network - interfaces - internal" I have configured a VLAN to be used for telephones HQ PC network is 192.168.20.x HQ phones network is 192.168.1.x RO PC network is 192.168.120.x RO phones network is 192.168.101.x In both firewall are configured the static routes to forward to the VPN (AW_VPN) the traffic for both networks (PC and phones) PC traffic works correctly; no problem to access from HQ to RO and viceversa

Now the problem: Phones DO NOT work correctly; in our HQ there is the switchboard and remote phones cannot connect it I tried to connect my PC to the phones network and these are the tests In our Headquarter Ping from HQ PC (192.168.1.234) to HQ firewall (192.168.1.252) OK Ping from HQ PC (192.168.1.234) to HQ switchboard (192.168.1.2) OK Ping from HQ PC (192.168.1.234) to RO firewall (192.168.101.252) OK Ping from HQ VI (192.168.1.234) to RO telephone (192.168.101.172) OK Ping from HQ PC (192.168.1.234) to RO PC (192.168.101.100) NOT OK In our remote office Ping from RO PC (192.168.101.100) to RO telephone (192.168.101.172) OK Ping from RO PC (192.168.101.100) to RO firewall (192.168.101.252) OK Ping from RO PC (192.168.101.100) to HQ firewall (192.168.1.252) NOT OK It seems to me that there is "something" blocking the telephone traffic from remote office to headquarter As I said the 2 static routes are correctly configured; take into consideration that everithing was working correctly and the problems appeared after a power outage. Some configurations are lost ? Which ? Maybe the firewall LAN port is damaged ? But also pc network traffic uses the same port and it works.. Any idea ? Thank you

RD5 · ‎10-20-2016

I have had a similar issue once where I had to bring the tunnel down and then back up, then it would work as designed. Have you tried that?

Did you check to make sure the policies are there and enabled?

Does the route show up in the routing monitor?

comas17 · ‎10-20-2016

Yes, I have tried to bring the tunnel down and then back up

I tried to reboot both firewalls

Polisies are in place and enabled and they show up in the routing monitor (see attached image)

I'm running out of ideas..

Maybe I could try to delete these routes and recreate them ?

RD5 · ‎10-21-2016

What do the policies look like?

What do your VPN phase 2 settings look like? Are all the networks defined?

Did anything else change other than the power outage?

fl0at0xff · ‎10-22-2016

Hello.

Please can show provide screenshots of your policies ? What is the result of a tracert from the impacted devices to the destination ? Are you sure that the concerned network is present in the IPSec tunnel configuration on both side ? it is really important to have exactly the same network (also called proxyID in some other firewalls). You can maybe try to just setup 0.0.0.0 0.0.0.0 in your network (in the configuration of ipsec tunnel) just to see if this solves the problem.

BR

comas17 · ‎10-24-2016

Hi all

solved !

It was, as you suggested, a problem of policy; one of them was incorrect

What I don't understand is that, as I said, I did not change anything on policies after power outage as I was thinking that everithing was correctly configured and working.

Maybe the correct policy was "running in memory" but not saved and after the reboot it restarted with an old one (not correct) ?

Could it be possible ?

Thank you all