Dizzy_Read
New Contributor

Site to Site IPSEC problems

 

Hi!

 

We have some problem with routing (?) via IPsec site-to-site.

 

1. 2 ISPs on both sides, 4 IPsec tunnels from the branch site (60C) to the main office (1000C).

2. Phase 2 on all tunnels uses 0.0.0.0/0.0.0.0 as the networks, with static routes of different distance (1-2-3-4) for IPsec failover.

3. "LAN" 192.168.7.0/24 on the 60C and "LAN" 192.168.0.0/24 on the 1000C

4. FW on the 60C and 1000C is 5.2.11, the latest

5. Everything works fine, traffic flows from any LAN to any LAN via IPsec, BUT ...

 

If I trace route from a host in LAN 192.168.0.0 to a host in 192.168.7.0, I see the WAN1 IP of the 60C in the trace route ....

 

1    <1 ms    <1 ms    <1 ms  192.168.0.251 (1000C LAN IP)
2     3 ms     3 ms     2 ms  xx.xx.xx.xx (60C WAN1 IP)
3     3 ms     2 ms     2 ms  host5 [192.168.7.1] (host in the 192.168.7.0 network)

 

Why does traffic flow like this??? We have a few other devices connected the same way, with no tracert problems!!!

 

We tried checking all the settings, all the same, the only difference is the connected ports. We think traffic flows according to the ifindex of the port on the FGT????

 

How can we resolve this issue?

 

We have trouble with applications like TMG 2010: client source IP (WAN IP of the 60C) unreachable in the logs ...

 

Thanks for any help!

 

bommi
Contributor III

This is not an issue.

Your tunnel interfaces are unnumbered, so your FortiGate just takes some IP address to display in the output.

 

This behavior is documented here:

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36799

 

Regards

bommi

NSE 4/5/7
emnoc
Esteemed Contributor III

FWIW, you can add addresses to the tunnel interfaces.

PCNSE 

NSE 

StrongSwan  
Dizzy_Read

 

Thanks for the answer!!! I tried setting IPs on the IPsec interface, it works like in the document

 

http://kb.fortinet.com/kb/documentLink.do?externalID=FD36799 

I see these IPs in tracert, but Internet via TMG is not working properly ... TMG says: unknown source ... It can't check this source IP, I think

 

Maybe I am doing something wrong???

 

We have a few tunnels on another FGT without problems like this ((( the only difference is the connected ports

 

I don't know how to fix these problems ((( HELP )))

Dizzy_Read
New Contributor

Hi! Can anyone help with these issues?

oheigl

What do you mean by "check this source IPs"? What's the IP of the TMG, and at which location is it? We need some more information to help you with this case.

Dizzy_Read

From TMG (network 192.168.0.0) I do a tracert to a host in network 192.168.1.0 (this one has problems)

 

1    <1 ms    <1 ms    <1 ms  192.168.0.251 (the local GW FGT LAN IP)
2     *        *        *     destination unreachable (sometimes this is the IP of another FGT port!!!)
3     5 ms     2 ms     3 ms  192.168.1.1 (the remote host)

 

From TMG (network 192.168.0.0) I do a tracert to network 192.168.2.0 (NO problems)

 

1    <1 ms    <1 ms    <1 ms  192.168.0.251 (the local GW FGT LAN IP)
2    14 ms    14 ms    14 ms  192.168.2.252 (the remote GW FGT LAN IP)
3    15 ms    17 ms    15 ms  SPB-DC1 [192.168.2.1] (the remote host)

 

All site-to-site tunnels have the same config. The only difference is the ports used on the FGT (port devindex???)

 

Internet from 192.168.1.0 flows to the main office TMG (proxy). It's slow, not working properly (freezes), etc.

Internet from 192.168.2.0 flows to the main office TMG (proxy). NO PROBLEMS, all fine!

 

Antonio_Milanese

Hi Dizzy,

 

maybe a diagram of the network will help...

 

anyway some questions:

- which version of TMG and Windows OS?

- how do clients interact with TMG? transparent or explicit proxy, ISA client?

- and if it's the ISA client, have you checked whether it's an MTU problem?

- can you ping the affected clients from TMG?

- is there any NAT involved?

- are clients hitting TMG from the "internal" interface or another interface, and if the latter, how have you declared the network rules?

 

Regards,

 

Antonio

Dizzy_Read

 

Hi, Antonio, thanks for the help!!!

maybe a diagram of the network will help... - I added it as an attachment (n1.jpg)

anyway some questions:

- which version of TMG and Windows OS? - Win2008R2, TMG 2010 latest CU

- how do clients interact with TMG? transparent or explicit proxy, ISA client? - just proxy, no ISA client

- and if it's the ISA client, have you checked whether it's an MTU problem? - no ISA client )))

- can you ping the affected clients from TMG? - yes!

- is there any NAT involved? - NAT only on TMG. In the FGT rules NAT is disabled

- are clients hitting TMG from the "internal" interface or another interface, and if the latter, how have you declared the network rules? - proxy on TMG on the LAN interface, no special rules - Any from LAN to Internet via proxy.

 

P.S. We have problems with "Internet via proxy on TMG" only on side 2 (on the scheme). On side 3 we have no problems.

All configs for the tunnels and rules on the FGT are the same for all sides. We re-checked everything ((( We think it's a problem with the DEVINDEX of the ports on the FGT. The problem side has more ports in use (with IP), and the FGT uses it, I think. We also have the same problems on a few other sides of the network where we use FGT IPsec. And we have sides without problems.

 

I don't know how to fix the problems ...

 

P.P.S.

 

tracert from the problem side (client PC 192.168.1.62) to the proxy srv

 

1    <1 ms    <1 ms    <1 ms  192.168.1.254 (FGT LAN port on the problem side, 192.168.1.0/24)
2     5 ms     3 ms     2 ms  X.X.X.X (FGT WAN IP here)
3     3 ms     5 ms     5 ms  gatecore [192.168.0.10] (TMG 2010 srv)

 

tracert from the proxy srv to the client PC on the problem side

 

1    <1 ms    <1 ms    <1 ms  192.168.0.251 (FGT LAN port in 192.168.0.0/24)
2     *        *        *     Request timed out
3     3 ms     5 ms     3 ms  TSK-PER9-PS-WS3 [192.168.1.62] (client PC on the problem side)

Antonio_Milanese

Dizzy_Read wrote:

anyway some questions:

- which version of TMG and Windows S.O. ? - Win2008R2 TMG 2010 latest CU

 

umm, W2k8R2 has a weird PMTUD behaviour..

what MTU do you have on the site 2 line.. without other encaps (PPPoE f.e.)? IIRC with des+md5+pad you should have 1446

you can check using this handy tool

 

https://www.elifulkerson.com/projects/mturoute.php

 

Dizzy_Read wrote:
- clients are hitting TMG from "internal" interface or another interface and if the latter how have you declater network rules - proxy on TMG on LAN interface, no special rules - Any from LAN to Internet via proxy.

so the site 2 network has been added to the TMG internal nets, a static route is in place and TMG is a two-leg deployment..

 

 

Dizzy_Read wrote:

P.S Problems with "internet via proxy on TMG" we have only on side 2 (on sheme). On side 3 we have no problems.

All configs in tunnels and rules on FGT same for all sides. We re-check all ((( We think its problems with DEVINDEX

what do you mean by a "DEVINDEX" problem?

from your diagram I see a single LAN port (port20), so if your config does not have wrong routes or PBR rules I cannot see any problem routing multiple tunnels through the LAN port..

Based on what I see from the diagram, at first glance I would hypothesize an MTU problem, but a good idea would also be to do a packet capture or at least a diag debug flow..

 

For the missing hops in traceroute, bommi's response is absolutely correct.

 

Regards,

 

Antonio
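The 1446 figure Antonio quotes above comes from the fixed ESP tunnel-mode overhead plus block-size padding, which is why it cannot be found by subtracting a single constant. The calculation below is an added example, not code from the original thread or from Fortinet; it assumes a 1500-byte outer link (no PPPoE), the RFC 4303 ESP layout with 96-bit truncated HMAC ICVs (RFC 2403/2404) and, optionally, the 8-byte UDP header that NAT-T (RFC 3948) adds. It also goes beyond the thread's des+md5 case and covers the AES and SHA combinations a practitioner is more likely to meet today.

```python
"""
Largest inner IP packet that still fits in one ESP tunnel-mode datagram,
i.e. the effective MTU of the IPsec tunnel interface.

Added example, not from the forum thread. Assumptions (not stated on the
page): 1500-byte outer MTU, IPv4 outer header, ESP per RFC 4303, HMAC ICVs
truncated to 96 bits for MD5/SHA1 (RFC 2403/2404) and 128 bits for SHA-256
(RFC 4868), and NAT-T adding one 8-byte UDP header (RFC 3948).
"""

OUTER_IP_HDR = 20   # IPv4 outer header added by tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1), inside the encrypted region
NAT_T_UDP = 8       # UDP header when NAT traversal is in use

# cipher -> (IV length, cipher block size) in bytes
CIPHERS = {
    "des": (8, 8),
    "3des": (8, 8),
    "aes128": (16, 16),
    "aes256": (16, 16),
}

# integrity algorithm -> ICV length in bytes (truncated HMAC)
ICVS = {
    "md5": 12,
    "sha1": 12,
    "sha256": 16,
}


def esp_overhead(inner_len, cipher, integ, nat_t=False):
    """Bytes added by ESP tunnel mode to an inner packet of inner_len bytes.

    The encrypted region is inner packet + padding + trailer, and the
    padding brings that region up to a multiple of the cipher block size,
    so the overhead depends on inner_len, not only on the algorithms.
    """
    iv_len, block = CIPHERS[cipher]
    icv_len = ICVS[integ]
    pad = (-(inner_len + ESP_TRAILER)) % block
    overhead = OUTER_IP_HDR + ESP_HDR + iv_len + pad + ESP_TRAILER + icv_len
    if nat_t:
        overhead += NAT_T_UDP
    return overhead


def tunnel_mtu(cipher, integ, outer_mtu=1500, nat_t=False):
    """Largest inner packet whose encapsulation fits in outer_mtu bytes.

    Walks down from outer_mtu because the padding term changes with the
    inner length; the first size that fits is the tunnel MTU.
    """
    inner = outer_mtu
    while inner > 0 and inner + esp_overhead(inner, cipher, integ, nat_t) > outer_mtu:
        inner -= 1
    return inner


def tcp_mss(mtu):
    """TCP MSS that fits in mtu: subtract a 20-byte IPv4 and 20-byte TCP header."""
    return mtu - 40


if __name__ == "__main__":
    for cipher, integ in (("des", "md5"), ("3des", "sha1"), ("aes128", "sha1"), ("aes256", "sha256")):
        for nat_t in (False, True):
            mtu = tunnel_mtu(cipher, integ, nat_t=nat_t)
            print(f"{cipher:7s} {integ:7s} nat-t={str(nat_t):5s} "
                  f"tunnel MTU {mtu}  TCP MSS {tcp_mss(mtu)}")
```

For des+md5 the loop stops at 1446 (1446 + 2 is already a multiple of 8, so no padding; overhead is 20 + 8 + 8 + 2 + 12 = 50), which matches the figure above; enabling NAT-T pushes the same pair down to 1438. If mturoute or a DF-bit ping across the tunnel reports a smaller path MTU than the function predicts, something else on the path (PPPoE, a second encapsulation) is eating bytes, and when PMTUD is unreliable, as Antonio suspects for W2k8R2, clamping the TCP MSS to tcp_mss(tunnel_mtu(...)) at the tunnel is the usual way to keep proxy sessions from stalling on large packets.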