Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
leviu
New Contributor

[SOLVED] Packets for port 5038 go through S2S tunnel but don't get routed locally

Model number: 100D (x2 in HA cluster)

Firmware: v5.2.9,build736

Issue:

We have a site to site IPSec tunnel to our customer created using the wizard and a "Site to Site - Fortigate" template (the other end is a Fortigate 90d running v5.4.1,build1064).

 

The customer site has two networks:

10.14.48.0/24 - for computers

10.14.50.0/24 - for VOIP phones

 

Our end:

vlan internal network (number 12) with a PBX server

 

There are rules in place for VOIP traffic and the SIP helper is disabled on the 100D (system wide) - VOIP works fine over the tunnel to the PBX server on vlan12. Now I have configured rules on both ends so that the computer network is able to talk to the PBX server on vlan12 using the TCP port 5038.

 

My issue is that the traffic exits the customer Fortigate (comes in on the internal network and goes out the tunnel interface) and arrives at our Fortigate on the tunnel interface, however it does NOT get forwarded to the vlan12 interface where the PBX server is located. Again, the VOIP traffic from the phone network DOES get forwarded to the vlan12 interface.

 

I have attached a screenshot from the UI showing the problematic policy I have and an example of the exact same working policy with different ports.

Here (since I can't attach more than one image) are all the screenshots with an example of a working policy and the problematic policy, where the difference is only the ports (services). There are also screenshots of packet capture from the customer Fortigate and our Fortigate showing the traffic flow.

 

Any help would be appreciated.

~levi

 

rohitbhas_22
New Contributor

Hi Levi,

 

Is it possible for you to run 'debug policy' at your end firewall (to check the flow of traffic from customer)?

You can filter it with src & dst ip address / port.

 

For the voip traffic to pbx server (your site), I would recommend you to check the routing (reachability).

leviu

Thanks for the reply.

 

Are you referring to the 'diagnose debug flow' set of commands?

 

There is nothing to test for the VOIP traffic - that works fine. Sorry if I explained poorly - I wrote the post at the end of a long work day ^_^.

 

~levi

rwpatterson
Valued Contributor III

Show the CLI output of the custom VoIP service on the remote FGT.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

leviu
New Contributor

This is the customer site service:

And this is from our Fortigate:

 

Thanks for the reply!

leviu

rohitbhas.22 wrote:

Hi Levi,

 

Is it possible for you to run 'debug policy' at your end firewall (to check the flow of traffic from customer)?

You can filter it with src & dst ip address / port.

 

For the voip traffic to pbx server (your site), I would recommend you to check the routing (reachability).

 

I've run the debug and here is the output:

Not sure what "policy 0" is. Sounds like it is simply denied due to lack of an allow policy 0.o

Same thing happens for the HTTP traffic!

 

 

Another major point: yesterday we upgraded the 100D Forti at our end to 5.6.5!

Here is the new policy screenshot. No idea why there is a "Proxy" option now. Maybe it's bundled with the VOIP one...

~levi

leviu
New Contributor

I solved the issue: the source object (computer-network) was set with /32 and not /24 network.
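The two things this thread turns on, as an added example that is not from the thread and is not Fortinet code: a small Python model of the top-down policy lookup, showing that a source object of 10.14.48.0/32 matches only the host 10.14.48.0 while every other computer falls through to the implicit deny that debug flow reports as "policy 0", and a parser for 'diagnose debug flow' trace lines of the kind rohitbhas_22 suggested collecting, which pulls those policy-0 denials out. The PBX address 10.0.12.10, the tunnel interface name Customer-VPN, the policy ids 5 and 7, and the sample trace lines are constructed for the example; the customer subnets, vlan12 and TCP port 5038 come from the thread.

```python
# Added example (not from the thread or from Fortinet): a model of the FortiGate
# top-down policy match, plus a parser for "diagnose debug flow" trace lines.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

IMPLICIT_DENY = 0  # FortiGate reports the implicit deny as policy id 0


@dataclass(frozen=True)
class AddressObject:
    name: str
    subnet: ipaddress.IPv4Network  # /32 is one host, /24 is the whole LAN


@dataclass(frozen=True)
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: AddressObject
    dstaddr: AddressObject
    proto: str
    dport: Optional[int]  # None means ANY


def lookup_policy(policies, srcintf, dstintf, src_ip, dst_ip, proto, dport):
    """First matching policy wins, as in the FortiGate policy table."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for p in policies:
        if (p.srcintf, p.dstintf, p.proto) != (srcintf, dstintf, proto):
            continue
        if src not in p.srcaddr.subnet or dst not in p.dstaddr.subnet:
            continue
        if p.dport is not None and p.dport != dport:
            continue
        return p.policy_id
    return IMPLICIT_DENY


# Constructed objects: PBX address 10.0.12.10 and interface "Customer-VPN" are
# assumptions; the two customer subnets are the ones given in the thread.
PBX = AddressObject("pbx-server", ipaddress.ip_network("10.0.12.10/32"))
PHONES = AddressObject("phone-network", ipaddress.ip_network("10.14.50.0/24"))
COMPUTERS_WRONG = AddressObject("computer-network", ipaddress.ip_network("10.14.48.0/32"))
COMPUTERS_FIXED = AddressObject("computer-network", ipaddress.ip_network("10.14.48.0/24"))


def policy_table(computers):
    return [
        Policy(5, "Customer-VPN", "vlan12", PHONES, PBX, "udp", 5060),     # working VoIP rule
        Policy(7, "Customer-VPN", "vlan12", computers, PBX, "tcp", 5038),  # the problem rule
    ]


def ami_policy_for(src_ip, computers=COMPUTERS_WRONG):
    """Which policy a computer's TCP/5038 connection to the PBX hits."""
    return lookup_policy(policy_table(computers), "Customer-VPN", "vlan12",
                         src_ip, "10.0.12.10", "tcp", 5038)


# Constructed sample in the general shape of FortiOS 5.x "diagnose debug flow"
# output; it is not a capture from the thread. Note the route lookup succeeds
# (via vlan12) before the forward policy check denies the packet.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=3 func=print_pkt_detail line=4793 msg="vd-root received a packet(proto=17, 10.14.50.20:5060->10.0.12.10:5060) from Customer-VPN."
id=20085 trace_id=3 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.0.12.10 via vlan12"
id=20085 trace_id=3 func=fw_forward_handler line=670 msg="Allowed by Policy-5:"
id=20085 trace_id=7 func=print_pkt_detail line=4793 msg="vd-root received a packet(proto=6, 10.14.48.25:49152->10.0.12.10:5038) from Customer-VPN. flag [S], seq 1234, ack 0, win 8192"
id=20085 trace_id=7 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.0.12.10 via vlan12"
id=20085 trace_id=7 func=fw_forward_handler line=670 msg="Denied by forward policy check (policy 0)"
"""

TRACE_RE = re.compile(r'trace_id=(\d+) .*? msg="(.*)"$')
PKT_RE = re.compile(r'\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')


def summarize_debug_flow(output):
    """Group trace lines by trace_id: {id: {"packet": (src, dst, dport), "policy": id}}."""
    traces = {}
    for line in output.strip().splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        entry = traces.setdefault(tid, {"packet": None, "policy": None})
        pm = PKT_RE.search(msg)
        if pm:
            entry["packet"] = (pm.group(2), pm.group(4), int(pm.group(5)))
        dm, am = DENY_RE.search(msg), ALLOW_RE.search(msg)
        if dm:
            entry["policy"] = int(dm.group(1))
        elif am:
            entry["policy"] = int(am.group(1))
    return traces


def implicit_denies(output):
    """Flows that reached the forward policy check and matched nothing (policy 0)."""
    return [t["packet"] for t in summarize_debug_flow(output).values()
            if t["policy"] == IMPLICIT_DENY]


if __name__ == "__main__":
    print("10.14.48.25 with /32 object ->", ami_policy_for("10.14.48.25"))
    print("10.14.48.25 with /24 object ->", ami_policy_for("10.14.48.25", COMPUTERS_FIXED))
    print("policy-0 denials in sample trace:", implicit_denies(SAMPLE_DEBUG_FLOW))
```

On a real 5.x unit the equivalent trace is collected with `diagnose debug enable`, `diagnose debug flow filter port 5038` (or `filter addr <ip>`), `diagnose debug flow show console enable` and `diagnose debug flow trace start 100`; a "find a route ... via vlan12" line followed by "Denied by forward policy check (policy 0)" is the signature of exactly this case: routing is fine, but no policy's source, destination, interface and service all match, so the packet never reaches vlan12.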
