Specific traffic appears to enter IPsec tunnel but not exit!?
On an ipsec interface tunnel between FGT-A and FGT-B, I see specific traffic (Server SYN) enter the ipsec interface at A but cannot see it exit at B (using diagnose sniffer packet and diagnose debug flow at each end).
The configuration and functionality are not new and are duplicated widely across our system; I see the problem only on one instance.
- The ipsec tunnel also carries OSPF and all necessary routes are visible;
- The ipsec tunnel carries all traffic to and from FGT-B;
- The Client also establishes a session in the reverse direction, this is successful.
- I see no other functionality impacted on the tunnel
- I have checked firewall address and policy configurations
- I have used diagnose debug flow to try to see the traffic arriving at FGT-B with no result
- The client also connects to the server on the same port using a reverse rule; this is working fine.
- On the incoming policy at FGT-B I set auto-asic-offload disable to try to see more traffic
- FGT-B was recently power cycled for other reasons which did not alter the behaviour.
- Both FGT-A and FGT-B are a-p clusters of FGT60E running 5.4.4
- At FGT-A I cleared the existing firewall policy session; a new session was created on the next packet as expected.
- Note, the client is 1-1 NATed behind FGT-B using both vip and ippool, but (a) that solution works and (b) traffic hasn't even arrived at the external interface yet.
I am seeking suggestions to fault-find this. I am familiar with di de sni pac and di de flow, and routes are present. Routing looks OK, the policies look OK, the firewall address subnets look OK. I'm a bit baffled.
PS. I posted this under VPN because the issue appears to be traffic entered a tunnel but didn't come out. I appreciate the apparent stupidity of that remark and to quote some small people I know "It can't be no-where".
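An added troubleshooting checklist, not part of the original post and not from the poster, that compares what each end sees at the three points the question describes: the cleartext packet on the tunnel interface, the ESP packet on the WAN, and the tunnel's own selectors and counters. It assumes placeholder names and addresses: tunnel interfaces `tunnel-to-B` (on FGT-A) and `tunnel-to-A` (on FGT-B), WAN interface `wan1`, server `192.0.2.10` on port `443`, FGT-A public address `198.51.100.1` and FGT-B public address `203.0.113.2`.

```fortios
# --- On FGT-A: confirm the SYN is actually handed to the tunnel ---
# Cleartext packet as it enters the IPsec interface
diagnose sniffer packet tunnel-to-B 'host 192.0.2.10 and port 443' 4 0 l
# ESP leaving the WAN towards FGT-B. If the cleartext packet is seen but no ESP
# follows, the drop is inside FGT-A (selector, offload) rather than in transit.
diagnose sniffer packet wan1 'esp and host 203.0.113.2' 4 0 l

# --- On FGT-B: the same two points, in reverse order ---
# ESP arriving from FGT-A
diagnose sniffer packet wan1 'esp and host 198.51.100.1' 4 0 l
# Decrypted packet leaving the tunnel interface
diagnose sniffer packet tunnel-to-A 'host 192.0.2.10 and port 443' 4 0 l

# --- Both ends: phase-2 selectors and encrypt/decrypt counters ---
# A rising encrypted count at A with no matching decrypted count at B points
# at the transport path; a selector that does not cover the server's subnet
# points at phase-2 configuration.
diagnose vpn tunnel list name tunnel-to-B

# --- Both ends: debug flow scoped to the one flow under test ---
diagnose debug reset
diagnose debug flow filter addr 192.0.2.10
diagnose debug flow filter port 443
diagnose debug flow show console enable
diagnose debug flow trace start 100
diagnose debug enable
# ... reproduce the connection attempt, then stop tracing:
diagnose debug disable
diagnose debug reset
```

The policy-level `auto-asic-offload` setting mentioned in the post is separate from tunnel-level hardware offload; if the tunnel counters on FGT-B increment while neither the sniffer nor debug flow shows the decrypted packet, temporarily disabling NPU offload on that phase1-interface (the `npu-offload` option, where the build provides it) is the usual way to make the traffic visible to the sniffer again.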