Remote VPN user cannot access Router to Router VPN Servers

Author: ddemland
2018/12/06 09:48:06

Remote VPN user cannot access Router to Router VPN Servers

 
I am running 5.6.6 on a Fortigate 60D. I have a remote VPN client that connects to the local Fortigate, and the local Fortigate already has a router to router connection with our hosted network. The VPN client, when trying to reach a host on the router to router connection, gets the following trace:
 
id=20085 trace_id=931 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=356."
id=20085 trace_id=931 func=init_ip_session_common line=5454 msg="allocate a new session-0028d989"
id=20085 trace_id=931 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.40.108.12 via SherWeb"
id=20085 trace_id=931 func=fw_forward_handler line=737 msg="Allowed by Policy-8:"
id=20085 trace_id=931 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=931 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=932 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=357."
id=20085 trace_id=932 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=932 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=932 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=932 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=933 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=358."
id=20085 trace_id=933 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=933 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=933 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=933 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=934 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=359."
id=20085 trace_id=934 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=934 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=934 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=934 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
I have no idea how to handle this. The "SA not ready" message does not make sense to me since this tunnel is up all the time. What am I missing to allow the remote VPN user to access the remote systems?
 
Thank You,
 
David Demland
#1
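As an added example (not part of the original post and not Fortinet code), here is a small parser for `diagnose debug flow` output of the kind quoted above. It groups lines by `trace_id`, records ingress interface, route, policy, egress interface and any drop, and links packets that belong to the same session. The sample input is constructed: trace_id 931 and 932 are David's lines; trace_id 940 is a hypothetical TCP flow from an interface named `internal` matched by a hypothetical policy 5 that reaches the tunnel without a drop line, for contrast. The `sessions_never_delivered` check separates a one-off first-packet drop, which is normal while the SA is brought up, from a session in which every traced packet dies at the same function.

```python
"""Summarise FortiOS 'diagnose debug flow' output: ingress interface, policy,
egress interface and the function/message a packet was dropped at.
Added example for this thread, not FortiOS code; the regexes follow the
5.6-era message formats quoted in the posts."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: trace_id 931/932 are the thread's lines; trace_id 940 is
# hypothetical (interface 'internal', policy 5) and has no drop line.
SAMPLE_TRACE = """\
id=20085 trace_id=931 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=356."
id=20085 trace_id=931 func=init_ip_session_common line=5454 msg="allocate a new session-0028d989"
id=20085 trace_id=931 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.40.108.12 via SherWeb"
id=20085 trace_id=931 func=fw_forward_handler line=737 msg="Allowed by Policy-8:"
id=20085 trace_id=931 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=931 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=932 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.102:1->10.40.108.12:2048) from SparkVPN_2. type=8, code=0, id=1, seq=357."
id=20085 trace_id=932 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-0028d989, original direction"
id=20085 trace_id=932 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_2 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
id=20085 trace_id=932 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
id=20085 trace_id=932 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
id=20085 trace_id=940 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=6, 192.168.1.10:51234->10.40.108.12:443) from internal. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=940 func=init_ip_session_common line=5454 msg="allocate a new session-0028da01"
id=20085 trace_id=940 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.40.108.12 via SherWeb"
id=20085 trace_id=940 func=fw_forward_handler line=737 msg="Allowed by Policy-5:"
id=20085 trace_id=940 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\w+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), '
                    r'(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<in_if>\S+?)\.(?:\s|$)')
SESSION_RE = re.compile(r'session(?:, id)?-(?P<sid>[0-9a-f]+)')
ROUTE_RE = re.compile(r'find a route: .* via (?P<out_if>\S+)')
POLICY_RE = re.compile(r'(?P<verdict>Allowed|Denied) by Policy-(?P<pid>\d+)')
OFFLOAD_RE = re.compile(r'Trying to offloading session from \S+ to (?P<out_if>[^\s,]+)')
IPSEC_RE = re.compile(r'enter IPsec interface-(?P<out_if>\S+)')


@dataclass
class FlowTrace:
    """One packet's path through the flow trace (one trace_id)."""
    trace_id: int
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    session: Optional[str] = None
    policy: Optional[int] = None
    offload_attempted: bool = False
    drop_func: Optional[str] = None
    drop_reason: Optional[str] = None

    @property
    def dropped(self) -> bool:
        return self.drop_reason is not None


def parse_flow_trace(text: str) -> Dict[int, FlowTrace]:
    flows: Dict[int, FlowTrace] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt, blank line, sniffer output: not a flow-trace line
        tid, func, msg = int(m["tid"]), m["func"], m["msg"]
        f = flows.setdefault(tid, FlowTrace(trace_id=tid))
        if (p := PKT_RE.search(msg)):
            f.proto, f.src, f.dst, f.in_if = int(p["proto"]), p["src"], p["dst"], p["in_if"]
        elif (s := SESSION_RE.search(msg)):
            f.session = s["sid"]
        elif (r := ROUTE_RE.search(msg)):
            f.out_if = r["out_if"]
        elif (pol := POLICY_RE.search(msg)):
            f.policy = int(pol["pid"])
            if pol["verdict"] == "Denied":
                f.drop_func, f.drop_reason = func, msg
        elif (o := OFFLOAD_RE.search(msg)):
            f.offload_attempted, f.out_if = True, o["out_if"]
        elif (i := IPSEC_RE.search(msg)):
            f.out_if = i["out_if"]
        # FortiOS drop messages end with the word "drop" ("..., drop")
        if msg.rstrip().endswith("drop") and f.drop_reason is None:
            f.drop_func, f.drop_reason = func, msg
    return flows


def summarize_drops(flows: Dict[int, FlowTrace]) -> Counter:
    """Dropped packets per (src, dst, egress interface, function, reason)."""
    return Counter((f.src, f.dst, f.out_if, f.drop_func, f.drop_reason)
                   for f in flows.values() if f.dropped)


def sessions_never_delivered(flows: Dict[int, FlowTrace]) -> List[str]:
    """Sessions with more than one traced packet where every packet died at the
    same function: a persistent condition, not a first-packet SA bring-up."""
    by_session: Dict[str, List[FlowTrace]] = defaultdict(list)
    for f in flows.values():
        if f.session:
            by_session[f.session].append(f)
    return sorted(sid for sid, fs in by_session.items()
                  if len(fs) > 1 and all(x.dropped and x.drop_func == fs[0].drop_func for x in fs))


if __name__ == "__main__":
    flows = parse_flow_trace(SAMPLE_TRACE)
    for (src, dst, out_if, func, reason), n in summarize_drops(flows).items():
        print(f"{n:3d}x {src} -> {dst} via {out_if}: {func}: {reason}")
    print("sessions never delivered:", sessions_never_delivered(flows))
```

Run against the full trace in post #5 it reports the same thing: both packets of session 002bddf8 are allowed by policy 8, routed to SherWeb, and dropped in ipsec_common_output4, which is what to look for before suspecting the policy or the route.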

6 Replies

    Toshi Esumi
    Re: Remote VPN user cannot access Router to Router VPN Servers 2018/12/06 14:10:28
    Do your phase2 network selectors include this source IP 10.77.250.102?
    #2
    ddemland
    Re: Remote VPN user cannot access Router to Router VPN Servers 2018/12/06 16:21:56
    Yes I have the following:
     
    10.77.250.0/255.255.255.0      10.40.108.0/255.255.255.0
     
    I also have a couple of other networks in the selectors, but they are for internal users, not remote VPN users.
     
    David
    #3
    Toshi Esumi
    Re: Remote VPN user cannot access Router to Router VPN Servers 2018/12/06 16:33:52
    Then you have to start debugging with 1) the sniffer to see how far it can get, then 2) flow debugging to see why it's dropped. Make sure you disable ASIC offloading on the policies for debugging.
    #4
    ddemland
    Re: Remote VPN user cannot access Router to Router VPN Servers 2018/12/06 18:42:51
    I have done this. The sniff shows:
     
    SparkRouter # diagnose sniffer packet SherWeb 'host 10.40.108.12 and host 10.77.250.101' 4 500
    interfaces=[SherWeb]
    filters=[host 10.40.108.12 and host 10.77.250.101]
    pcap_lookupnet: SherWeb: no IPv4 address assigned
    4.211977 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request
    9.051125 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request
    14.044818 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request
    19.052117 SherWeb -- 10.77.250.101 -> 10.40.108.12: icmp: echo request


    And the flow still shows:
     
    SparkRouter # id=20085 trace_id=959 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=269."
    id=20085 trace_id=959 func=init_ip_session_common line=5454 msg="allocate a new session-002bddf8"
    id=20085 trace_id=959 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-10.40.108.12 via SherWeb"
    id=20085 trace_id=959 func=fw_forward_handler line=737 msg="Allowed by Policy-8:"
    id=20085 trace_id=959 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
    id=20085 trace_id=959 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
    id=20085 trace_id=960 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=270."
    id=20085 trace_id=960 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-002bddf8, original direction"
    id=20085 trace_id=960 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_1 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
    id=20085 trace_id=960 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
    id=20085 trace_id=960 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
    id=20085 trace_id=961 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=271."
    id=20085 trace_id=961 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-002bddf8, original direction"
    id=20085 trace_id=961 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_1 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
    id=20085 trace_id=961 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
    id=20085 trace_id=961 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"
    id=20085 trace_id=962 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 10.77.250.101:1->10.40.108.12:2048) from SparkVPN_1. type=8, code=0, id=1, seq=272."
    id=20085 trace_id=962 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-002bddf8, original direction"
    id=20085 trace_id=962 func=npu_handle_session44 line=917 msg="Trying to offloading session from SparkVPN_1 to SherWeb, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
    id=20085 trace_id=962 func=ipsecdev_hard_start_xmit line=583 msg="enter IPsec interface-SherWeb"
    id=20085 trace_id=962 func=ipsec_common_output4 line=803 msg="SA is not ready yet, drop"


    Which still leaves me with the question: what does "SA is not ready yet, drop" mean, and is this the reason the echo reply is not coming back?
     
    Thank You,
     
    David
    #5
    Toshi Esumi
    Re: Remote VPN user cannot access Router to Router VPN Servers 2018/12/07 09:15:06
    The ping requests are not going into the tunnel yet. The "not ready yet" regularly shows up when the first packet tries to reach the other end. It might fail, but it would trigger bringing the SA up, and then subsequent packets would be able to use the SA, like in the example below from the KB for a different topic.
      https://kb.fortinet.com/k....do?externalID=FD31403
    I suspect ASIC offload is somehow failing. If it's successful, the rest of the trace shouldn't show up. As I mentioned, disable auto-asic-offload on the set of policies as well as on the tunnel config for the site-to-site VPN to see if that's the issue.
    In another post someone mentioned an offload problem with 5.6.6 as well. The set-up was completely different though, including policy routes.
     
    #6
    ddemland
    Re: Remote VPN user cannot access Router to Router VPN Servers 2018/12/10 12:12:24
    The actual problem was that my hosting company did not set the selectors on their side. Once they got that fixed the access started to work without a problem. Thank you for your help.
     
    David
    #7
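The resolution above (the peer had no phase2 selector for the remote-access subnet) is easy to check mechanically before opening a ticket with the hosting provider. The following is an added example, not from the thread and not FortiOS code: it takes each side's phase2 selectors written from that side's own point of view as (source subnet, destination subnet), finds the local selector a given src/dst pair falls into, and checks that the peer holds its mirror image (the peer's source subnet must contain our destination subnet and its destination subnet our source subnet). The local 10.77.250.0/255.255.255.0 to 10.40.108.0/255.255.255.0 selector is David's; the 192.168.1.0/24 "internal users" selector and both peer configurations (before and after the fix) are constructed for the example.

```python
"""Phase2 selector mirror check: is a flow covered on both ends of the tunnel?
Added example for this thread, not FortiOS code."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network
Selector = Tuple[Net, Net]  # (source subnet, destination subnet), as configured on that side


def selectors(pairs: Iterable[Tuple[str, str]]) -> List[Selector]:
    """Accepts both prefix (10.77.250.0/24) and netmask (10.77.250.0/255.255.255.0) notation."""
    return [(ipaddress.IPv4Network(s, strict=False), ipaddress.IPv4Network(d, strict=False))
            for s, d in pairs]


def matching_selector(sels: List[Selector], src: str, dst: str) -> Optional[Selector]:
    """First local selector whose source and destination subnets contain src and dst."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return next(((sn, dn) for sn, dn in sels if s in sn and d in dn), None)


def is_mirrored(local: Selector, peer_sels: List[Selector]) -> bool:
    """True if some peer selector covers the same traffic seen from the peer's side."""
    src_net, dst_net = local
    return any(dst_net.subnet_of(p_src) and src_net.subnet_of(p_dst)
               for p_src, p_dst in peer_sels)


def unmirrored(local_sels: List[Selector], peer_sels: List[Selector]) -> List[Selector]:
    """Local selectors the peer does not mirror: traffic matching them never gets a
    usable SA, no matter what the firewall policy and routing say."""
    return [sel for sel in local_sels if not is_mirrored(sel, peer_sels)]


def check_flow(local_sels: List[Selector], peer_sels: List[Selector], src: str, dst: str) -> str:
    sel = matching_selector(local_sels, src, dst)
    if sel is None:
        return "no local phase2 selector covers this flow"
    if not is_mirrored(sel, peer_sels):
        return f"local selector {sel[0]} -> {sel[1]} has no mirror on the peer"
    return "ok"


# Local side: first selector as posted in the thread; the second one and both
# peer configurations are constructed for this example.
LOCAL = selectors([("10.77.250.0/255.255.255.0", "10.40.108.0/255.255.255.0"),
                   ("192.168.1.0/24", "10.40.108.0/24")])
PEER_BEFORE_FIX = selectors([("10.40.108.0/24", "192.168.1.0/24")])
PEER_AFTER_FIX = selectors([("10.40.108.0/24", "192.168.1.0/24"),
                            ("10.40.108.0/24", "10.77.250.0/24")])

if __name__ == "__main__":
    for label, peer in (("before fix", PEER_BEFORE_FIX), ("after fix", PEER_AFTER_FIX)):
        print(label, "-", check_flow(LOCAL, peer, "10.77.250.102", "10.40.108.12"),
              "- unmirrored:", [f"{s} -> {d}" for s, d in unmirrored(LOCAL, peer)])
```

Remote-access subnets are the usual victims of this check: they are added to the hub's phase2 long after the site-to-site tunnel was built, and the other end is rarely told.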
    © 2018 APG vNext Commercial Version 5.5