VPN between 2 Fortigates 60E losing ping packets

Author
lcmuser
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/08 09:25:20
  • Status: offline
2019/10/08 09:37:19 (permalink)
0

VPN between 2 Fortigates 60E losing ping packets

Hi all,
 
Checked other forum threads, but found only one mention here https://forum.fortinet.com/tm.aspx?m=142160 and it is not answered.
Basically, we have just purchased a pair of Fortigate 60E firewalls that we would like to use for a site-to-site IPsec VPN.
So I set them up sitting next to each other, connected via a patch cable.
I used the VPN Wizard, and everything seemed to have started working OK; however:
 
I am using a Cisco switch as a client on one side and a Mac laptop on the other. I run a continuous ping from the Mac to the switch and it appears to be working fine, no timeouts or lost packets. The same thing done from the switch side towards the Mac looks similarly OK; however, if I run a ping with, say, 10000 repetitions, that shows issues:
 
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 172.11.11.99, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 
Clearly, some packets get dropped... but why? No errors in the logs....
 
Any help is appreciated...
#1
lcmuser
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/08 09:25:20
  • Status: offline
Re: VPN between 2 Fortigates 60E losing ping packets 2019/10/09 02:38:39 (permalink)
0
Quick addition... It appears that the drop event happens after every 250 pings.... Is there some sort of protection against constant pings sent in a short time span?
#2
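The "after every 250 pings" observation above is the kind of thing worth checking mechanically before suspecting a rate limiter: a drop that recurs at a fixed probe interval looks very different from random loss. The following Python script is an added example, not code from the thread or from Fortinet. It parses Cisco IOS-style ping output (the `!` / `.` marker lines quoted in the first post), lists the probe numbers that got no reply, and checks whether the gaps between drops are periodic. The sample output it runs on is constructed here (250 replies followed by one timeout, repeated four times); the poster's real output can be pasted into `parse_marks` instead.

```python
"""Parse Cisco IOS-style ping output and check whether drops are periodic.

Added example for the thread above; the sample output is constructed,
not the poster's real capture.
"""
from __future__ import annotations

import re
from collections import Counter

# Markers IOS prints per probe: '!' reply, '.' timeout, 'U' unreachable,
# 'Q' source quench, 'M' could not fragment, '?' unknown type, '&' TTL exceeded.
MARK_LINE = re.compile(r"^[!.UQM?&]+$")


def build_sample_output(repeats: int = 4, replies_between_drops: int = 250) -> str:
    """Constructed sample in the shape of the thread's ping output: blocks of
    successful replies followed by one timeout, wrapped at 70 columns as IOS does."""
    marks = ("!" * replies_between_drops + ".") * repeats
    wrapped = "\n".join(marks[i:i + 70] for i in range(0, len(marks), 70))
    return (
        "Type escape sequence to abort.\n"
        f"Sending {len(marks)}, 100-byte ICMP Echos to 172.11.11.99, timeout is 2 seconds:\n"
        f"{wrapped}\n"
    )


def parse_marks(output: str) -> str:
    """Return the concatenated per-probe markers, skipping the header lines."""
    return "".join(
        line.strip() for line in output.splitlines() if MARK_LINE.match(line.strip())
    )


def drop_positions(marks: str) -> list[int]:
    """1-based probe numbers that did not get a reply."""
    return [i + 1 for i, m in enumerate(marks) if m != "!"]


def loss_summary(marks: str) -> dict:
    """Sent / received / lost counts and loss percentage, as IOS would report them."""
    sent = len(marks)
    lost = len(drop_positions(marks))
    return {
        "sent": sent,
        "received": sent - lost,
        "lost": lost,
        "loss_pct": round(100.0 * lost / sent, 2) if sent else 0.0,
    }


def dominant_drop_interval(positions: list[int]) -> int | None:
    """Most common gap between consecutive drops, or None with fewer than two drops.
    A gap of N means N-1 successful replies sit between two drops, so the poster's
    'one drop after every 250 pings' shows up as a dominant interval of 251."""
    if len(positions) < 2:
        return None
    gaps = Counter(b - a for a, b in zip(positions, positions[1:]))
    return gaps.most_common(1)[0][0]


def is_periodic(positions: list[int], tolerance: int = 1) -> bool:
    """True when every gap between drops is within `tolerance` of the dominant gap.
    Regular spacing points at a counter or rate limit somewhere on the path rather
    than at random loss; irregular spacing does not."""
    interval = dominant_drop_interval(positions)
    if interval is None:
        return False
    return all(abs((b - a) - interval) <= tolerance for a, b in zip(positions, positions[1:]))


if __name__ == "__main__":
    marks = parse_marks(build_sample_output())
    pos = drop_positions(marks)
    print(loss_summary(marks))
    print("drops at probes:", pos)
    print("dominant interval:", dominant_drop_interval(pos), "periodic:", is_periodic(pos))
```

Run it as-is to see the constructed case, or replace the call to `build_sample_output()` with the text of a real capture. A periodic result only tells you that something is counting; it does not say which device is doing the counting, which is exactly why the thread later moves to checking each hop (the Fortigates' DoS policy and, as it turned out, the laptop's own firewall).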
emnoc
Expert Member
  • Total Posts : 5366
  • Scores: 351
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: VPN between 2 Fortigates 60E losing ping packets 2019/10/09 02:47:20 (permalink)
0
Should not be, but what else might be happening at 250 pings? Does the issue happen with large and small pkts? Can you place an IPv4 address on both FGT vpn-interfaces? Does the same issue happen if pings are FGT-2-FGT?
 
What is the PMTU? (should be 1438 bytes or less, typically)
 
 
Ken Felix
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#3
lcmuser
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/08 09:25:20
  • Status: offline
Re: VPN between 2 Fortigates 60E losing ping packets 2019/10/09 02:51:17 (permalink)
0
Just wondering if this has anything to do with this (https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-firewall-52/Security%20Policies/DoS%20Protection.htm):
icmp_flood: If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. Threshold: 250 packets per second.
#4
lcmuser
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/08 09:25:20
  • Status: offline
Re: VPN between 2 Fortigates 60E losing ping packets 2019/10/09 02:54:09 (permalink)
0
Thanks, but what about this "feature"?
 
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-firewall-52/Security%20Policies/DoS%20Protection.htm
icmp_flood: If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. Threshold: 250 packets per second.
To me this looks quite relevant.
 
I am actually using a Cisco switch as a client and it seems to be able to send very many ICMP packets per second... and interestingly, according to the ping output, the issue happens after every 250 responses...
 
#5
emnoc
Expert Member
  • Total Posts : 5366
  • Scores: 351
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: VPN between 2 Fortigates 60E losing ping packets 2019/10/09 03:04:41 (permalink) (marked helpful by lcmuser 2019/10/09 03:19:46)
0
Okay, so do or did you implement DoS protection? A simple ping is not a DoS by itself.
 
I would first start by reviewing your firewall and see what you applied at the policy and dos-policy level:
 
 
config firewall  DoS-policy 
   show full-configuration 
 
And if you have a rule, then look at the icmp information:
 
config firewall DoS-policy
    edit 1
        config anomaly
            edit "icmp_flood" <---
                set threshold 250
            next
            edit "icmp_sweep" <---
                set threshold 100
            next
            edit "icmp_src_session" <---
                set threshold 300
            next
            edit "icmp_dst_session" <---
                set threshold 1000
            next
 
 
Ken Felix
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#6
lcmuser
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/08 09:25:20
  • Status: offline
Re: VPN between 2 Fortigates 60E losing ping packets 2019/10/09 03:21:26 (permalink)
0
Thanks. Let me check. The thing is, both devices are just out of the box; I have only set up the VPN, no other bits apart from the hostname, IP addresses and other basic settings. I'll report on the findings...
#7
lcmuser
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/08 09:25:20
  • Status: offline
Re: VPN between 2 Fortigates 60E losing ping packets 2019/10/09 04:16:17 (permalink)
0
There seems to be no DoS policy:
VPN01 # config firewall DoS-policy

VPN01 (DoS-policy) # show full-configuration
config firewall DoS-policy
end

VPN01 (DoS-policy) #

I suspect that the device has one embedded that probably cannot be changed?
#8
lcmuser
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/08 09:25:20
  • Status: offline
Re: VPN between 2 Fortigates 60E losing ping packets 2019/10/18 04:43:43 (permalink)
0
In the end this was all due to the Mac laptop's firewall and nothing to do with Fortigates.
#9