Problem going throught two ipsec tunnels
I have this configuration:
IPSEC1-forticlient ipsec tunnel
IPSEC2-site to site permament tunnel
I use forticlient on Windows 10. When I connect with forticlient I can ping hosts in DC1, but not in DC2. IPSEC2 is a static tunnel site to site.
So the packets should go via first forticlient tunnel to DC1, then throught IPSEC2 to DC2.
I can ping from PC to hosts in DC1.
I can ping from DC1 hosts to DC2 hosts.
When pinging from forticlientPC -> DC2 I have this debug output at Fortigate 300D in DC1:
id=20085 trace_id=477 func=resolve_ip_tuple_fast line=5450 msg="Find an existing session, id-09a8ce00, original direction"
id=20085 trace_id=477 func=npu_handle_session44 line=1096 msg="Trying to offloading session from forticlient_26 to IPSEC2, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x03000000"
id=20085 trace_id=477 func=ipsecdev_hard_start_xmit line=640 msg="enter IPsec interface-IPSEC2"
id=20085 trace_id=477 func=ipsec_common_output4 line=804 msg="SA is not ready yet, drop"
"SA is not ready yet, drop". I googled it and found suggestion that it means that tunnel is not ready. But both tunnels are up and running!
To add to confusion - after restarting fortigate 300D in DC1 it started to working for some time, and then stopped some time later...
Can you point me to some direction? I'm confused by this behaviour.
I use fortigate 300D, with firmware 5.6.11 (latest from 5.x).