- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Unable to Ping fortigate across ipsec tunnel
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to Ping fortigate across ipsec tunnel
I have an IPSec tunnel established between two Fortigate 50e's. One is at our head office and the other at a branch site. The tunnel has been up for several weeks and traffic crosses the tunnel fine. Clients on one side are able to ping clients on the other network, or the firewall on the other side without issue.
I discovered that, from one of the firewalls, I can't ping the firewall on the other side. In fact I can't ping any device on the other network. Clients on either side can ping the other side without issue.
I'm thinking this has to be a routing issue. However I would think that the route that successfully moves traffic from the local network across to VPN tunnel to the other side would apply to the fortigate itself as well as devices on the connected networks.
ANy suggestions?
Thanks everyone!
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's about the source IP when you ping from the FGT and if your setting (phase2-selectors, routes, policies) on both sides is proper to allow the ping request and reply packets for both directions.
By default ping packets from an FGT over a VPN picks up the VPN interface IP you configured. If you're not sure what you configured, check it with CLI below:
# show system interface "PHASE1_NAME"
config system interface
edit "PHASE1_NAME"
set vdom "root" set ip X.X.X.X 255.255.255.255 set allowaccess ping https ssh snmp set type tunnel set remote-ip Y.Y.Y.Y 255.255.255.255 set snmp-index ZZ set interface "INTERFACE_NAME" next end
The source IP for your pinging is X.X.X.X. You need to set the tunnel environment properly to let it go/come through the tunnel.
Alternatively, you can always specify the ping source IP with:
# execute ping-options source "LAN_INTERFACE_IP"
So that you can ping from the user subnet, which is working.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So currently the IP is showing as 0.0.0.0 255.255.255.255.
Do I change that to the IP address of the lan interface (192.168.60.1)?
If I make that change, will that affect all communication from the fortigate across the tunnel?
The reason this comes up is because I'm trying to get the DNS service running on the branch office to slave to the active directory dns server at the head office. It appears that the fortigate at the remote office can't reach the dns server on the head office network.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would do that kind of change in a maintenance window. Because remote-IP changes on the other end. You need to change the set; local IP and remote-IP on both ends at the same time.
For a best practice, don't use any IP in existing subnets. Pick a /30 subnet in RFC 1918 range, which doesn't exist on either side. Let's say 10.10.10.0/30. Then assign 10.10.10.1 on one end and 10.10.10.2 on the other end. When you configure it on the tunnel interface, as you saw already, subnet mast is supposed to be 255.255.255.255. Then you need to adjust those IPsec environment to allow it to reach the destination (DNS server) subnet.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is it not possible to just allow the remote fortigate to communicate across the existing tunnel to the local network?
The tunnel already passes traffic for all ip's on both networks, except from the fortigate's themselves.
The method you specify above seems unnecessarily complex. I'm sure that there are other fortigate users out there that have branch offices that need to lookup to the main office active directory dns. Do they all have to use the method that you outline above?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you don't configure a tunnel IP, I'm not sure what IP address the DNS request packet picks up as the source. Have you try sniffing what the source IP in those packet? There might be a way to specify the source IP manually for the DNS request. But I don't know it.
This way is the base of interface mode/route-base IPsec tunnel set up, including any L3 routers not only FWs. I agree that there is a way to do it even with a policy-based IPsec. You can wait other members inputs, or open a ticket with TAC to ask.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like the fortigate that is running the dns server is forwarding the dns query out the wan interface, instead of across the tunnel. I have the dns server on the fortigate configured to slave the dns for the ad domain to the ip of the dns server at the head office.
It's almost as though the dns server on the fortigate is not attempting to reach the dns server specified in the config, but is using the dns settings from the fortigate it's self.
Or perhaps since the fortigate doesn't know that the IP for the master is across the tunnel so is using the default route? The destination for the dns query is a root server.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm wondering if you really configured an interface-mode IPSec, and you actually have a route in the routing table for the AD server's subnet.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The question I ask myself here is which IP soes the FGT itself use when it tries to ping the opposite FGT?
The Tunnel Interface itself does not have an IP.
So when pase2 id is set to 0.0.0.0/255.255.255.255 all traffic that matches policies will be allowed but what happens to traffic coming form the FGT itself?
is that using the loopback interface 127.0.0.1 or something like that? That would then explain it as that don't match any policy...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
--
"It is a mistake to think you can solve any major problems just with
potatoes." - Douglas Adams
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both networks can reach each other just fine. I already have clients at the remote office using drive mappings on the file servers at the main office. I am also able to RDP into clients on the remote office network from the head office.
The problem is that everything has to be done with IP's. Without AD DNS, I'm going to have problems if I start deploying AD windows desktops at the remote offices.
I'm using this document as a reference setting this up.
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/960561/fortigate-dns-server Also, I have the AD DNS server configured to allow zone transfers.
I have a fortigate 60e on the head office network and it's working fine looking up the the AD dns server using this config. I just can't get the branch office working and it appears to be that the FGT at the branch office can't reach the main office network.
Perhaps I need to create a static route or a policy route for the FGT ip to the tunnel?
It is a good question about what IP the FGT uses when it tries to do the DNS lookup. I would assume it would use the IP on the lan network, but as I think of it, the system DNS lookup goes to the wan dns server. However this is the same config on the FGT on the head office network and it looks up without issue. But then the IP it is looking up to is a locally attached network.
In any case, you can't ping any of the branch offices FGT from the main office FGT. Devices within each of the networks can reach each other, it's just the gateways that can't reach each other across the tunnel.
Related Posts
Labels
-
FortiGate
6,458 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.