FortiGate

Author: ITC Techs
2020/03/04 10:53:26 (permalink) 6.2

FortiGate

We have an IPsec VPN between FortiGate 60E and SonicWall NSA 2600. The VPN is up and active but no traffic is passing across it.
#1

12 Replies

    Dave Hall
    Re: FortiGate 2020/03/04 11:46:08 (permalink)
    Is there a route showing up for the tunnel?

    #2
    ITC Techs
    Re: FortiGate 2020/03/04 11:49:28 (permalink)
    There is. There is also a policy to allow inbound and outbound traffic
    #3
    sw2090
    Re: FortiGate 2020/03/04 23:47:49 (permalink)
    Are you sure the tunnel is up completely? Green in the FGT IPsec Monitor only means that phase 1 has come up.
    diag vpn tunnel list on the CLI will show you if it is completely up.
    If it shows the phase 2 name somewhere and "sa=1" behind it, it is up.

    Also, it could be something with IKE. Look at my "strange ipsec vpn behavior" thread below for further details.
    #4
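    Added example, not part of the thread: a short Python script that parses output in the shape of "diagnose vpn tunnel list" and applies the check sw2090 describes (is there a phase 2 with sa=1) together with the tunnel's stat counters (did any packets actually go in or out). The sample text is constructed to resemble the command's output; tunnel names, addresses and counters are made up, and the exact field set varies by FortiOS version, so the parser keys only on the name=, stat:, proxyid=, src: and dst: lines.

```python
import re

# Constructed sample in the shape of "diagnose vpn tunnel list" output.
# Names, addresses and counters are made up for the example; the exact
# field set varies by FortiOS version.
SAMPLE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=ToSonicWall ver=1 serial=1 198.51.100.2:0->203.0.113.10:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0 options[0000]=create_dev frag-rfc  accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=3 olast=3 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000 retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ToSonicWall-P2 proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.10.0/255.255.255.0:0
  dst: 0:10.20.0.0/255.255.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42474/0B replaywin=2048
  life: type=01 bytes=0/0 timeout=43190/43200
------------------------------------------------------
name=ToBranch ver=1 serial=2 198.51.100.2:0->192.0.2.20:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/0 options[0000]=create_dev frag-rfc  accept_traffic=1
proxyid_num=2 child_num=0 refcnt=9 ilast=1 olast=1 ad=/0
stat: rxp=1204 txp=1187 rxb=160304 txb=151996
dpd: mode=on-demand on=1 idle=20000 retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=ToBranch-P2 proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.10.0/255.255.255.0:0
  dst: 0:172.16.0.0/255.255.0.0:0
proxyid=ToBranch-P2b proto=0 sa=0 ref=1 serial=2
  src: 0:192.168.10.0/255.255.255.0:0
  dst: 0:172.17.0.0/255.255.0.0:0
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_tunnel_list(text):
    """Group the output by phase 1 ('name=' block); under each, collect the
    'stat:' packet counters and every phase 2 ('proxyid=') with its sa flag
    and traffic selectors."""
    tunnels = {}
    cur = p2 = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            cur = tunnels[KV.match(line).group(2)] = {"stat": {}, "phase2": {}}
            p2 = None
        elif cur is None:
            continue
        elif line.startswith("stat:"):
            cur["stat"] = {k: int(v) for k, v in KV.findall(line)}
        elif line.startswith("proxyid="):
            kv = dict(KV.findall(line))
            p2 = cur["phase2"][kv["proxyid"]] = {"sa": int(kv["sa"]), "src": None, "dst": None}
        elif p2 is not None and line.startswith(("src:", "dst:")):
            key, _, selector = line.partition(":")
            p2[key] = selector.strip()
    return tunnels


def diagnose(tunnels):
    """One verdict per phase 2. The stat counters are per phase 1 in this
    output, so they are shared by all of its proxyids."""
    findings = []
    for name, t in tunnels.items():
        txp, rxp = t["stat"].get("txp", 0), t["stat"].get("rxp", 0)
        for pid, p in t["phase2"].items():
            if p["sa"] == 0:
                verdict = "P2_DOWN"      # no SA: IKE, proposal or selector mismatch
            elif txp == 0 and rxp == 0:
                verdict = "NO_TRAFFIC"   # SA up, nothing handed to the tunnel: route/policy
            elif rxp == 0:
                verdict = "TX_ONLY"      # we encrypt, nothing comes back: far side
            else:
                verdict = "OK"
            findings.append((name, pid, p["src"], p["dst"], verdict))
    return findings


if __name__ == "__main__":
    for name, pid, src, dst, verdict in diagnose(parse_tunnel_list(SAMPLE)):
        print(f"{name:12} {pid:16} {src} -> {dst}: {verdict}")
```

    The NO_TRAFFIC case is the situation in this thread: sa=1 with txp=0 means phase 2 negotiated but the FortiGate never handed a packet to the tunnel, which points at the route or the policy on the sending side rather than at IKE.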
    emnoc
    Re: FortiGate 2020/03/05 03:02:28 (permalink)
    The "diag debug flow" is your proper way to test this. It will show you if the traffic is matching the policy that enforces the route-based tunnel interface, and it will show if the traffic is being encrypted.

    On both sides, NSA and FGT, you need the policies and routes to be correct and matched.
     
    Ken Felix

    #5
    ITC Techs
    Re: FortiGate 2020/03/05 05:50:57 (permalink)
    Yes, phase 1 and 2 are up. Already verified that beforehand and verified again
    #6
    ITC Techs
    Re: FortiGate 2020/03/05 05:53:36 (permalink)
    Policies and routes have been verified. We have another FGT101 with a VPN tunnel to the same NSA and all settings match; just no traffic passing to/from the FGT60E.
     
    #7
    rwpatterson
    Re: FortiGate 2020/03/05 06:06:51 (permalink)
    On the cheap, where does a traceroute take your traffic?

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    #8
    emnoc
    Re: FortiGate 2020/03/05 08:52:02 (permalink)
    Did you at least do "diag debug flow"? It will tell you everything that is wrong or what's happening.
     
    You have to help us in order to help you.
     
     
    Also, rwpatterson mentioned traceroute earlier. I would also add "diag sniffer packet", select the tunnel interface name that you use in phase 1, and witness the traceroute enter/exit the tunnel.

    That would confirm traffic in the tunnel, assuming a route-based VPN and that you run traceroutes from the A and Z sides.
     
    http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html
     
    Ken Felix
     

    #9
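    Added example, not from the thread: a Python parser for output in the shape of "diag debug flow", which folds the per-line trace into one record per trace_id and reports the ingress interface, the interface the route lookup chose, the policy verdict, and whether the packet entered the IPsec interface, which are the things emnoc says the flow trace will show. The sample lines are constructed to resemble FortiOS flow-trace messages (interface names, policy IDs and addresses are made up); the exact message wording differs between FortiOS releases, so the regular expressions are assumptions to be checked against real output.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of "diagnose debug flow" trace output.
# Interface names, policy IDs and addresses are made up; message wording is
# an assumption that should be checked against the FortiOS release in use.
FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root received a packet(proto=1, 192.168.10.5:1->10.20.0.1:2048) from internal. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5657 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.20.0.1 via ToSonicWall"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-12:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=669 msg="enter IPsec interface-ToSonicWall"
id=20085 trace_id=1 func=esp_output4 line=892 msg="IPsec encrypt/encapsulate"
id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root received a packet(proto=1, 192.168.10.5:2->10.30.0.1:2048) from internal. type=8, code=0, id=2, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5657 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=00000000 gw-198.51.100.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5501 msg="vd-root received a packet(proto=6, 192.168.10.7:51522->10.20.0.9:445) from internal. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=3 func=init_ip_session_common line=5657 msg="allocate a new session-00001a2d"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.20.0.9 via ToSonicWall"
id=20085 trace_id=3 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
"""

TRACE = re.compile(r"trace_id=(\d+)")
PKT = re.compile(r"received a packet\(proto=(\d+), (\S+?)->(\S+?)\) from (\S+?)\.")
ROUTE = re.compile(r'find a route: .*? via ([^"\s]+)')
ALLOW = re.compile(r"Allowed by Policy-(\d+)")
DENY = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
IPSEC = re.compile(r'enter IPsec interface-([^"\s]+)')


def parse_debug_flow(text):
    """One record per trace_id: where the packet came in, which interface the
    route lookup picked, the policy verdict, and whether it was handed to an
    IPsec interface."""
    traces = OrderedDict()
    for line in text.splitlines():
        tid = TRACE.search(line)
        if not tid:
            continue
        t = traces.setdefault(tid.group(1), {"src": None, "dst": None, "ingress": None,
                                               "egress": None, "policy": None, "ipsec": None})
        if m := PKT.search(line):
            t["src"], t["dst"], t["ingress"] = m.group(2), m.group(3), m.group(4)
        elif m := ROUTE.search(line):
            t["egress"] = m.group(1)
        elif m := ALLOW.search(line):
            t["policy"] = ("allow", int(m.group(1)))
        elif m := DENY.search(line):
            t["policy"] = ("deny", int(m.group(1)))
        elif m := IPSEC.search(line):
            t["ipsec"] = m.group(1)
    return traces


def classify(trace, tunnel):
    """Name the first stage at which a flow fails to reach `tunnel`."""
    if trace["egress"] is None:
        return "NO_ROUTE"       # no route lookup seen for this flow
    if trace["egress"] != tunnel:
        return "ROUTE_MISS"     # route points elsewhere (typically the default route)
    if trace["policy"] is None or trace["policy"][0] == "deny":
        return "POLICY_DENY"    # no firewall policy from ingress to the tunnel interface
    if trace["ipsec"] != tunnel:
        return "NOT_ENTERED"    # allowed, but never handed to the IPsec interface
    return "ENCRYPTED"


if __name__ == "__main__":
    for tid, t in parse_debug_flow(FLOW).items():
        print(f"trace {tid}: {t['src']} -> {t['dst']} in {t['ingress']}, "
              f"route via {t['egress']}, policy {t['policy']}, ipsec {t['ipsec']}: "
              f"{classify(t, 'ToSonicWall')}")
```

    The order of checks matches the order the FortiGate applies them in the trace (route lookup, then policy, then IPsec hand-off), so the verdict names the first thing to fix. A traceroute that "never gets out" typically shows up here as ROUTE_MISS (the route resolved to wan1 instead of the tunnel interface) or POLICY_DENY (policy 0 is the implicit deny).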
    ITC Techs
    Re: FortiGate 2020/03/05 13:32:18 (permalink)
    Traceroute never gets out. All hops time out. Route is set up with destination network and VPN interface selected.
    #10
    ITC Techs
    Re: FortiGate 2020/03/05 13:57:47 (permalink)
    Attached is an excerpt of diag sniffer packet on the VPN tunnel interface. The VPN is policy-based.
    #11
    isamt
    Re: FortiGate 2020/03/06 09:42:13 (permalink)
    Run a debug to identify any issues with the config:
     
     
    diagnose debug disable
    diagnose vpn ike log-filter clear
    diagnose vpn ike log-filter dst-addr4 n.n.n.n
    diagnose debug app ike 255
    diagnose debug enable
     
    where n.n.n.n is the public IP address of your SonicWall firewall
     
    to end:
    diagnose debug disable
    diagnose debug reset
     
    #12
    rwpatterson
    Re: FortiGate 2020/03/06 09:49:15 (permalink)
    What does your routing table look like?
     
    Fortigate # diagnose ip route list
     
    Blank out any unimportant routes to this thread that you may not want made public.

    #13