Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jmarin3210
New Contributor

Cannot connect between pfsense and forti

Hi, I'm trying to connect a pfSense and a FortiGate over IPsec. The tunnel is up, but from my network only the first ping succeeds and after that all communication fails; a few minutes later it is the same situation: the first ping goes through but everything fails after that.

Here is how the logs look when the first ping is successful:

id=20085 trace_id=21 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.100.25:25564->192.168.7.10:2048) from servers_vlan. type=8, code=0, id=25564, seq=1."
id=20085 trace_id=21 func=init_ip_session_common line=5814 msg="allocate a new session-00950e96"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.7.10 via ipsec_vpn"
id=20085 trace_id=21 func=fw_forward_handler line=777 msg="Allowed by Policy-35:"
id=20085 trace_id=21 func=ipsecdev_hard_start_xmit line=788 msg="enter IPsec interface-ipsec_vpn"
id=20085 trace_id=21 func=esp_output4 line=927 msg="IPsec encrypt/auth"
id=20085 trace_id=21 func=ipsec_output_finish line=618 msg="send to GATEWAY_WAN via intf-wan1"
id=20085 trace_id=22 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.7.10:25564->192.168.100.25:0) from ipsec_vpn. type=0, code=0, id=25564, seq=1."
id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5724 msg="Find an existing session, id-00950e96, reply direction"
id=20085 trace_id=22 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.100.25 via servers_vlan"
id=20085 trace_id=22 func=npu_handle_session44 line=1164 msg="Trying to offloading session from ipsec_vpn to servers_vlan, skb.npu_flag=00000000 ses.state=00010200 ses.npu_state=0x03000000"
id=20085 trace_id=22 func=fw_forward_dirty_handler line=399 msg="state=00010200, state2=00000000, npu_state=03000000"
id=20085 trace_id=23 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.100.25:25564->192.168.7.10:2048) from servers_vlan. type=8, code=0, id=25564, seq=2."
id=20085 trace_id=23 func=resolve_ip_tuple_fast line=5724 msg="Find an existing session, id-00950e96, original direction"
id=20085 trace_id=23 func=npu_handle_session44 line=1164 msg="Trying to offloading session from servers_vlan to ipsec_vpn, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x03000000"
id=20085 trace_id=23 func=ip_session_install_npu_session line=343 msg="npu session installation succeeded"
id=20085 trace_id=23 func=fw_forward_dirty_handler line=399 msg="state=00010200, state2=00000000, npu_state=03000400"
id=20085 trace_id=23 func=ipsecdev_hard_start_xmit line=788 msg="enter IPsec interface-ipsec_vpn"
id=20085 trace_id=23 func=esp_output4 line=927 msg="IPsec encrypt/auth"
id=20085 trace_id=23 func=ipsec_output_finish line=618 msg="send to GATEWAY_WAN via intf-wan1"


And my policies are the same, only with source and destination switched in the other one.

And my static route is:

Destination: Subnet 192.168.7.0/255.255.255.0
Interface: ipsec_pfsense
Administrative Distance: 10


What am I doing wrong, or is there some config missing?

mle2802
Staff

Hi @jmarin3210,

Can you collect the debug flow when the ping is dropped? Also, can you please run the sniffer at the same time (diag sniffer packet any "host 192.168.7.10 and icmp" 4 0 l)?

Regards,
Minh
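As an added example (not from this thread or from Fortinet), a small Python parser for `diagnose debug flow` output in the format posted above. It groups lines by trace_id and reduces each trace to the fields worth comparing once you have one capture of the working first ping and one of the dropped follow-up, as the reply asks for: ingress interface, session, egress interface, policy verdict, NPU offload, and whether the packet was actually sent. The sample is constructed from the posted lines; the trace_id=24 lines are invented to show what a dropped packet summarises as and are not from the poster's device.

```python
import re

# Constructed sample: traces 21 and 23 mirror the working ping posted above, trace 24 is invented.
SAMPLE = '''\
id=20085 trace_id=21 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.100.25:25564->192.168.7.10:2048) from servers_vlan. type=8, code=0, id=25564, seq=1."
id=20085 trace_id=21 func=init_ip_session_common line=5814 msg="allocate a new session-00950e96"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.7.10 via ipsec_vpn"
id=20085 trace_id=21 func=fw_forward_handler line=777 msg="Allowed by Policy-35:"
id=20085 trace_id=21 func=ipsec_output_finish line=618 msg="send to GATEWAY_WAN via intf-wan1"
id=20085 trace_id=23 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.100.25:25564->192.168.7.10:2048) from servers_vlan. type=8, code=0, id=25564, seq=2."
id=20085 trace_id=23 func=resolve_ip_tuple_fast line=5724 msg="Find an existing session, id-00950e96, original direction"
id=20085 trace_id=23 func=ip_session_install_npu_session line=343 msg="npu session installation succeeded"
id=20085 trace_id=23 func=ipsec_output_finish line=618 msg="send to GATEWAY_WAN via intf-wan1"
id=20085 trace_id=24 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.100.25:25564->192.168.7.10:2048) from servers_vlan. type=8, code=0, id=25564, seq=3."
id=20085 trace_id=24 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.7.10 via ipsec_pfsense"
id=20085 trace_id=24 func=fw_forward_handler line=777 msg="Denied by forward policy check (policy 0)"
'''

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)$')
SESS_RE = re.compile(r'(?:session-|id-)([0-9a-f]+)')


def summarize(text):
    """Group debug flow lines by trace_id and reduce each trace to the facts worth comparing."""
    traces = {}
    for m in filter(None, map(LINE_RE.search, text.splitlines())):  # non-debug-flow lines are skipped
        t = traces.setdefault(m['tid'], dict(tid=m['tid'], flow=None, ingress=None, session=None,
                                             egress=None, verdict=None, offloaded=False, sent=False))
        msg = m['msg']
        if m['func'] == 'print_pkt_detail' and (p := PKT_RE.search(msg)):
            t['flow'], t['ingress'] = f'proto {p[1]} {p[2]}->{p[3]}', p[4]
        elif (s := SESS_RE.search(msg)):                   # "new session-X" or "existing session, id-X"
            t['session'] = ('new ' if 'new' in msg else 'existing ') + s[1]
        elif (r := ROUTE_RE.search(msg)):                  # egress interface chosen by routing
            t['egress'] = r[1]
        elif msg.startswith(('Allowed by', 'Denied by')):  # forward policy verdict
            t['verdict'] = msg.rstrip(':')
        elif 'npu session installation succeeded' in msg:  # later packets take the offloaded path
            t['offloaded'] = True
        elif msg.startswith('send to'):                    # packet actually left the box
            t['sent'] = True
    return list(traces.values())


def dropped(traces):
    return [t for t in traces if not t['sent']]  # received but never forwarded


def differences(a, b, keys=('ingress', 'egress', 'verdict', 'offloaded')):
    return {k: (a[k], b[k]) for k in keys if a[k] != b[k]}  # working trace vs failing trace
```

Feed it the debug flow collected while the ping is dropped together with the working one above, then run `differences()` between a sent trace and a dropped one to see which of route, policy or offload state changed.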
