IPSec tunnel is up but no traffic and how to troubleshoot.

Captions
Hello everyone, it's me again. In the previous video I shared with you how to troubleshoot the VPN connection when it's down. There are many reasons why a VPN is down, so by using the techniques and the troubleshooting commands I provided in that video you will have a better understanding of how to troubleshoot the VPN when it's down. In this video I will show you how to troubleshoot even when the VPN is up but there is no traffic. I have a similar setup to the last video: I have the VyOS router and the FortiGate. In the last video the VPN was set up, the tunnel was up, and the management desktop was able to reach the authenticator machine using the web GUI. Now I have a requirement to let the management desktop reach the web server on a different subnet, actually on a different interface on the FortiGate. To do that I create another phase 2 on the FortiGate side. The second phase 2 has the same remote subnet, which is the management desktop here, 172.20.31.0, but the local is different: the local is 10.10.100.0, which is this subnet. On the VyOS side I have another phase 2, or IPsec SA, set up with the same local but a different remote; the remote now is 10.10.100.0.

Again, for the phase 2, or IPsec SA, we have the local and remote subnet, and for the other side it is the reverse order, local and remote. Now we're going to verify the configuration between the two routers for the VPN. Here on VyOS 1 I'm going to run show configuration commands | grep vpn. In this setup I just created another phase 2 here, okay: the local and remote. The local is the same, the same local here, but a different remote, which is another tunnel. Then show vpn ipsec status, so we can see we have two active tunnels running to the same interface, and if we go to show vpn ipsec state we have multiple phase 2s; actually they overlap, but it's telling us that the tunnel is up. Now on the FortiGate, if you hover the mouse here you can see, okay, let me bring it up here: we have the phase 2 tunnel VyOS and VyOS 2, which is the second tunnel on the FortiGate side, and this one is up. So we go deeper here, edit, and we can see under phase 2 I have two tunnels, the first one and the second one, VyOS 2, and at the moment the tunnel is up. Now, when the tunnel is up, I'm going to try to reach the web server, 10.10.100.20. It's not reachable. So now we troubleshoot it. Actually, when you're troubleshooting the VPN you need to see how the VPN is set up, so by looking into the configuration you may be able to tell why the VPN is not passing traffic. But in this one I will focus on troubleshooting, in case you have a very large setup which has hundreds of tunnels, and sometimes we have a lot more, and a lot of configuration, and you're not the person who set up the system, so verifying the configuration may take some time, but running the same commands may give you some idea. At least you need to understand how the VPN is set up and how the traffic is reaching the other end of the network. Now let's start with ping.

Right, we can see the ping is not reachable. Now, from the VyOS side I don't see much; I'll show some troubleshooting commands that can give you more idea, but at least from here you can run the commands. So show ip route: you can see the other subnet, 10.10.100.0, is actually going through eth0, and it's K, the kernel route, and it's similar to the subnets that are already working. So in terms of routing it should be okay. This one is automatically updated when you create another phase 2 tunnel, so this one is in here already. These are already set up and established. So this one works and this one doesn't work, so you can tell the routing is good. I can try again with ping to make sure that the first tunnel is working, 192.168.11.26. This one is reaching, right, so in terms of routing this one looks good. Now go to the FortiGate. On the FortiGate side I'm going to see whether the traffic from the VyOS is reaching the FortiGate, so diagnose sniffer packet any 'icmp and host 10.10.100.20', the web server. Now we go back to the VyOS and ping it. It's not responding, and on the FortiGate, no, it's not reaching. So it's not reaching the FortiGate for some reason. That's a good time to actually troubleshoot this one; it's not the same traffic that we want to see. By looking into this one we can tell the traffic from the VyOS has not entered the tunnel yet; maybe it's not going to the right tunnel, or it's not leaving the VyOS. I'm going to check the VyOS router. On the VyOS router, when the tunnel is set up, remember we need to exclude the NAT option for the new subnet. So if we show configuration commands | grep nat, we can see here we excluded the first tunnel's subnet, but the second tunnel's subnet I haven't excluded yet. I'm going to add rule 110, for example: configure, set nat source rule 110 destination address 10.10.100.0/24, then exclude, then outbound-interface eth0, commit.

Now ping again. Okay, it's still not reachable. I'm going to follow it. Now at least we can see the FortiGate is now receiving on the tunnel; here we can see this IP is reaching this one, it's just request, request, request. So at least we can tell the traffic is reaching the FortiGate, but for some reason the FortiGate drops it. Now, to see why it drops this one, we're going to run the sniffer here, and we're going to run the debug flow to see why the FortiGate drops it: diagnose debug flow filter proto 1, which is ICMP; diagnose debug flow filter addr 10.10.100.20; diagnose debug flow show function-name enable; diagnose debug enable; diagnose debug flow trace start 10, or maybe 20. Okay. When you stop that, all right, when the trace is seeing traffic here, make sure we look at the right traffic. So we can see trace number one, okay, here. This is the remote VyOS and it's trying to reach the web server, the ping traffic, and you can see it finds a route to port4, which is good, but then denied by forward policy check, policy 0.

Policy 0 is the implicit deny, so it looks like the traffic doesn't match any policy, or there's no policy for it. So we need to check why there's no policy. In here we go to the firewall policy and we look for anything coming from VyOS, so we look for VyOS 1 like this. You can see VyOS to port5 and port5 to VyOS; there's no port4. The traffic is actually on port4: if we go back to the interfaces here, the 10.10.100.0 network is on port4 and there's no policy for it. So we're going to need the policy, the firewall policy here. Create a new policy, and this one is from VyOS to port4: incoming interface VyOS, which is the VPN tunnel interface, going to port4. For now we just put everything; you can limit it to the VyOS subnet, but for this test purpose we just put everything, and service any, instead of the specific service. Open everything, action accept, no NAT, just like that, policy enabled, log all sessions, OK. After we have this one, go back to VyOS, and now it's responding. Now go to the FortiGate and run the sniffer: diagnose sniffer packet any 'icmp and host 10.10.100.20', which is the web server. Now you can see the traffic. Stop it. The traffic is hitting the VyOS interface and leaving port4 to the web server, and the web server responds to the VyOS network. So by running the sniffer and then the debug flow we can tell why traffic is dropped, in this case. We have other scenarios, like no route for example, and there are many other reasons why traffic gets dropped. You can consider the VPN like a virtual interface or virtual link: once it's up, you can see the traffic going through with the same principle, and you can use the normal traffic troubleshooting commands like sniffer and debug flow to pinpoint where the issue is. So I'm going to create another scenario and see why the traffic is not going through.

Let's have a look at another scenario. Still the same setting: we have the VyOS router and the FortiGate, the tunnel is established, the management desktop is able to reach the FortiAuthenticator and the FortiAuthenticator can reach back to the management network. Now I want another subnet, 10.10.100.0, which is the VM here, the web server, a Linux web server. I'm trying to reach the management network from this machine. It's a new one, so I need to set up the FortiGate. I already have the routing; I don't have the policy that allows it. The routing should be good because the FortiGate already has a route back to the management network, but in terms of policy here I only have the policy from port4, and here is the VyOS tunnel. So back to the FortiGate. Is the tunnel still up? Yes, the tunnel is still up. Going to the firewall policy, I have the VyOS to port4 traffic here, this one, and for the reverse traffic I have port4 to VyOS here. So we have the firewall policy to allow the traffic, but now I'm trying to ping from this one, the web server, and I try to ping .10, which is the management desktop. It's not responding, and .1 is the internal interface of the VyOS router. Let's leave the ping running here, and on the FortiGate let's see how it responds. I'm going to open the FortiGate SSH. This is the FortiGate, DC1; I already have it set up. From here, going to the root VDOM, we have the policy which is already defined, from port4 to VyOS. I'm going to see why the traffic is not able to reach from the web server back to the management network. First thing, diagnose sniffer packet any 'icmp and host 172.20.31.10', which is the desktop on the remote management network behind the VyOS router. You can see here, right, we can see the traffic hitting port4. So with this we imagine the web server coming in on port4 and then VyOS out; that's it, port4 in, VyOS out. It tries to send it out the tunnel interface, but somehow it's not getting any response.

So we're going to run the debug flow and see why it drops, right: diagnose debug flow show function-name enable, diagnose debug flow filter proto 1, which is ICMP, diagnose debug flow filter addr, all right. So we see, all right, we stop it now. The FortiGate is receiving some traffic but it's getting dropped. You can see here, okay, let's make it a bit wider here. Now we can see the traffic and the ping. From here we can see the trace. The function here is showing the root VDOM receives a packet from the web server IP to the management subnet, or management desktop, from port4. It allocates a session and so on, and keeps going here, and let's see what's going on in trace 21. Okay, in trace 21, because of the routing and because of the firewall policy it enters the IPsec tunnel, it enters the VyOS IPsec tunnel, but the next line tells us: no matching IPsec selector, drop. This one is very important. From this line, when you see this one, it means that the traffic doesn't match the IPsec selector in phase 2 and gets dropped. The way to see phase 2: show vpn ipsec phase2 VyOS; that's the only phase 2 we have. You see here we have the source subnet 192.168 and the destination is 172.20. The destination is good because we're sending to the other VyOS router, so destination is good, but look at the source here: the source in the phase 2 selector is the 192.168.11 network, but the traffic that hit the firewall is 10.10.100.20. So it doesn't match this phase 2. It means that the tunnel only allows traffic between this subnet, the source subnet 192, and the destination subnet 172. So the source of the new packet coming from 10.10 here doesn't match; it means that the tunnel is not for this subnet and it gets dropped.

So in terms of security, we're going to go back to here. From the VM, or from the web server, to the FortiGate, inside the FortiGate here, from port4 into the tunnel we need a policy, and in that policy we can allow traffic, we can limit it to a service like HTTPS or ICMP, or the source subnet. Now we have another security level in the tunnel: we only allow the source and destination subnets solely. So at the moment the tunnel between the FortiGate and the VyOS only allows two subnets, which are 172.20.31 and 192.168. This is a new subnet, so we cannot force the FortiGate or the tunnel to accept it. In order to accept that connection we need to create another tunnel, and we have the pair of source and destination subnets, where the source is 10.10 here and the destination is 172.20, and on the other side we do another tunnel setup which allows from source 172.20 to destination 10.10.100. So by looking into the debug flow you can tell that the traffic doesn't match the phase 2. Even though the phase 2 is up, it doesn't match, so that's another scenario of the tunnel being up but traffic not going through. The diagnose sniffer and debug flow will tell you exactly why the traffic is getting dropped. Sometimes you see the traffic leaving the FortiGate but getting dropped at the VyOS, which is a different story, but in here we can see straight away the FortiGate drops it first. All right, I think that's all for now. There are other scenarios of course, but in this video I showed a few scenarios where the tunnel is up but the traffic is not passing, or no traffic is going through it, and some commands to verify and troubleshoot this issue. Hope you enjoy the video, thank you for watching and see you in the next one.
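The two drop reasons walked through in the video (policy 0, the implicit deny, and "No matching IPsec selector") can be picked out of debug flow output automatically and checked against the configured phase 2 selectors. This is an added example, not code from the video or from Fortinet: the debug flow lines and the selector list are constructed samples modelled on the format shown in the video, and the function names are hypothetical.

```python
import re
import ipaddress

# Constructed sample lines in the style of FortiGate `diagnose debug flow` output
# (not captured from the video's lab). Trace 1 mirrors the first scenario (no
# firewall policy), trace 21 the second (phase 2 selector mismatch).
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-root received a packet(proto=1, 172.20.31.10:1->10.10.100.20:2048) from VyOS. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.10.100.20 via port4"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=21 func=print_pkt_detail line=5517 msg="vd-root received a packet(proto=1, 10.10.100.20:1->172.20.31.10:2048) from port4. type=8, code=0, id=1, seq=1."
id=20085 trace_id=21 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-VyOS"
id=20085 trace_id=21 func=ipsec_common_output4 line=823 msg="No matching IPsec selector, drop"
"""

# Constructed phase 2 selectors (local, remote): only the original pair exists,
# as in the second scenario, where 10.10.100.0/24 has no phase 2 yet.
PHASE2_SELECTORS = [("192.168.11.0/24", "172.20.31.0/24")]

LINE_RE = re.compile(r'trace_id=(\d+) .*? msg="(.*)"$')
PKT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")

def selector_matches(src, dst, selectors):
    """True if some (local, remote) phase 2 pair covers a src->dst packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(loc) and d in ipaddress.ip_network(rem)
               for loc, rem in selectors)

def triage(flow_text, selectors):
    """Group debug flow lines per trace_id and name the reason each was dropped."""
    traces = {}
    for line in flow_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = m.groups()
        t = traces.setdefault(tid, {"src": None, "dst": None, "verdict": "forwarded"})
        pkt = PKT_RE.search(msg)
        if pkt:
            t["src"], t["dst"] = pkt.groups()
        if msg.startswith("Denied by forward policy check"):
            # Policy 0 is the implicit deny: no firewall policy covers the in->out path.
            t["verdict"] = "no firewall policy (implicit deny)"
        elif msg.startswith("No matching IPsec selector"):
            # Tunnel is up, but src/dst falls outside every phase 2 selector pair.
            covered = selector_matches(t["src"], t["dst"], selectors)
            t["verdict"] = "phase 2 selector mismatch" if not covered else "selector drop despite matching list"
    return traces
```

Feeding real `diagnose debug flow` output and the selectors from `show vpn ipsec phase2` into `triage` gives one verdict per trace, so the two cases can be told apart without reading every line by hand.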
Info
Channel: FortiShare Now
Views: 2,214
Keywords: Fortinet
Id: ahJro3yEGNQ
Length: 22min 24sec (1344 seconds)
Published: Fri Apr 02 2021