Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2152
Views
0
Helpful
3
Replies

Issues with IPsec Tunnel cisco asa vs fortigate

Luis Carranza
Level 1
Level 1

‎10-31-2018 09:12 AM - edited ‎02-21-2020 08:25 AM

Hi guys

 

I got a situation with an IPsec Tunnel and i don't know what else I need do, this is the situation:

 

I already configured a VPN Tunnel between my Cisco ASA and a Fortigate 100D everything is up (Phase 1 and Phase 2), this tunnel was created because we need to monitor 5 devices (couple of switches and a call manager) the devices that we already monitoring are the Switch Core (10.0.5.20) and the Call Manager (10.0.5.21) (the IPs are not the real ones is just for information) but we got problems trying to reach 3 Switches that are on a different network (10.0.1.x) 

 

When i send a ping from my server (172.26.5.80) to one of the devices let's say 10.0.1.5 I see that the packet reach the Cisco asa and send it through the Tunnel but on the Fortigate side they don't see anything they only see the request to the IPs 10.0.5.20 and .21

 

If I execute the ping backwards i mean from the 10.0.1.5 to my server 172.26.5.80 it doesn't respond until i execute a ping from my server to the switch looks like it's waiting to see the communication open on the Tunnel

 

About the configuration on both sides we already checked and everything looks good.

 

I hope all of you understand what i tried to explain.

 

Regards

0 Helpful
3 Replies 3

mkazam001
Level 3
Level 3

‎11-03-2018 02:05 PM

For verification on the ASA, you could run CLI packet tracer to confirm that the config is good:

packet tracer input inside icmp source-ip 8 0 dest-ip det

Regards,

Azam

0 Helpful

Luis Carranza
Level 1
Level 1

‎11-07-2018 08:52 AM

I think i found the issue, on the Fortinet side the admin was using "named address" something like object groups and this can cause some issues in the VPN crypto map. I'm asking to the admin to change the "named address" to the IP address. I will let you know how it goes.

 

Regards

0 Helpful

mkazam001
Level 3
Level 3
In response to Luis Carranza

‎11-07-2018 11:37 AM

hope it works, I only have knowledge of the ASA, not Fortigate

regards, mk

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card