Issue IPsec ASA 5516 to Fortigate

antoniuszoan
Level 1

[attachment: IPSEC.jpg]

I have a Cisco ASA 5516 and I want to connect a FortiGate via IPsec. IPsec is done, but I can't ping from my local to remote, or from remote to local. Maybe someone can help me solve this issue.

In this issue, from my local server I can ping the gateway on the FortiGate

[attachment: 122.PNG]

but I can't ping another server behind the FortiGate, and from the FortiGate I can't ping my gateway or a server behind the ASA.

Please help me to solve this issue.

The config on the FortiGate I think is OK; I don't know about my ASA.

My config on the ASA is attached.

9 Replies

Richard Burts
Hall of Fame

I took a quick look and your ASA configuration seems appropriate. And the fact that ping from your server to 10.1.128.250 works indicates that at least part of your VPN is working. Would you do the ping again and then post the output of show crypto ipsec sa from your ASA to verify this?

 

We do not have much detail to work with for this problem. Can you tell us what other address you are trying to ping behind the FortiGate that is not successful? Can you tell us what address behind the FortiGate is attempting to ping what address in your network that is not successful?

 

HTH


Rick

FIREWALL# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 203.171.221.2

access-list outside_cryptomap extended permit ip 10.160.40.0 255.255.255.0 10.1.128.0 255.255.255.0
local ident (addr/mask/prot/port): (10.160.40.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.128.0/255.255.255.0/0/0)
current_peer: 36.66.67.38


#pkts encaps: 17920, #pkts encrypt: 17920, #pkts digest: 17920
#pkts decaps: 16514, #pkts decrypt: 16514, #pkts verify: 16514
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 17920, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 203.171.221.2/0, remote crypto endpt.: 36.66.67.38/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 25907DF0
current inbound spi : 7B666576

inbound esp sas:
spi: 0x7B666576 (2070308214)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 161050624, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373032/5181)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFBF 0xFFFFFFFF
outbound esp sas:
spi: 0x25907DF0 (630226416)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 161050624, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4372949/5180)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001


[attachment: 2.JPG]

I try to ping this address but get RTO.

Hi,

It is looking good, as

local ident (addr/mask/prot/port): (10.160.40.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.128.0/255.255.255.0/0/0)
current_peer: 36.66.67.38


#pkts encaps: 17920, #pkts encrypt: 17920, #pkts digest: 17920
#pkts decaps: 16514, #pkts decrypt: 16514, #pkts verify: 16514

 

Check at the FortiGate side. I am suspecting a FortiGate policy or local system firewalls.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Thank you for the output that I requested. It clearly shows that the VPN is successfully negotiated and is sending and receiving over the VPN:

#pkts encaps: 17920, #pkts encrypt: 17920, #pkts digest: 17920
#pkts decaps: 16514, #pkts decrypt: 16514, #pkts verify: 16514

The negotiated parameters clearly include that traffic from any host in your specific subnet to any host in the specific remote subnet should be carried through the VPN. If you are attempting to ping another host in that remote subnet and the ping is failing, then I do not believe that it is any issue with the VPN on your side. I believe that possible causes of the problem may include:

- Is that remote IP actually assigned to a device in the remote subnet? And is that device actually active on the network at the time you attempt the ping?

- Does that device respond to ping? (Many hosts have firewalls or other security policies that do not allow ping from remote addresses.)

- Is there any security policy on the FortiGate that treats that host differently?

- Is there any address translation on the FortiGate that treats that host differently?

 

HTH


Rick
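An added example, not part of the thread and not Cisco's or Fortinet's code: a small Python script that parses a `show crypto ipsec sa` dump like the one posted above, checks whether a given source/destination pair falls inside the negotiated proxy identities (the "any host in your subnet to any host in the remote subnet" point), and turns the encaps/decaps counters into the same reasoning Rick applies. The embedded sample is a constructed, abridged copy of the OP's paste; host addresses such as 10.160.40.15 and 10.1.129.5 are assumed test values, and the set of transforms treated as legacy is the author's own choice.

```python
"""Triage a Cisco ASA 'show crypto ipsec sa' dump: proxy IDs, counters, transforms.

Added example for the forum thread; not vendor code. The sample output is a
constructed, abridged copy of the dump posted in the thread.
"""
import ipaddress
import re

# Constructed sample, abridged from the OP's paste.
SAMPLE_OUTPUT = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 203.171.221.2

local ident (addr/mask/prot/port): (10.160.40.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.128.0/255.255.255.0/0/0)
current_peer: 36.66.67.38

#pkts encaps: 17920, #pkts encrypt: 17920, #pkts digest: 17920
#pkts decaps: 16514, #pkts decrypt: 16514, #pkts verify: 16514
#send errors: 0, #recv errors: 0

inbound esp sas:
spi: 0x7B666576 (2070308214)
SA State: active
transform: esp-3des esp-sha-hmac no compression
outbound esp sas:
spi: 0x25907DF0 (630226416)
SA State: active
transform: esp-3des esp-sha-hmac no compression
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): "
                      r"\(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"^current_peer: (\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#(send|recv) errors: (\d+)")
TRANSFORM_RE = re.compile(r"^transform: (.+)$")

# Transforms the ASA still accepts but that a defender should plan to retire
# (assumed list for this example).
LEGACY_TOKENS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ipsec_sa(text):
    """Extract proxy identities, peer, traffic/error counters and ESP transforms."""
    sa = {"idents": {}, "peer": None, "counters": {}, "errors": {}, "transforms": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            side, net, mask, proto, port = m.groups()
            # ASA prints dotted masks; ipaddress accepts "net/mask" notation.
            sa["idents"][side] = {
                "network": ipaddress.ip_network(f"{net}/{mask}", strict=False),
                "proto": int(proto),   # 0 means any protocol
                "port": int(port),     # 0 means any port
            }
            continue
        m = PEER_RE.match(line)
        if m:
            sa["peer"] = m.group(1)
            continue
        for name, value in COUNTER_RE.findall(line):
            sa["counters"][name] = int(value)
        for name, value in ERR_RE.findall(line):
            sa["errors"][name] = int(value)
        m = TRANSFORM_RE.match(line)
        if m:
            sa["transforms"].append(m.group(1))
    return sa


def covers(sa, src, dst):
    """True if src -> dst is inside the negotiated local/remote proxy identities."""
    local = sa["idents"].get("local")
    remote = sa["idents"].get("remote")
    if local is None or remote is None:
        return False
    return (ipaddress.ip_address(src) in local["network"]
            and ipaddress.ip_address(dst) in remote["network"])


def assess(sa):
    """Turn the counters into plain findings, the way a reviewer reads the dump."""
    findings = []
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if enc == 0:
        findings.append("no packets encapsulated: interesting traffic is not reaching "
                        "the crypto map (check the crypto ACL, NAT exemption, routing)")
    elif dec == 0:
        findings.append(f"{enc} packets sent but none received: the far side is "
                        "dropping or not routing the replies")
    else:
        findings.append(f"tunnel carrying traffic in both directions ({enc} out / {dec} in); "
                        "look beyond the VPN at remote policy, NAT or the host firewall")
    for name, value in sa["errors"].items():
        if value:
            findings.append(f"{value} {name} errors recorded on the SA")
    legacy = set()
    for transform in sa["transforms"]:
        legacy |= set(transform.split()) & LEGACY_TOKENS
    if legacy:
        findings.append("legacy transform in use: " + " ".join(sorted(legacy))
                        + "; plan a move to AES-GCM or AES with SHA-2")
    return findings


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_OUTPUT)
    print("peer:", sa["peer"])
    print("10.160.40.15 -> 10.1.128.250 covered:", covers(sa, "10.160.40.15", "10.1.128.250"))
    for finding in assess(sa):
        print("-", finding)
```

Feed it the full dump (one SA per crypto map sequence) and the `covers` check tells you immediately whether a failing host pair is even interesting traffic for this tunnel; if it is and both counters climb while you ping, the script's first finding matches Rick's conclusion that the fault lies past the VPN rather than in it.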

Deepak Kumar
VIP Alumni

Hi,

The ASA configuration is looking good for the first phase, but at the same time, have you checked your FortiGate policies and routes?

Share the VPN show command output from the ASA and the route & policy details from the FortiGate.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi, maybe you can check this FortiGate config.

It is very difficult for me to read and understand the FortiGate configuration in text format. It would be easier for us to understand if you post a screenshot of the FortiGate end VPN configuration. As earlier experts confirmed, the tunnel configuration at the ASA side seems fine. There are a few things you can do to troubleshoot.

- On the ASA you can run Packet Tracer to be doubly sure that the ASA is not blocking traffic.
- On the FortiGate you can do a packet capture while running a continuous ping to the remote host. If you want, you can capture packets at the ASA as well.
- Make sure both hosts are configured with the proper IP/subnet/gateway, along with the host-based firewall/antivirus.

This way you get to know whether the traffic is reaching either end, and why and who is dropping the traffic.

HTH
### RATE ALL HELPFUL RESPONSES ###

[attachment: WhatsApp Image 2019-10-04 at 13.43.36.jpeg]

[attachment: WhatsApp Image 2019-10-04 at 13.38.38.jpeg]

This is the config on the FortiGate.

There are a few things I mentioned earlier. Can you post logs/output or verify the same?

- On the ASA you can run Packet Tracer to be doubly sure that the ASA is not blocking traffic.
- On the FortiGate you can do a packet capture while running a continuous ping to the remote host. If you want, you can capture packets at the ASA as well.
- Make sure both hosts are configured with the proper IP/subnet/gateway, along with the host-based firewall/antivirus.

If you want, we can work on the issue collaboratively. PM me to take this further.


HTH
### RATE ALL HELPFUL RESPONSES ###