07-27-2015 05:06 AM
Hi,
I have established a site-to-site VPN tunnel between an ASA 5505 and a Fortigate firewall. The tunnel is up, and traffic from the ASA LAN
to the Fortigate LAN is working perfectly (ICMP, Telnet), but traffic from the Fortigate LAN to the ASA LAN is not working at all.
ASA-LAN----->ASA_GATEWAY------------Internet ----------------------------Fortigate-VPN Gateway------------------Fortigate-LAN
From ASA LAN----to--Fortigate LAN === OK
From Fortigate-LAN -- to--ASA-LAN ==== not working..
Fortigate policies are in place.
ASA firewall rules are also in place. --- I have created one outside rule from Fortigate-LAN-2-ASA-LAN and also created
one inside rule from ASA-LAN-2-Fortigate-LAN.
Please help me if I am missing some configurations.
Ahmed
07-27-2015 05:17 AM
Hello, Ahmed.
Let's try to isolate the problem. You can use the following command on the ASA:
show crypto ipsec sa | i encaps|decaps
With this command you'll see whether the packets from the Fortigate's LAN are reaching the ASA. So please try to initiate some connections from the Fortigate's LAN to the ASA's LAN and simultaneously issue the show crypto ipsec sa | i encaps|decaps command on the ASA.
If you see that the "decaps" counters are increasing, we will be sure that the packets from the Fortigate reach the ASA and that the ASA is able to decapsulate them. If the counters are not increasing, the issue is somewhere on the link or on the Fortigate.
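Added example (not from the thread): a small script that compares two snapshots of the filtered ASA output above and reports whether the decaps counters moved. The counter line format follows the ASA's "#pkts encaps/decaps" lines; the snapshot contents and values are constructed.

```python
import re

# Constructed sample of `show crypto ipsec sa | i encaps|decaps`, taken twice
# while test traffic is started from the Fortigate LAN. Two SAs are shown so
# the per-SA counters have to be summed. Counter values are made up.
SNAPSHOT_BEFORE = """\
      #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
      #pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
      #pkts encaps: 88, #pkts encrypt: 88, #pkts digest: 88
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Second snapshot where only encaps moved: nothing came back through the tunnel.
SNAPSHOT_AFTER_STALLED = """\
      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
      #pkts encaps: 88, #pkts encrypt: 88, #pkts digest: 88
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Second snapshot where decaps moved: Fortigate packets arrive and are decrypted.
SNAPSHOT_AFTER_RECEIVING = """\
      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 52, #pkts decrypt: 52, #pkts verify: 52
      #pkts encaps: 88, #pkts encrypt: 88, #pkts digest: 88
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Only the encaps/decaps packet counters matter here; encrypt/digest/verify are ignored.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_counters(output):
    """Sum the encaps and decaps packet counters over every SA in the output."""
    totals = {"encaps": 0, "decaps": 0}
    for direction, count in COUNTER_RE.findall(output):
        totals[direction] += int(count)
    return totals


def diagnose(before, after):
    """Return the counter deltas and what they say about the Fortigate->ASA direction."""
    b, a = parse_counters(before), parse_counters(after)
    delta = {k: a[k] - b[k] for k in ("encaps", "decaps")}
    if delta["decaps"] > 0:
        verdict = "decaps increasing: Fortigate LAN packets reach the ASA and are decapsulated"
    else:
        verdict = "decaps not increasing: issue is on the link or on the Fortigate side"
    return delta, verdict
```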
07-28-2015 07:48 AM
Boris,
Thanks for the valuable tips. I think the problem is on the Fortigate side and I will keep
looking for what I am missing.
thanks
Sorry for my broken English
07-30-2015 11:22 PM
How do your policies on the Fortigate look? If it's a policy-based VPN on the Fortigate with the action set to IPsec, then move it to the top and make the source and destination specific instead of all to all.
HTH
Hitesh
08-01-2015 07:20 AM
Hi Hitesh,
The Fortigate policies are at the top of all policies; still there is only one-way connectivity (from the ASA LAN to the Fortigate LAN is OK), but connectivity the other way is not happening.
Also, a static route towards the Fortigate phase 1 interface is in place.
08-01-2015 07:29 AM
Hi Ahmed
Please go to the phase 1 settings of the Fortigate and check whether the interface is enabled or not. If it's not, then you would need to remove the static route towards the tunnel.
Secondly, please check for any policy routes under Routes to make sure you don't have an override there.
Also provide the output of:
diag vpn tunnel list
get router info routing-table all
Thanks
Hitesh
08-01-2015 10:36 PM
04-29-2021 05:19 AM
Hello @Ahmed Abdi,
Can you screenshot the policies in place plus the routes from the Fortigate firewall?
thanks