ASA-2-FORTIGATE SITE -2-SITE

Ahmed Abdi
Level 1

Hi,

I have established a site-to-site VPN tunnel between an ASA 5505 and a Fortigate firewall. The tunnel is up, and traffic from the ASA LAN to the Fortigate LAN is working perfectly (ICMP, Telnet), but traffic from the Fortigate LAN to the ASA LAN is completely not working.

ASA-LAN----->ASA_GATEWAY------------Internet ----------------------------Fortigate-VPN Gateway------------------Fortigate-LAN

From ASA LAN----to--Fortigate LAN === OK

From Fortigate-LAN -- to--ASA-LAN ==== not working..

Fortigate policies are in place.

ASA firewall rules are also in place. --- I have created one Outside rule from Fortigate-LAN-2-ASA-LAN and also created one Inside rule from ASA-LAN-2-Fortigate-LAN.

Please help me if I am missing some configuration.

Ahmed

 

7 Replies

Boris Uskov
Level 4

Hello, Ahmed.

Let's try to isolate the problem. You can use the following command on the ASA:

show crypto ipsec sa | i encaps|decaps

With this command you'll see if the packets from the Fortigate's LAN are reaching the ASA. So, please, try to initiate some connections from the Fortigate's LAN to the ASA's LAN and simultaneously issue the show crypto ipsec sa | i encaps|decaps command on the ASA.

If you see that the "decaps" counters are increasing, you can be sure that the packets from the Fortigate reach the ASA, and the ASA is able to decapsulate them. If the counters are not increasing, the issue is somewhere on the link or on the Fortigate.
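As an added example (not part of this thread or of any vendor tool), a small Python script that takes two captures of that filtered ASA output, one before and one after initiating traffic from the Fortigate LAN, and reports whether the decaps counter moved. The counter values in the two captures are constructed for illustration.

```python
import re

# Constructed sample captures of "show crypto ipsec sa | i encaps|decaps" on the
# ASA, taken before and after pinging from the Fortigate LAN (values are made up).
BEFORE = """\
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
"""
AFTER = """\
      #pkts encaps: 1510, #pkts encrypt: 1510, #pkts digest: 1510
      #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_counters(text):
    """Sum the encaps/decaps packet counters over every SA in the capture."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(text):
        totals[name] += int(value)
    return totals


def diagnose(before, after):
    """Compare two captures and say where a one-way failure most likely sits.

    Returns (verdict, delta). The verdict follows the reasoning in the thread:
    rising decaps means Fortigate-side packets reach the ASA and are decrypted;
    flat decaps points at the link or the Fortigate side.
    """
    b, a = parse_counters(before), parse_counters(after)
    delta = {k: a[k] - b[k] for k in b}
    if delta["decaps"] > 0:
        # Packets arrive and decrypt; if the reply never gets back, check the
        # ASA side (ACL, NAT exemption, route) rather than the Fortigate.
        return "reaching_asa", delta
    if delta["encaps"] > 0:
        # ASA is sending into the tunnel but nothing comes back from the Fortigate.
        return "not_reaching_asa", delta
    return "no_traffic", delta


if __name__ == "__main__":
    verdict, delta = diagnose(BEFORE, AFTER)
    print(f"{verdict}: encaps +{delta['encaps']}, decaps +{delta['decaps']}")
```

With several IPsec SAs in the output (one pair of lines per SA), the counters are summed, so a single flat total still means no Fortigate-side packets were decapsulated on any SA.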

Boris,

Thanks for the valuable tips. I think the problem is on the Fortigate side and I will keep looking for what I am missing.

Thanks

Sorry for my broken English

Hitesh Vinzoda
Level 4

How do your policies on the Fortigate look? If it's a policy-based VPN on the Fortigate with the action set to IPsec, then move it to the top and make the source and destination specific instead of all to all.

HTH

Hitesh

Hi Hitesh,

The Fortigate policies are at the top of all policies; still, there is only one-way connectivity (from the ASA LAN to the Fortigate LAN is OK), but connectivity the other way is not happening.

Also, a static route towards the Fortigate phase 1 interface is in place.

Hi Ahmed

Please go to the phase 1 settings of the Fortigate and check whether the interface is enabled or not. If it's not, then you would need to remove the static route towards the tunnel.

Secondly, please check for any policy routes under Routes to see whether you have an override there.

Also provide the output of

diag vpn tunnel list and

get router info routing-table all

Thanks

Hitesh

Hi Hitesh,

Thanks for the valuable tips.

The phase 1 interface for the Fortigate is enabled, and there are no routes that look to be overridden.

Attached are the outputs of

diag vpn tunnel list and

get router info routing-table all

rick_sorkin
Level 1

Hello @Ahmed Abdi

Can you screenshot the policies in place + routes from the Fortigate firewall?

Thanks
