Hi Marvin,

Thanks for the input. I adjusted the NAT to include the destination. I had it like this before and changed it to test. I am trying everything now ;)

No, I am not seeing any SA's for the network 10.10.7.0. Only for the 10.2.0.0 when I am generating traffic from inside to the 192.168.8.0 network.

See attached for the packet tracer.

Thanks,

Brandon

The packet-tracer GUI seems to be saying an ACL is causing it to fail on the VPN phase. That doesn't make sense given what you shared above though. I've know the GUI to sometimes mislead though.

Can you run it from cli so we can see more detail? e.g.:

packet-tracer input inside tcp 10.10.7.10 http 192.168.8.96 http detail

...assuming your inside interface is named "inside"

Here you go - see attached.

Does remote-tunnel administrator allow your subnet "10.10.7.0 255.255.255.0" traverse via the tunnel ?

Yes, I just posted the policy above from the remote end.

I'm with rizwanr74 on this - it looks like the remote side doesn't have a matching crypto map entry so there's not a corresponding IPsec SA that the VPN can put the encrypted packets into.

The packet tracer output and the fact that "show crypto ipsec sa" doesn't show the SAs for the 10.10.7.0/24 network both lead to that conclusion.

Okay, thanks guys. I think you guys are right :)

I just checked the Fortinet Policy at the remote device and it looks like I did not set a policy allowing anything from source 10.10.7.0/24 to the 192.168.8.96. I will adjust the policy tomorrow and let you know the results.

Actually, after reviewing the Firewall policy on the other side it looks right.

See below output from the CLI "sh firewall policy" on the Fortigate:

"internal1" = 192.168.8.0/24
"SERVER" = 192.168.8.96/32
"DATA CENTER" = 10.2.2.0/24
"MPLS" = 10.10.7.0/24

edit 69
        set srcintf "internal1"
        set dstintf "wan1"
            set srcaddr "SERVER"             
            set dstaddr "DATA CENTER" "MPLS"             
        set action ipsec
        set schedule "always"
            set service "ANY"             
        set inbound enable
        set outbound enable
        set vpntunnel "DATACENTER-WINDSTREAM"

The Data Center subnet 10.2.2.0/24 works and the the 10.10.7.0/24 is not working. Could this be failing because I am only
allowing traffic to the host .96 IP address? The policy for the 192.168.8.0/24 and 10.2.2.0/24 is naming the entire network
and I have the non-working policy to only permit traffic from the 10.10.7.0/24 network to the host IP 192.168.8.96. I would not think so,
but it is a difference in the policy

Thanks,

Brandon

Hi Brandon,

"Could this be failing because I am only allowing traffic to the host .96 IP address?"

Whether it is host IP address or entire subnet mask that you include in the tunnel at one end and you must match them at other end as well, eye for an eye match.

"I have the non-working policy to only permit traffic from the 10.10.7.0/24 network to the host IP 192.168.8.96."

If you can permit the missing subnet "10.10.7.0/24" on Fortigate gear should resolve your problem and if that is not doable on Fortigate device, then you can put in place a dynamic-policy nat on ASA and this is an alternate solution could work as well.

Hope that answers your question.

Thanks

I have confirmed the policy on the Fortinet posted above and the crypto ACL matches. I am permitting 10.10.7.0/24 to host 192.168.8.96/32 on the ASA side. And the policy on the Fortinet is allowing traffic to the 192.168.8.96/32 from the 10.10.7.0/24.

In the fortinet, there is another policy permitting traffic between entire subnets 192.168.8.0/24 and 10.10.7.0/24. But the policy permitting the traffic between 10.10.7.0 and 192.168.8.96 is first in the policy rules.

See attached Text with ACL/Policy for each side. I have attached  snippet of both relevant configurations.

Anything else it could be?
 

Hi Brandon,

Line "A":  "I am permitting 10.10.7.0/24 to host 192.168.8.96/32 on the ASA side. And the policy on the Fortinet is allowing traffic to the 192.168.8.96/32 from the 10.10.7.0/24."

If the line "A" is true, then please make sure that you have nat exemption in is placed for source and destination mentioned in the line "A", and you make sure that ASA can reaches the subnet  "10.10.7.0/24" via the inside interface, a static route for sake, can you confirm this?

thanks

Hi Rizwanr74, thanks for the suggestion. Yes, the nat exempt is there and the routing is good. I have a static route on the inside interface to the 10.10.7.0 network and I can ping the inside interface of the ASA from the 10.10.7.0/24 network. And vise versa.

Here is what I have for the NAT exemption:

object network NETWORK_OBJECT_192.168.8.0
 subnet 192.168.8.0 255.255.255.0

!

nat (DATA_VLAN,outside) source static NETWORK_OBJECT_10.10.7.0 NETWORK_OBJECT_10.10.7.0 destination static NETWORK_OBJECT_192.168.8.0 NETWORK_OBJECT_192.168.8.0 route-lookup.

Does that look right to you?

Thanks,

Brandon

While troubleshooting this, should I see hits on the ASA crypto ACL if at least that side was right. I am sourcing the traffic from the 10.10.7.0 network and not seeing any hits.

FLDC-ASA-2# sh access-list | inc CRYPTO_ACL
access-list CRYPTO_ACL line 2 extended permit ip 10.10.7.0 255.255.255.0 host 192.168.8.96 log informational interval 300 (hitcnt=0) 0xf36c2de4