
Fortigate VPN problems? Tell your Fortigate what to do.

I spent a long while trying to bring up a tunnel to a third party over a dedicated extranet using a Fortigate and a Checkpoint.

The IPsec phase configs were very simple, and we double-checked several times that they matched on both ends. I even produced PCAP files at the interface to verify.

The majority of the complexity was in the network configuration.

Basically, our “routing provider” (the extranet), by policy, would not do us the favor of NATing by packet destination address; they would only NAT by source address. Since we were using them to interconnect to two different sites, we had two different NAT address pools to pick from, one for each destination, each being the pool that destination expected to see.

The second, and troublesome, third party we were interconnecting to required that a VPN be put in place. “No problem!” I thought (of course). But I didn’t foresee how much the dumbed-down configuration methods Fortigate offers would add to the difficulty.

First off, I had to change the source address of the IPsec packets that were destined for this third party (let’s call them Bob). Bob would only accept traffic from, and the only way my packets would be NATed to this is if they were tagged with the source address “Simple,” you think. “That’s what a NAT statement at the interface is for!” Wrong. Not on a Fortigate. On a Fortigate, the setting is configured IN the VPN tunnel Phase 1 configuration, and the setting is called “Local Gateway Address.” How is any of this related to a “local gateway”? And why would I be configuring the “local gateway address” to be the source IP of my IPsec packets? What madness!

Anyway, after figuring out this cryptically named setting, I saw the packets… I saw them going… Bob saw them coming… Bob then replied… I saw them coming back… But, yes, after over 10 hours of active troubleshooting and calls to Fortinet (“is this a bug?!”), everyone realized… the Fortigate didn’t know where lived! I really think this is VERY stupid: they make it idiot-proof with their “friendly” “Local Gateway Address” setting (when all I want is to NAT some damn packets at the interface), but don’t want to make it too idiot-proof and associate a secondary IP with the interface, so that the Fortigate knows that traffic is its own. But… no. I can’t just add a secondary IP to an interface when that IP falls within a subnet that already exists on any interface… there’s a boolean setting for that (per VDOM). That setting is:

config system settings
set allow-subnet-overlap enable
end

Once you set this, don’t you dare try to set the secondary IP in the GUI, where there is a nice shiny button… because it won’t allow you to set it! You must do that through the CLI as well; the setting is:

config system interface
edit [interface name]
 set secondary-IP enable
 config secondaryip
  edit 1
   set ip [ip address] [netmask]
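As an added example (not from the post and not Fortinet's code), here is a small Python check for exactly the mistake described above: a phase 1 whose local gateway address is not an address any interface owns. It assumes that `set local-gw` is the CLI form of the GUI's “Local Gateway Address”, and it parses a constructed FortiOS-style config excerpt with RFC 5737 addresses.

```python
# Added example, not from the post or Fortinet: find IPsec phase 1 entries whose
# "local-gw" (assumed CLI form of "Local Gateway Address") no interface owns.
SAMPLE_CONFIG = """\
config system interface
    edit "port2"
        set ip 198.51.100.10 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 198.51.100.77 255.255.255.0
            next
        end
    next
end
config vpn ipsec phase1-interface
    edit "to-bob"
        set interface "port2"
        set local-gw 198.51.100.77
    next
    edit "to-carol"
        set interface "port2"
        set local-gw 198.51.100.78
    next
end
"""  # constructed sample config, not taken from a real device

def parse(config):
    """Return ({interface: {owned IPs}}, {tunnel: {"interface", "local-gw"}})."""
    owned, tunnels, stack, cur = {}, {}, [], None
    for w in (line.split() for line in config.splitlines() if line.strip()):
        top = stack[-1] if stack else ""
        if w[0] == "config":
            stack.append(" ".join(w[1:]))
        elif w[0] == "end":
            stack.pop()
        elif w[0] == "edit" and top == "system interface":
            cur = owned.setdefault(w[1].strip('"'), set())
        elif w[0] == "edit" and top == "vpn ipsec phase1-interface":
            cur = tunnels.setdefault(w[1].strip('"'), {})
        elif w[:2] == ["set", "ip"] and top in ("system interface", "secondaryip"):
            cur.add(w[2])  # primary IP or a secondaryip entry of the current interface
        elif w[0] == "set" and w[1] in ("interface", "local-gw"):
            cur[w[1]] = w[2].strip('"')
    return owned, tunnels

def unowned_local_gateways(config):
    """Tunnels whose local-gw no interface owns: the box cannot accept IKE replies to it."""
    owned, tunnels = parse(config)
    return {n: t["local-gw"] for n, t in tunnels.items()
            if "local-gw" in t and t["local-gw"] not in owned.get(t.get("interface"), set())}
```

Run it against a `show full-configuration` dump before bringing a tunnel up; any tunnel it reports needs the secondary IP (and, if the address overlaps another interface's subnet, `allow-subnet-overlap`) added first.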

So, all in all, you want something to work?  You have to tell it to work.

It’s things like this that make me question why I call myself an infrastructure engineer!

Remember the following things are your friends!

#debug vpn
diag debug enable
diag debug console timestamp enable
diag debug app ike -1

#sniff traffic
diag debug enable
diag debug console timestamp enable
diag sniffer packet any 'host [ip address]' 1

#debug firewall policy packet flow
diag debug enable
diag debug console timestamp enable
diag debug flow filter addr [ip address]
diag debug flow show console enable
diag debug flow trace start 1000

#clear all debugging stuff
diag debug flow show console disable
diag debug flow trace stop
diag debug flow filter clear
diag debug disable
diag debug reset
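Added example (not the post's own code): a Python summarizer for the output that the `diag debug flow` commands above produce, grouping lines by `trace_id` and pulling out the packet tuple, ingress interface, function path and verdict. The sample lines are constructed in the `id=`/`trace_id=`/`func=`/`msg=` shape FortiOS prints, with RFC 5737 addresses; they are not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of "diag debug flow" output (not a real capture). Trace 1 is
# an IKE reply to an address the box does not own; trace 2 is an ordinary forward.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=17, 203.0.113.9:500->198.51.100.77:500) from port2."
id=20085 trace_id=1 func=init_ip_session_common line=5520 msg="allocate a new session-0000012f"
id=20085 trace_id=1 func=fw_local_in_handler line=389 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 10.0.0.5:1->192.0.2.20:2048) from port1."
id=20085 trace_id=2 func=fw_forward_handler line=743 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=2 func=__ip_session_run_tuple line=3213 msg="SNAT 10.0.0.5->198.51.100.10:60001"
"""

LINE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
PKT = re.compile(r'\((proto=\d+), (\S+)->(\S+)\) from (\S+)\.')

def summarize_flow(text):
    """Group a flow trace by trace_id and record packet tuple, steps and verdict."""
    traces = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces[tid]
        pkt = PKT.search(msg)
        if pkt:
            t["proto"], t["src"], t["dst"], t["in"] = pkt.groups()
        elif "drop" in msg or "Denied" in msg:
            t["verdict"] = "drop: " + msg
        elif "accept" in msg or "Allowed" in msg:
            t["verdict"] = "accept: " + msg
        t.setdefault("steps", []).append(func)
    return dict(traces)

def dropped(text):
    """Return {trace_id: (destination, verdict)} for every packet the trace drops."""
    return {tid: (t.get("dst"), t["verdict"]) for tid, t in summarize_flow(text).items()
            if t.get("verdict", "").startswith("drop")}
```

Feed it the console output captured while the flow trace runs; a drop at `fw_local_in_handler` for a destination you intended the firewall to own is the symptom the post describes.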
  1. October 3, 2013 at 7:11 pm

    Awesome post, thank you!
    I really liked the small summary for the debugging in the end too! Very handy.

  2. Geri
    February 10, 2016 at 3:53 am

    Hi mbrownnyc. I'm trying to do more or less a config like your post… explanation:
    Internal LAN – FGT ====vpn ipsec===FGT (webfilter/applcontrol/av) == NAT Internet
    Got packet loss, session mismatches, issues related to downloading files etc… Please, I'm not a network engineer but any help or idea would be MUCH MUCH appreciated.
    Fortinet is asking for debug etc. but no valid response.
    Tried (almost) everything: MTU settings, session-ttl etc. etc., but no chance.

    • February 10, 2016 at 6:50 am

      The VPN and the “issues related to download files” are isolated. From your LAN, you get Internet access via a VPN tunnel to another Fortigate device?

  3. geri
    February 10, 2016 at 7:26 am

    Yes, correct. Since the FortiGuard Service is expired on my FGT, I'm trying to do webfilter/av/appl control etc. from another FGT with a valid subscription. Also tried to “navigate” without any restrictions, same story (so it's not me blocking myself)…. Got session drops (ping active all the time, Exchange server, Skype etc… all of these got disconnections and {seems to me: session lost}). I beg your pardon for my poor English and/or not so technical explanations.
    So far I got enabled, disabled, re-enabled as follows:
    FortiGuard Services All, Proxy Options, Client comfort, ttl-session, MTU values, NAT traversal, update firmware to 5.2 build 711, almost forgot, MTU values in my OSPF interfaces… nothing… still got issues.

    Maybe I can give you a hint: proxy instead is working fine. (300 PCs with proxy can be a pain in the OS SACRUM – it's not a valid option!!!!)

    Successful config done before:
    LAN > FGT200B >> routers > Layer2/802.11 VLAN connection > FGT310B with active FortiGuard > Internet = EVERY DARN THING WAS FINE! (10 km of dark fiber)

    Oh man… it's driving me crazy, Fortinet is asking for debug logs, then asks me for net diagrams and SILENCE!
    PLEASE HELP. Any suggestions, change or try, I got no restrictions at all so I can apply it almost immediately.
    THANK YOU VERY MUCH IN ADVANCE! Greetings from Albania.

    • February 10, 2016 at 11:35 am

      What did Fortigate say? Why aren’t you leveraging them? The MTU settings shouldn’t be modified. The only time I’ve seen (in recent years) this be modified is when dealing with jumbo frames with iSCSI SAN. What OSPF interface? Dark fibre? Are you tossing out these phrases for fun or are you a network engineer? Either way, my suggestion is, find a network engineer to redesign this part of your network or continue to work with Fortinet support. The design seems flawed and needs to be cleaned up.

      • February 11, 2016 at 4:17 am

        Sorry if I expressed myself, maybe, in the wrong way. Just wanted to give you more info; fun is over since I cannot do FortiGuard on my FGT310B. And yes, my network is designed by an engineer. These modifications were made not by chance, since 2 weeks asking over and over, so do 1 step, see results, go back.
        Forget everything… all settings are as they should be. MTU values reset to default (1500).
        My final question is:
        LAN > FGT310B >> IPSEC = 2 independent tunnels (2 different public IPs, 200 Mb) (in ZONE) >> FGT800C > Internet.
        Controlling internet content with another firewall in another country, that's my intention.
        What can I do to reduce session mismatch, dropped sessions, etc.? Is there anything on the IPSEC tunnels I should modify (IKE 1), NAT, or any hint that I should check? Is it latency, ipsec, nat, zone, what the heck is the problem? Thank you & have a nice day.

        • February 11, 2016 at 7:14 am

          It sounds like you have a VPN issue. Have you reviewed logs? What about running the debug commands? Can the VPN establish connection?

          • February 11, 2016 at 7:47 am

            VPNs are UP all the time, no disconnections. Tunnels: no issues at all. In the debug (from what they translated to me), they found: session mismatch (at the FGT that's NATing). I repeat, this kind of “networking” is doing fine, except for the fact of losing/renewing sessions.
            Downloads of any size, video & streaming, ICMP, randomly restarting. Measured the time-lapse of these problems… no relation or specific time when this happens.
            Talking to the guys at my ISPs I managed to drastically reduce the latency between the 2 sites, from 70ms to 40ms! Not a latency-related issue.
            What's bothering me most is that PROXY is working. OK, I can tell the difference between proxy and NAT… and maybe there is a CACHE problem… but why the heck do I have the same issues even when nobody is working, no one is accessing the internet… just a simple stupid ICMP running… packet lost, packet lost (renew sessions)!

            • February 11, 2016 at 8:39 am

              I don’t have answers for you. If you focus on each piece, and dedicate yourself to resolving each piece, you will resolve the entire thing. You have session mis-matches, fix them. You have other problems, fix them. I have nothing else to add here.

  4. February 11, 2016 at 8:59 am

    Oh, at least… some statement to get a tattoo of! That's precisely what I did and keep doing. Thanks for your time. Cheers & have a nice day.
