08-20-2009 01:12 AM
I'm doing a POC project about VPN is to create site to site VPN between SSG and Fortinet 200. I have already setting ssg and fortinet, but i confused why client pc behind ssg cannot ping to client pc behind fortinet or vice versa after tunnel is active.
I also attached screen capture of configuration. if we see at logs the authentication and phase 1, phase 2 is completed.
i need advice asap...
Note: any guide for this?
Thanks in advanced
Solved! Go to Solution.
08-20-2009 01:27 AM
seems like the vpn tunnel is down. do u enable monitoring on phase 2 ? if yes, try to disable it , and the second could you see byte sent from the policy log ? or traffic already hit VPN policy ? if yes we already sent the packet to the tunnel and not get the reply from the peer. try also doing debug flow basic with filter
08-20-2009 01:32 AM
Just for addition, you can also try the VPN troubleshooting guide on KB
How do I troubleshoot a Site-to-Site VPN where the SA is Up, but the status is Down?
08-20-2009 04:01 AM
yes you're right the SA status is active, but the tunnel is down if wee see in tunnel monitoring.
yes i enabled monitoring on phase 2. why have to disable it?
if i see in the log there are traffics hit policy but i think cannot pass through the ssg to outside, because if see in log policy the traffics from source to destination is close response... there are no byte sent.
actually what is the meaning of SA active but Link is down? when SA is active its suppose to be the tunnel is connected right?
for info: after SA is active, but Link is down see in monitoring tunnel in ssg, i just can ping to the fortinet public interface from client pc behind ssg but cannot to client pc behind fortinet.
actually what do you think about my configuration if you see the logs i sent to you before.. does the tunnel connected right?
do you have a guide to configure site to site VPN between ssg and fortinet? because maybe something wrong or less in my configuration, so i need some documentation to make sure its right.
I need more input from you...
Thanks a lot.
08-20-2009 04:33 AM
if the peer is non juniper device, you should disable monitoring. if not the link status will show down.
Please try to disable monitoring first and see the traffic ( unset vpn <vpn> monitor.)
i after disable monitoring still can not passing data, please check the log policy, does policy log show bytes sent?
if u mind, u can send me the config and also the screenShot of policy log, but try first to disable vpn monitoring
08-20-2009 04:40 AM
The following some information that i can get from KB, maybe help you to fix the problem
The remote gateway is a non Juniper device and not able to understand the proprietary VPN monitoring packets sent by the Juniper device, and the remote gateway is dropping the packets.
To correct this problem, configure the Source interface and Destination IP in the VPN monitor, so that a host (which can reply for a regular ICMP request) behind the non Juniper device is tracked.
VPN monitor periodically sends ICMP requests to the end host and expects a reply, so make sure the end host has ping enabled and is not down. Also, ICMP needs to be enabled/permitted by the remote VPN gateway to allow the VPN Monitor packets.
08-20-2009 05:20 AM
Ok i will try your suggestion on next week... and i will tell you about the updates on next week.
Thanks a lot for your support.
08-21-2009 05:33 AM - edited 08-21-2009 05:37 AM
From the screenshot you sent for Juniper device, i think you have configured Policy based VPN- ON Juniper
I would like to suggest you following things and request you to follow them in sequence.
1: Check and confirm all the setting on Fortigate if its policy based or not. Because i can't see that from your fortigate configuration as you just sent screenshot of the logs. Trust me fortigate logs are not so informative from GUI.So the logs screenshot that you pulled out here are only holding 5 % of nformation which you would need. You can either choose the RAW logs from your logs tabs and it will give you some more details about the logs.
2: Juniper device follows Dial on Demand VPN, which means as in when the client behind IPSEC Gateway initiate a interested traffic for the opposite side PSEC Gateway, it initiates the tunnel and do the negotiation. Now in your case i can see that from the logs that your Juniper firewall has done successful Phase II negotiation and then it should work. so the question comes, why its not working.
Now here is a thing about Fortigate:-
Fortigate also follows Dial on demand VPN, but at the same time it gives you an option to BRING UP the tunnel from the MONITOR TAB of the IPSEC Connections. if i assume right then may be when you finished all your configuration on both the firewalls, you are going to fortigate and clicking on BRING UP the tunnel, and it would come showing BRING DOWN.
( There is a possibility this way, that VPN comes up, but the traffic will not pass) The reason is VPN is up because the configuration of phases are fine
( There is also a possibility that Tunnel will not come up if your configurations are not fine)
3: Now you would like to know how to get all the detailed logs from Fortigate : Bingo
Note: Before you work on these commands make sure you traffic or tunnel initiator should be Juniper then only you will get good details from the logs on
Fortigate as Juniper should be initiator and Fortigate should be recipient.
Log into the fortigate unit from cli and commands are below:-
a: For Policy based VPN
# diagnose debug enable ( # This command will give you all the details about actual vpn logs while negotiation)
# diagnose debug application ike2 ( #This command will give you all the details about the phase 2 logs)
b: For Route Based VPN
# diagnose debug flow show console enable (#This would show ou all the message on the Cli window itself)
# show trace messages on console (# For Trace Msg)
# diagnose debug flow trace start 2 (# shows Actual logs as to why the traffic is not being allowed)
Now About Juniper:
On Juniper all the logs are very clear as it displays them on the dashboard and its easy to troubleshoot also. So i would not comment on that part.
Taking about the Tunnel LINK DOWN ?
Yes i think its because of the wrong interface ( it should be your External Interface which would just initiate a ICMP to the Desination gateway and show you
if the link is up or not. I dont see that any reason why fortigate would reject it)
However still if you feel you want to test it: then follow this:
Log into the CLI of Fortigate:
Fire this command:- IF you want to verify if the juniper device is sending ICMP packets and Fortigate is blocking it.
$ Diagnose sniffer packets external ' host 18.104.22.168 and proto 1'
In this command " Diagnose sniffer packets" is normal and it would come up the moment you use TAB key ( its autocomplete)
"external " it is the interface on which you would be sniffing the packets. Now " proto 1 " is the protocol number of ICMP
Fire This command: - IF you want to check and verify if the Juniper is sending some packets on port 500 or not.
$ Diagnose sniffer packets external ' host 22.214.171.124 and port 500'
Above suggestion should resolve your problems. if not then please paste the output of
$ diagnose debug enable " from the fortigate"
all the best!!!
08-26-2009 12:54 AM
I already tested according your suggestion, i disabled vpn monitoring and it can run well and client between 2 site can ping each other.
for now i used static IP address on both SSG and Fortinet.
my next question is: for example i want to configure like this:
1. in Fortinet using stataic IP like current condition
2. in SSG using dynamic ip from ISP.
how to configured dynamic IP in SSG, so fortinet can establish VPN connection with SSG?
08-26-2009 01:28 AM
Let say SSG140 ( Site A ) and Fortinet (SIte B )
Site A : dynamic ip
Pre-shared : netscreen
P1 Proposal : pre-g2-3des-sha
P2 Proposal : g2-esp-3des-sha
Site B : 126.96.36.199
Pre-shared : netscreen
P1 Proposal : pre-g2-3des-sha
P2 Proposal : g2-esp-3des-sha
For dynamic ip u can use local id as indentifier. in this case i use email address firstname.lastname@example.org and use aggresive mode since this using dynamic IP.
for detail config like below
or u can refer also to this KB for detail