VPN/SD-WAN/IPsec site-to-site issue

Hi,

I am testing two subnets to a remote site.

HQ:

Subnet 1: 192.168.1.0/24

Subnet 2: 192.168.2.0/24

I have tested the connectivity and captured packets. The traffic is exiting the VPN interface (e.g., test-vpn). Assuming the routing policies are correct, the following observations were made:

Subnet 1 is working; it can reach 192.168.10.0/24.

Subnet 2 is not working; it can't reach 192.168.10.0/24.

Branch:

The branch firewall shows that packets received from the source 192.168.2.0 network are zero.

I don’t think the ISP is blocking the traffic because one subnet is working.

What I Noticed:

I had a previous tunnel configuration like the one below, but it is currently down. Traffic that matched the previous tunnel configuration does not work anymore.

```plaintext
edit "vlan2-to-cloud"
    set phase1name "VpnToCloud"
    set proposal aes256-sha256
    set dhgrp 5
    set src-subnet 192.168.2.0 255.255.255.0
    set dst-subnet 192.168.10.0 255.255.255.0
```

Commands Used:

get router info routing-table details 192.168.10.1

Cannot access this subnet from 192.168.2.0/24.

This subnet can be accessed from 192.168.1.0/24.

diag deb flow filter addr 192.168.10.1

diag deb flow trace start 500

diag deb en

Please help.

If traffic is leaving HQ correctly what do you see on the branch?

What firmware? We had an issue when we upgraded to 7.2.x. We could see traffic leaving but the tunnel was down. We reverted and it came back. Oddly, it works fine on the branch firewall; when we updated the main one it broke.

Are your phase 1 and phase 2 up?

I can see it from Subnet 1 (192.168.1.0/24) but not from Subnet 2 (192.168.2.0/24).

7.2.5, the tunnel is up, and some traffic is going through, as I said earlier.

Then traffic isn’t leaving HQ correctly and you should see that in a debug flow.

Could you share your tunnel config after masking sensitive info?

FGT (root) # diag deb flow filter addr 192.168.10.1

FGT (root) # diag deb flow trace start 500

FGT (root) # diag deb en

This is not working (I sent 1 ICMP packet):

FGT (root) # id=65308 trace_id=10644 func=print_pkt_detail line=5779 msg="vd-root:0 received a packet(proto=1, 192.168.2.10:13->192.168.10.1:2048) tun_id=0.0.0.0 from CoreSide. type=8, code=0, id=13, seq=52104."

id=65308 trace_id=10644 func=init_ip_session_common line=5964 msg="allocate a new session-902447c9, tun_id=0.0.0.0"

id=65308 trace_id=10644 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2134179855: to 192.168.10.1 via ifindex-74"

id=65308 trace_id=10644 func=vf_ip_route_input_common line=2605 msg="find a route: flag=00000000 gw-10.0.0.3 via VPN-1"

id=65308 trace_id=10644 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=50, len=3"

id=65308 trace_id=10644 func=fw_forward_handler line=990 msg="Allowed by Policy-239:"

id=65308 trace_id=10644 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface VPN-1, tun_id=0.0.0.0"

id=65308 trace_id=10644 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel VPN-1 vrf 0"

id=65308 trace_id=10644 func=esp_output4 line=895 msg="IPsec encrypt/auth"

id=65308 trace_id=10644 func=ipsec_output_finish line=629 msg="send to X.X.X.X via intf-port28"

where X.X.X.X is my router IP, masked.
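The debug flow above shows the 192.168.2.10 packet being routed into VPN-1, encrypted and sent, while the only phase 2 entry in the thread that names 192.168.2.0/24 (vlan2-to-cloud) sits under a different, down phase 1 (VpnToCloud). A quick way to check that kind of mismatch offline is to line up the phase 2 selectors against what the flow trace says. The script below is an added example, not code from this thread or from Fortinet: it parses a phase2-interface config and a debug-flow excerpt in the shape of the poster's output, reports whether the flow is covered by a selector on the tunnel the route actually chose, and renders the stanza that would move that selector onto the live tunnel plus its mirror image for the branch. The "vlan1-to-cloud" entry under phase 1 "VPN-1", the tunnel up/down states, the "to-HQ" branch phase 1 name and all sample lines are constructed assumptions; the real inputs would come from `show vpn ipsec phase2-interface` and `diagnose vpn tunnel list` on the HQ firewall.

```python
import ipaddress
import re

# --- Constructed inputs (assumptions, not copied from the thread) -------------
# Phase 2 selectors as 'show vpn ipsec phase2-interface' would print them.
# "vlan2-to-cloud"/"VpnToCloud" and the subnets come from the post; the entry
# "vlan1-to-cloud" under phase1 "VPN-1" is assumed (it explains why
# 192.168.1.0/24 works while 192.168.2.0/24 does not).
HQ_PHASE2 = """
config vpn ipsec phase2-interface
    edit "vlan1-to-cloud"
        set phase1name "VPN-1"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
    edit "vlan2-to-cloud"
        set phase1name "VpnToCloud"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
"""

# Phase 1 state, as 'diagnose vpn tunnel list' would report it (assumed).
TUNNEL_UP = {"VPN-1": True, "VpnToCloud": False}

# Debug-flow excerpts in the shape of the poster's output (constructed).
TRACE_SUBNET2 = """
msg="vd-root:0 received a packet(proto=1, 192.168.2.10:13->192.168.10.1:2048) tun_id=0.0.0.0 from CoreSide."
msg="find a route: flag=00000000 gw-10.0.0.3 via VPN-1"
msg="output to IPSec tunnel VPN-1 vrf 0"
"""
TRACE_SUBNET1 = TRACE_SUBNET2.replace("192.168.2.10", "192.168.1.10")

PKT_RE = re.compile(r"received a packet\(proto=\d+, (\S+?):\d+->(\S+?):\d+\)")
TUN_RE = re.compile(r"output to IPSec tunnel (\S+)\s")


def parse_phase2(text):
    """Map phase2 name -> {'phase1': str, 'src': IPv4Network, 'dst': IPv4Network}."""
    entries, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "(.+)"$', line)
        if m:
            cur = m.group(1)
            entries[cur] = {}
            continue
        m = re.match(r"set (phase1name|src-subnet|dst-subnet) (.+)$", line)
        if m and cur is not None:
            key, val = m.groups()
            if key == "phase1name":
                entries[cur]["phase1"] = val.strip('"')
            else:  # "192.168.2.0 255.255.255.0" -> IPv4Network('192.168.2.0/24')
                ip, mask = val.split()
                entries[cur][key[:3]] = ipaddress.ip_network(f"{ip}/{mask}")
    return entries


def parse_trace(text):
    """Pull (src, dst, egress tunnel) out of a debug-flow excerpt."""
    pkt, tun = PKT_RE.search(text), TUN_RE.search(text)
    if not pkt or not tun:
        raise ValueError("trace lacks packet detail or tunnel output line")
    return ipaddress.ip_address(pkt.group(1)), ipaddress.ip_address(pkt.group(2)), tun.group(1)


def selector_check(trace, phase2, tunnel_up):
    """'ok': a selector on the (up) egress tunnel covers src->dst.
    'stale': only a selector on some other phase1 covers it (e.g. the old tunnel).
    'none': no selector covers it at all."""
    src, dst, tunnel = parse_trace(trace)
    stale = None
    for name, sel in phase2.items():
        if src in sel["src"] and dst in sel["dst"]:
            if sel["phase1"] == tunnel and tunnel_up.get(tunnel, False):
                return "ok", name
            stale = name
    return ("stale", stale) if stale else ("none", None)


def render_phase2(name, phase1, src, dst):
    """FortiOS phase2-interface stanza that would carry src -> dst."""
    return "\n".join([
        "config vpn ipsec phase2-interface",
        f'    edit "{name}"',
        f'        set phase1name "{phase1}"',
        f"        set src-subnet {src.network_address} {src.netmask}",
        f"        set dst-subnet {dst.network_address} {dst.netmask}",
        "    next",
        "end",
    ])


def proposed_fix(trace, phase2, tunnel_up, branch_phase1="to-HQ"):
    """For a 'stale' flow return (hq_stanza, branch_stanza): the stale selector
    re-homed onto the tunnel the route uses, and its src/dst mirror for the
    branch side (branch_phase1 is an assumed name). None when nothing to fix."""
    status, name = selector_check(trace, phase2, tunnel_up)
    if status != "stale":
        return None
    _, _, tunnel = parse_trace(trace)
    src, dst = phase2[name]["src"], phase2[name]["dst"]
    return (render_phase2(name, tunnel, src, dst),
            render_phase2(name, branch_phase1, dst, src))


if __name__ == "__main__":
    sel = parse_phase2(HQ_PHASE2)
    for label, trace in (("subnet1", TRACE_SUBNET1), ("subnet2", TRACE_SUBNET2)):
        print(label, selector_check(trace, sel, TUNNEL_UP))
    hq, branch = proposed_fix(TRACE_SUBNET2, sel, TUNNEL_UP)
    print(hq, branch, sep="\n")
```

The branch stanza is the important half: a selector added only on HQ makes the packet leave encrypted exactly as the trace shows, but the peer still has nothing that admits 192.168.2.0/24 to 192.168.10.0/24, and a route back to Subnet 2 is needed at the branch regardless of how the selectors look.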

And that same debug flow on the branch is showing nothing?

Check the routing at the remote site and make sure there is a route to Subnet 2.