06-20-2014 06:42 AM
Here is some traffic being sent from my DMZ to the internet and I am trying to determine what's happening. How would the community read this information?
Session 192980
c2s flow:
source: 172.17.1.5 [DR-DMZ]
dst: 199.169.208.244
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
pbf rule: Fedline 12
s2c flow:
source: 199.169.208.244 [Outside]
dst: 66.94.196.101
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
src user: unknown
dst user: unknown
start time : Tue Jun 17 14:25:00 2014
timeout : 600 sec
time to live : 600 sec
total byte count(c2s) : 7012782
total byte count(s2c) : 0
layer7 packet count(c2s) : 23853
layer7 packet count(s2c) : 0
vsys : vsys1
application : ike
rule : Rule 6
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : Fedline_DR(vsys1)
layer7 processing : completed
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : vlan.999
egress interface : ethernet1/3
session QoS rule : N/A (class 4)
session tracker stage l7proc : ctd err sw
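A way to read such a session dump mechanically, as an added Python example (not code from the original post or from Palo Alto Networks): it parses the `show session id` text above into its c2s/s2c flows and session-wide fields, then derives the points that matter for an IKE session behind NAT: the original versus translated source address, whether UDP/500 survived translation, whether any bytes ever came back, and which PBF rule chose the egress interface. The field names follow the output posted above; the function names are the example's own, and the embedded sample is the posted dump trimmed to the fields the script reads.

```python
import re

# Constructed sample input: the 'show session id' output posted in the thread,
# trimmed to the fields this script reads.
SESSION_DUMP = """\
Session 192980
c2s flow:
source: 172.17.1.5 [DR-DMZ]
dst: 199.169.208.244
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
pbf rule: Fedline 12
s2c flow:
source: 199.169.208.244 [Outside]
dst: 66.94.196.101
proto: 17
sport: 500 dport: 500
state: ACTIVE type: FLOW
start time : Tue Jun 17 14:25:00 2014
total byte count(c2s) : 7012782
total byte count(s2c) : 0
layer7 packet count(c2s) : 23853
application : ike
address/port translation : source + destination
nat-rule : Fedline_DR(vsys1)
ingress interface : vlan.999
egress interface : ethernet1/3
"""

# Keys that belong to a per-direction flow block; any other key ends the block.
FLOW_KEYS = {"source", "dst", "proto", "sport", "dport", "state", "type",
             "src user", "dst user", "pbf rule"}


def parse_session(dump):
    """Split the dump into {'global': {...}, 'c2s': {...}, 's2c': {...}}."""
    sess = {"global": {}, "c2s": {}, "s2c": {}}
    section = "global"
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Session "):
            sess["global"]["id"] = int(line.split()[1])
            continue
        m = re.match(r"^(c2s|s2c) flow:$", line)
        if m:
            section = m.group(1)
            continue
        # Two key/value pairs share one line inside a flow block.
        m = re.match(r"^(sport|state):\s*(\S+)\s+(dport|type):\s*(\S+)$", line)
        if m:
            sess[section][m.group(1)] = m.group(2)
            sess[section][m.group(3)] = m.group(4)
            continue
        key, _, val = line.partition(":")   # first colon only, so timestamps keep theirs
        key, val = key.strip(), val.strip()
        if section != "global" and key not in FLOW_KEYS:
            section = "global"              # flow block ended, back to session-wide fields
        sess[section][key] = val
    return sess


def addr_zone(field):
    """'172.17.1.5 [DR-DMZ]' -> ('172.17.1.5', 'DR-DMZ'); the zone may be absent."""
    m = re.match(r"^(\S+)(?:\s+\[([^\]]+)\])?$", field)
    return m.group(1), m.group(2)


def diagnose(sess):
    """Derive the facts a VPN troubleshooter wants from the parsed session."""
    g, c2s, s2c = sess["global"], sess["c2s"], sess["s2c"]
    orig_src, _ = addr_zone(c2s["source"])
    nat_src, _ = addr_zone(s2c["dst"])      # s2c destination is the post-NAT client address
    c2s_bytes = int(g.get("total byte count(c2s)", "0"))
    s2c_bytes = int(g.get("total byte count(s2c)", "0"))
    return {
        "is_ike": g.get("application") == "ike"
                  or (c2s.get("proto") == "17" and c2s.get("dport") in ("500", "4500")),
        "source_natted": orig_src != nat_src,
        "orig_src": orig_src,
        "nat_src": nat_src,
        # Plain IKE (no NAT-T) needs UDP/500 preserved as the source port through NAT.
        "port_preserved": c2s.get("sport") == s2c.get("dport") == "500",
        "one_way": c2s_bytes > 0 and s2c_bytes == 0,
        "c2s_bytes": c2s_bytes,
        "s2c_bytes": s2c_bytes,
        "pbf_rule": c2s.get("pbf rule"),
        "egress": g.get("egress interface"),
    }


def report(sess):
    """Human-readable findings, one per line."""
    d = diagnose(sess)
    out = []
    if d["is_ike"] and d["one_way"]:
        out.append("IKE: %d bytes sent, 0 received: no reply from the peer matched this session"
                   % d["c2s_bytes"])
    if d["source_natted"]:
        out.append("source NAT %s -> %s: the peer must expect %s as the IKE peer address/ID, not %s"
                   % (d["orig_src"], d["nat_src"], d["nat_src"], d["orig_src"]))
    if not d["port_preserved"]:
        out.append("UDP source port rewritten: plain IKE on 500/500 will fail; NAT-T (UDP/4500) needed")
    if d["pbf_rule"]:
        out.append("PBF rule '%s' forced egress %s: confirm that next hop actually reaches the peer"
                   % (d["pbf_rule"], d["egress"]))
    return out


if __name__ == "__main__":
    for finding in report(parse_session(SESSION_DUMP)):
        print(finding)
```

Run against the posted session it reports 7012782 bytes out with nothing back, a source translation from 172.17.1.5 to 66.94.196.101 that the Fortinet side must be configured to expect, and PBF rule "Fedline 12" forcing ethernet1/3 as egress. The port check matters because without NAT-T a translated source port breaks IKE even when the address translation is correct.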
06-20-2014 08:46 AM
Hello Infotech,
It seems the IKE packet is getting NAT'd. So, the remote identity on the peer device should have the NAT'd IP, not the actual IP address, 172.17.1.5.
Could you please confirm this? Also, could you please give a brief description of the PBF rule?
Thanks
06-20-2014 08:55 AM
My PBF is this:
Source
Source zone is DR-DMZ
Source address is 172.17.1.5
Source user is any
Destination/Application/Service
Destination address is any
Application is any
Service is any
Forwarding
Action is forward
Egress interface is ethernet1/3
Next hop is 66.94.196.107
NAT policy rule
Original packet
Source zone is DR-DMZ, Outside
Destination zone is outside
Destination interface is any
Service is any
Source address is 172.17.1.5
Translated packet
Static IP, translated address 66.94.196.101
Bi-directional
06-20-2014 09:12 AM
Hello Infotech,
Would it be possible to do a small test:
- Set the PAN as VPN initiator.
- Create a new NAT policy (at the top of the policy table) to the interface IP (ethernet1/3) only from source 172.17.1.5.
- Initiate the VPN with the CLI command >test vpn ike-sa gateway GTW-NAME
- Then check the system logs for VPN.
Thanks
06-20-2014 09:19 AM
Sure I can give that a try and will let you know the result when I have completed this test
06-20-2014 09:25 AM
Where do you set the PA as initiator?
06-20-2014 09:32 AM
If you apply >test vpn ike-sa gateway GTW-NAME, it will be acting as an initiator. Just double-check that the "passive-mode" checkbox is not checked.
Thanks
06-20-2014 09:38 AM
Okay, since it is a Fortinet device that is supposed to create the VPN tunnel, I am not sure I have a gateway to do the test vpn ike-sa with.
06-20-2014 12:18 PM
OK. If the Fortinet FW is the VPN initiator, then look at the "system" and "ike-mgr" logs to ensure the PAN is receiving the IKE packets and responding back.
Thanks
06-24-2014 11:10 AM
I'd do a packet capture using the transmit stage. Also run a drop-stage capture, and check both resulting files.
06-24-2014 11:57 AM
I have done packet captures; it transmits and there are no drops. So does that mean it is reaching the internet?
07-01-2014 11:23 AM
How can I tell from the ike-mgr and system logs that the PAN is receiving IKE responses? My understanding is that the Fortinet behind the PAN is the initiator.
07-01-2014 12:15 PM
Hello Infotech,
System logs should show the received IKE messages with responder cookies as 00000000.
Thanks
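The same check can be made directly on packets from the transmit- or drop-stage captures mentioned earlier, rather than only from the system log. This is an added Python example, not code from the original thread or from Palo Alto Networks: it decodes the fixed ISAKMP header that IKEv1 and IKEv2 share, flags the all-zero responder cookie that marks the initiator's first message (the 00000000 value referred to above), and also handles the UDP/4500 NAT-T non-ESP marker, which goes slightly beyond the thread's IKEv1-on-UDP/500 case. The sample packets are constructed headers with no payloads; SPI values and function names are the example's own.

```python
import struct

# Fixed ISAKMP / IKEv2 header (RFC 2408, RFC 7296): 8-byte initiator SPI ("cookie"),
# 8-byte responder SPI, next payload, version, exchange type, flags, message ID, length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948: prefix on IKE packets sent over UDP/4500

EXCHANGES = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive Mode", 5: "IKEv1 Informational",
             32: "IKEv1 Quick Mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
             36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL"}
IKEV2_FLAG_INITIATOR = 0x08   # RFC 7296 flags octet: bit 3 = I(nitiator)
IKEV2_FLAG_RESPONSE = 0x20    # bit 5 = R(esponse)


def build_ike_header(i_spi, r_spi, exchange, version=0x10, flags=0, msg_id=0, nat_t=False):
    """Constructed test vector: a bare header with no payloads (next payload = 1, SA)."""
    hdr = ISAKMP_HDR.pack(i_spi, r_spi, 1, version, exchange, flags, msg_id, ISAKMP_HDR.size)
    return NON_ESP_MARKER + hdr if nat_t else hdr


def parse_ike(datagram, dport):
    """Decode the IKE header of a UDP payload captured on destination port 500 or 4500."""
    data = datagram
    nat_t = dport == 4500
    if nat_t:
        if data[:4] != NON_ESP_MARKER:
            return {"error": "UDP/4500 payload without non-ESP marker: ESP-in-UDP, not IKE"}
        data = data[4:]
    if len(data) < ISAKMP_HDR.size:
        return {"error": "truncated: %d bytes, header needs %d" % (len(data), ISAKMP_HDR.size)}
    i_spi, r_spi, _npl, ver, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    major = ver >> 4
    info = {
        "nat_t": nat_t,
        "version": "%d.%d" % (major, ver & 0x0F),
        "exchange": EXCHANGES.get(exch, "exchange type %d" % exch),
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "message_id": msg_id,
        "length_ok": length == len(data),
    }
    if major == 1:
        # IKEv1 has no direction bits: only an all-zero responder cookie, i.e. the very
        # first Main/Aggressive Mode message, identifies the sender as the initiator.
        info["role"] = ("initiator, first message (responder cookie zero)" if r_spi == bytes(8)
                        else "SA known to both sides; direction not in header")
    elif major == 2:
        info["role"] = ("response" if flags & IKEV2_FLAG_RESPONSE else "request") + " from " + \
                       ("initiator" if flags & IKEV2_FLAG_INITIATOR else "responder")
    else:
        info["role"] = "unknown IKE major version"
    return info


# Constructed samples: the first Main Mode message as an initiator sends it, the reply with
# the responder cookie filled in, an IKEv2 IKE_SA_INIT request over NAT-T, and an
# ESP-in-UDP packet on 4500 that is not IKE at all.
SAMPLES = {
    "mm1": (build_ike_header(b"\x5a" * 8, bytes(8), 2), 500),
    "mm2": (build_ike_header(b"\x5a" * 8, b"\xc3" * 8, 2), 500),
    "sa_init": (build_ike_header(b"\x5a" * 8, bytes(8), 34, version=0x20,
                                 flags=IKEV2_FLAG_INITIATOR, nat_t=True), 4500),
    "esp_in_udp": (b"\x00\x00\x00\x01" + bytes(24), 4500),
}

if __name__ == "__main__":
    for name, (pkt, port) in SAMPLES.items():
        print(name, parse_ike(pkt, port))
```

In a capture taken on the PAN's outside interface, packets on UDP/500 whose responder cookie decodes as all zeros are the Fortinet's (NAT'd) opening messages; a packet from 199.169.208.244 with both cookies set would be the reply the session above never saw. Note that for IKEv1 the header alone cannot say which peer sent a message once both cookies are set, so pair the decode with the IP addresses.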
07-01-2014 12:19 PM
So do I look under monitor->system and then filter by ike?
07-01-2014 12:24 PM
Yes, you are correct. (You may also check ike-mgr logs for more detail info.)
Thanks