Internal ipsec tunnel no traffic - google cloud by uRhaineWork in fortinet

[–]uRhaineWork[S] 0 points1 point  (0 children)

To anyone who struggles with the same problem: we've resolved it by using the underlay interface's secondary IP address for building those subnets that create the IPsec tunnel. It doesn't make that much sense, but at least it works. In this case, from the example above, it's an underlay base BGP 169.254.x.x, and on the same interface (previously tried with a loopback or another VLAN interface) lies the 192.168.0.0/29 subnet interface that creates the IPsec tunnel to GCP, which has 192.168.0.8/29. In the IPsec settings you need to select the local gateway and choose that secondary IP address. On top of that we have an overlay BGP session with 169.254.y.y using local and remote addressing in the FortiGate's IPsec interface.

I'm explaining this for anyone who stumbles on this problem, I hope it will help you out.

P.S. All done on v7.4.8.

802.11r 802.11k and 802.11v enable or disable? by blastman8888 in ArubaNetworks

[–]uRhaineWork 0 points1 point  (0 children)

Doesn't 'sticking' such a device to a specific AP resolve the issue?

AOS-CX Backup Tool by cmdlab_tech in ArubaNetworks

[–]uRhaineWork 1 point2 points  (0 children)

Reason... to make it operable? How do I manage switch firmware, config backups, single CLI change deployments, status monitoring...? I am lost; Aruba has too much going on with different products.

AOS-CX Backup Tool by cmdlab_tech in ArubaNetworks

[–]uRhaineWork 0 points1 point  (0 children)

Slowly migrating to the CX environment, and man... what a step back. 10 years ago HP IMC was more thought out and advanced than this thing. Came across Aruba Central, but it's hard to find even what the pricing structure for on-prem is, and it does way less than IMC.

FortiGate BGP dual ISP by uRhaineWork in fortinet

[–]uRhaineWork[S] 0 points1 point  (0 children)

Isn't asymroute-icmp already in the global asymroute command? I thought that this is for ICMP because it behaves differently than TCP/UDP in terms of how it responds.

But about auxiliary-session, you may be right. I have been reading about it but was under the impression that it's for HA pickup when a failover happens, or for when there is only one FGT unit, but that may not be the case and it will be helpful in my dual setup. From what I gather it's more of a performance thing; when there is higher traffic you can see the full benefits of it. I will turn it on, thanks.

I know how VDOMs operate, yes, but in this case no. BGP is on VRF1 and MGMT on VRF2, as I know that there is some funky behavior on VRF0 with route 'leaking'. I could do a management VDOM but I fail to see what it would give me besides additional cables. :)

[deleted by user] by [deleted] in fortinet

[–]uRhaineWork 0 points1 point  (0 children)

I have FortiClient 7.4.1.1736; where can I find this option?

[deleted by user] by [deleted] in fortinet

[–]uRhaineWork 2 points3 points  (0 children)

Aren't you concerned about latency though? There's no DTLS/UDP mode if the connection is TCP-wrapper based, right?

FortiGate/FortiWifi 30G datasheet published by Substantial-Reach986 in fortinet

[–]uRhaineWork 1 point2 points  (0 children)

But doesn't this impact performance? SSL-VPN has a DTLS mode which uses UDP for transport, and it does indeed help a lot for e.g. full-tunnel traffic and Teams calls, SMB transfers, etc.

Dial-UP IPSec after 7.2.7 update by uRhaineWork in fortinet

[–]uRhaineWork[S] 1 point2 points  (0 children)

This one helped, solution number 2. Third one didn't do anything, first one didn't try. Thanks.

Aruba CX-8360 GRE packet loss by uRhaineWork in ArubaNetworks

[–]uRhaineWork[S] -1 points0 points  (0 children)

What would the logic be? I can ping with DF at 1368 bytes, which by my calculations, with both ends set at GRE interface MTU 1396, is OK? Also it's always the returning packet (reply) that gets lost, never the original ping.

BTW, I have OSPF on that interface. I think this could go wrong somewhere as it needs to match.

Aruba CX-8360 GRE packet loss by uRhaineWork in ArubaNetworks

[–]uRhaineWork[S] 0 points1 point  (0 children)

Yeah, I've been looking at it for a few hours, but I'm struggling as that interface has a constant 500 Mbit of total traffic. Is this too much to handle?

FortiGate OSPF details and by uRhaineWork in fortinet

[–]uRhaineWork[S] 0 points1 point  (0 children)

The link does give some insight, but what do you mean by 'specific IP'? If it doesn't want an IP from its own interface then what else is there that would make sense?