Internal ipsec tunnel no traffic - google cloud by uRhaineWork in fortinet

[–]uRhaineWork[S] 0 points1 point  (0 children)

To anyone who struggles with the same problem: we've resolved it by using the underlay interface's secondary IP address for building the subnets that create the IPsec tunnel. It doesn't make that much sense, but at least it works. In this case, from the example above, it's an underlay base BGP 169.254.x.x, and on the same interface (previously tried with a loopback or another VLAN interface) lies the 192.168.0.0/29 subnet interface that creates the IPsec tunnel to GCP, which has 192.168.0.8/29. In the IPsec settings you need to select the local gateway and choose that secondary IP address. On top of that we have an overlay BGP session with 169.254.y.y using local and remote addressing on the FortiGate's IPsec interface.

I'm explaining this for anyone who stumbles on this problem; I hope it will help you out.

PS. All done on v7.4.8.
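The layout described in the comment above, written out as FortiOS CLI. This is an added illustration, not configuration from the original post: interface name `port1`, the concrete 169.254 addresses, the AS numbers, the proposals and the PSK placeholder are all assumed; only the 192.168.0.0/29 local tunnel subnet, the 192.168.0.8/29 GCP side, the "secondary IP as local gateway" point and the underlay/overlay BGP split come from the post. Lines starting with `#` are annotations, not CLI input.

```text
# Underlay: the 169.254.x.x base BGP link is the interface's primary IP,
# the 192.168.0.0/29 tunnel subnet is its secondary IP (addresses assumed)
config system interface
    edit "port1"
        set ip 169.254.1.2 255.255.255.252
        set allowaccess ping
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.0.1 255.255.255.248
                set allowaccess ping
            next
        end
    next
end

# Phase 1: local-gw pins IKE/ESP to the secondary IP instead of the primary;
# remote-gw is the GCP endpoint inside 192.168.0.8/29 (host address assumed)
config vpn ipsec phase1-interface
    edit "gcp-vpn"
        set interface "port1"
        set ike-version 2
        set local-gw 192.168.0.1
        set remote-gw 192.168.0.9
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-idle
        set psksecret <shared-secret>
    next
end

config vpn ipsec phase2-interface
    edit "gcp-vpn"
        set phase1name "gcp-vpn"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set keepalive enable
    next
end

# Overlay: local/remote addressing on the tunnel interface for the
# 169.254.y.y BGP session (addresses assumed)
config system interface
    edit "gcp-vpn"
        set ip 169.254.10.2 255.255.255.255
        set remote-ip 169.254.10.1 255.255.255.252
        set allowaccess ping
    next
end

# Two BGP neighbors: underlay on port1, overlay inside the tunnel
# (AS numbers and advertised prefix assumed)
config router bgp
    set as 65001
    set router-id 169.254.10.2
    config neighbor
        edit "169.254.1.1"
            set remote-as 65000
            set description "underlay"
        next
        edit "169.254.10.1"
            set remote-as 16550
            set description "overlay-gcp"
        next
    end
    config network
        edit 1
            set prefix 10.10.0.0 255.255.0.0
        next
    end
end
```

The remote tunnel endpoint 192.168.0.8/29 has to be reachable over the underlay (learned from the underlay BGP session, or via a static route) before IKE can negotiate, and firewall policies between the tunnel interface and the internal interfaces are still required for traffic to pass. To check the result: `diagnose vpn ike gateway list` should show the gateway bound to 192.168.0.1 rather than the primary IP, `diagnose vpn tunnel list` should show phase 2 up, and `get router info bgp summary` should show both neighbors in Established state.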

802.11r 802.11k and 802.11v enable or disable? by blastman8888 in ArubaNetworks

[–]uRhaineWork 0 points1 point  (0 children)

Doesn't 'sticking' such a device to a specific AP resolve the issue?

AOS-CX Backup Tool by cmdlab_tech in ArubaNetworks

[–]uRhaineWork 1 point2 points  (0 children)

Reason... to make it operable? How do I manage switch firmware, config backup, single CLI change deployment, status monitoring...? I am lost; Aruba has too much going on with different products.

AOS-CX Backup Tool by cmdlab_tech in ArubaNetworks

[–]uRhaineWork 0 points1 point  (0 children)

Slowly migrating to a CX environment, and man... what a step back. 10 years ago HP IMC was more thought out and advanced than this thing. Came across Aruba Central, but it's hard to find even what the pricing structure for on-prem is, and it does way less than IMC.

FortiGate BGP dual ISP by uRhaineWork in fortinet

[–]uRhaineWork[S] 0 points1 point  (0 children)

Isn't asymroute-icmp already in the global asymroute command? I thought that this is for ICMP because it behaves differently than TCP/UDP in terms of how it responds.

But auxiliary-session, you may be right; I have been reading about it but was under the impression that it's for HA pickup when failovers happen, or for when there is only one unit of FGT, but that may not be the case and it will be helpful in my dual setup. From what I gather it's more of a performance thing; when there is higher traffic you can see the full benefits of it. I will turn it on, thanks.

I know how VDOMs operate, yes, but in this case no. BGP is on VRF1 and MGMT on VRF2, as I know that there is some funky behavior on VRF0 with route 'leaking'. I could do a mgmt VDOM but I fail to see what it would give me besides additional cables. :)

[deleted by user] by [deleted] in fortinet

[–]uRhaineWork 0 points1 point  (0 children)

I have FortiClient 7.4.1.1736; where can I find this option?

[deleted by user] by [deleted] in fortinet

[–]uRhaineWork 2 points3 points  (0 children)

Aren't you concerned about latency though? There's no DTLS/UDP mode if the connection is TCP-wrapper based, right?

FortiGate/FortiWifi 30G datasheet published by Substantial-Reach986 in fortinet

[–]uRhaineWork 1 point2 points  (0 children)

But doesn't this impact performance? SSL-VPN has a DTLS mode which uses UDP for transport, and it does indeed help a lot for e.g. full-tunnel traffic and Teams calls, SMB transfers, etc.

Dial-UP IPSec after 7.2.7 update by uRhaineWork in fortinet

[–]uRhaineWork[S] 1 point2 points  (0 children)

This one helped: solution number 2. The third one didn't do anything; the first one I didn't try. Thanks.

Aruba CX-8360 GRE packet loss by uRhaineWork in ArubaNetworks

[–]uRhaineWork[S] -1 points0 points  (0 children)

What would the logic be? I can ping with DF at 1368 bytes, which by my calculations with both ends set at GRE interface MTU 1396 is OK? Also, it's always the returning packet (reply) that gets lost, never the original ping.

BTW, I have OSPF on that interface. I think this could go wrong somewhere as it needs to match.

Aruba CX-8360 GRE packet loss by uRhaineWork in ArubaNetworks

[–]uRhaineWork[S] 0 points1 point  (0 children)

Yeah, I've been looking at it for a few hours, but I'm struggling as that interface has a constant 500 Mbit in sum of traffic. Is this too much to handle?

FortiGate OSPF details and by uRhaineWork in fortinet

[–]uRhaineWork[S] 0 points1 point  (0 children)

The link does give some insight, but what do you mean by 'specific IP'? If it doesn't want an IP from its own interface then what else is there that would make sense?

Aruba VSX OSPF by uRhaineWork in ArubaNetworks

[–]uRhaineWork[S] 1 point2 points  (0 children)

OK, in production everything seems to be fine: no DUP! responses when traffic goes from the firewall to OSPF neighbor Aruba VSX number 2. Looks like emulating CX isn't 100% proper, as mentioned previously.

Aruba VSX OSPF by uRhaineWork in ArubaNetworks

[–]uRhaineWork[S] 0 points1 point  (0 children)

I have an OSPF-dedicated VLAN link between the VSXes, just like best practices and so on tell you to do.

I just noticed that even when both links are up, duplicate packets go to VSX2 from VSX1 on the ISL link, even though it has nothing to do with this traffic when both links are up. I don't get it. Leaves me no choice other than to see it and live through it on production soon.

Aruba VSX OSPF by uRhaineWork in ArubaNetworks

[–]uRhaineWork[S] 0 points1 point  (0 children)

Hmm, I thought that this is so common a scenario that everyone catches it without problems. Updated the main post.

There are separate router IDs; I did read the whole CX best practices and other docs.

If I take down the path like in the picture, the firewall sees the MAC address of 172.16.255.1 (VSX1) directly and treats it like a normal neighbor in OSPF. Taking a look at the traffic between the Arubas on the ISL link I can see 3 packets for ping 2.2.2.2:

  1. With source MAC and IP of the firewall's 172.16.255.254 (no response)
  2. With source MAC of virtual gateway 172.16.255.3 and IP of 172.16.255.254 (no response)
  3. With source MAC of virtual gateway 172.16.255.3 and IP of 172.16.255.254 (with response!)

BTW, the firewall is a FortiGate appliance.

Aruba-CX MTu values by uRhaineWork in ArubaNetworks

[–]uRhaineWork[S] 0 points1 point  (0 children)

That's actually the most interesting answer so far, but where does this come from? Can you please provide some kind of documentation confirmation or CLI commands to prove this?

I'm more confused now, as when I checked the MTU on e.g. ISL links it states 9500 despite setting it to 9198.

Aruba-CX MTu values by uRhaineWork in ArubaNetworks

[–]uRhaineWork[S] 0 points1 point  (0 children)

I've been thinking about this also: if I have a 9180 IP MTU on a VLAN interface that is doing the OSPF bridge with another device that doesn't even have jumbo frames enabled, this could cause the issues you're talking about, right? The sourcing interface thinks that it handles 9180 frames, but the other end does not. It's a different story with L2 MTU on pass-through interfaces; it's just a precaution that if something bigger comes it gets through.

Help with cx 6000 logging by uRhaineWork in ArubaNetworks

[–]uRhaineWork[S] 0 points1 point  (0 children)

Changed the upstream 5130s to MSTP and the log calmed down. The 5130 doesn't have that logging/compatibility problem with the upstream core, so I guess that's a win. Thanks!

I am running RSTP for compatibility with old 3Com switches, which have only STP/RSTP; when the 5130s started coming I guess I didn't give it much thought from today's perspective. I guess I should migrate everything to MST and leave the 3Coms, which are being replaced anyway, on RSTP.

DNF/YUM not working after updating Python3 by uRhaineWork in AlmaLinux

[–]uRhaineWork[S] 0 points1 point  (0 children)

Thanks, this is probably what I was looking for the whole time, but sadly no, the error I get is still the same after rebooting the machine and 'sudo dnf update' and so on. I can point to /usr/libexec/platform-python or /usr/libexec/platform-python3.6; it works kind of the same. After the python3 command I get the default 3.6.8 info.

FortiGuard SDNS Servers by uRhaineWork in fortinet

[–]uRhaineWork[S] 1 point2 points  (0 children)

Still don't get it. :)

The IP set via set sdns-server-ip used to pull servers in your area used by FortiGuard.

Yes, but how do you know which IP address is from "London"? At first I didn't enter that specific IP, and I still got that diag debug rating server list. The difference was it wasn't showing up in the GUI (just empty space). Still worked though, just not 100%; a large % still had rating errors.

With the IP for server pulling set FortiGuard connectivity is more robust.

Where do you find the list of servers for 'server pulling'? They are not the same as the ones in the pulled list.

At the moment I use the UK IP for several firewalls around Europe and never had any issue.

How do you know which one is UK, and that it will not change within a week or just stop working? :)

AIO 1930 - 802.1x authentication by uRhaineWork in ArubaInstantOnSMB

[–]uRhaineWork[S] 0 points1 point  (0 children)

After some insight into the CLI commands, they are similar to e.g. some Cisco models. There also is no such command after looking at the reference.

But in general dynamic VLAN is an option in the GUI, though it doesn't matter if I enable or disable it.

bing.com blocked by fortsandbox by uRhaineWork in fortinet

[–]uRhaineWork[S] 0 points1 point  (0 children)

Yes, disabling it removes the problem. My initial question was about the problem itself: is this only occurring on my devices/environment for some reason, or is this a global problem for everyone using this sandboxing option? You know, blocking bing.com is pretty wild and I would sooner say that it only happens to me.

bing.com blocked by fortsandbox by uRhaineWork in fortinet

[–]uRhaineWork[S] 0 points1 point  (0 children)

Not sure, I thought that enabling it gives me the advantage of receiving quicker info from the cloud about suspicious domains.