
FortiGate VM IPSec Tunnel Up but No Traffic

0

I am brand new to AWS and still trying to fumble my way around... we have a FortiGate VM appliance in AWS handling IPSec tunnels for our offices to connect to servers in AWS. Every office is working great except for one. IPsec tunnel is set up correctly and both phase 1/2 are showing up but no traffic can pass. The FortiGate VM can ping the address of the on-premise FortiGate firewall but nothing else; the on-premise firewall can't reach anything in AWS. I've compared this tunnel to an office that is functioning correctly and it's identical (obviously bar the local subnets). I've also verified that there is a static route in the VPN for the VM's subnet to communicate with that remote subnet, and that it is added to the ACL and security group. There's just something about this specific subnet it doesn't like and I'm not familiar enough to figure it out. Any suggestions? Thanks!

1 Answer
0

It sounds like you're experiencing a common issue with AWS Site-to-Site VPN connections where the IPSec tunnel is established but traffic isn't flowing. Here are some steps you can take to troubleshoot this issue:

  1. Verify routing configuration: Ensure that the route tables in your VPC are correctly configured to route traffic destined for the on-premises network through the FortiGate VM VPN connection, and that the FortiGate VM has the necessary policies to send the traffic to instances behind the VM. Also, check that the on-premises device has the correct static routes for the AWS VPC CIDR pointing to the VPN virtual tunnel interface.

  2. Check security groups and network ACLs: While you mentioned verifying the ACL and security group, double-check that they allow the necessary inbound and outbound traffic for the specific protocols and ports your applications need.

  3. Verify VPN connection configuration: Make sure that the VPN connection includes a static route for the on-premises network in your FortiGate VM. Also, confirm that the security associations and traffic selectors match on both the FortiGate VM and the on-premises device.

  4. Check FortiGate configuration: Review the IPsec debug logs on the FortiGate VM for any errors related to the connection failure. Ensure that the Phase 2 parameters on the on-premises FortiGate device match the VPN tunnel settings in the FortiGate VM.

If after checking these items you're still unable to resolve the issue, you may need to engage AWS support or a networking specialist along with FortiGate Support team to help identify any subtle misconfigurations or compatibility issues.

Sources
Troubleshoot VPN routing issues | AWS re:Post
Troubleshoot IPsec/Phase2 failure | AWS re:Post

answered a year ago
AWS
SUPPORT ENGINEER
revised a year ago
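The answer above is a checklist; the script below turns it into an offline consistency check you can run against a transcription of both FortiGates' configs and the VPC route table before opening a support case. It is an added example, not code from the answer or from Fortinet/AWS, and every device name, prefix, interface and ENI id in it is constructed. It models the items the answer lists (phase 2 selectors on both peers, each FortiGate's static route for the far subnet, the FortiGate VM's firewall policies, and the VPC route table entry for the office subnet) and reports which one is missing for a given office. The sample data reproduces the question's symptom: office B negotiates phase 1 and 2 identically to office A, but nothing was ever added to the VPC route table for its subnet.

```python
"""Offline check for a FortiGate site-to-site tunnel that is up but passes no traffic.

Added example; all names, prefixes and interfaces below are constructed, not taken
from any real deployment.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Phase2:
    """One IPsec phase 2 selector as configured on a FortiGate: name, local CIDR, remote CIDR."""
    name: str
    local: str
    remote: str


@dataclass
class FortiGate:
    name: str
    phase2: list                                  # list[Phase2]
    static_routes: dict                           # destination CIDR -> outgoing interface
    policies: list = field(default_factory=list)  # (srcintf, dstintf, src CIDR, dst CIDR)


def covers(cidr, subnet):
    """True if `subnet` lies entirely inside `cidr`."""
    return ipaddress.ip_network(subnet).subnet_of(ipaddress.ip_network(cidr))


def route_for(routes, subnet):
    """Longest-prefix match of `subnet` against {CIDR: target}; returns the target or None."""
    net, best = ipaddress.ip_network(subnet), None
    for cidr, target in routes.items():
        cand = ipaddress.ip_network(cidr)
        if net.subnet_of(cand) and (best is None or cand.prefixlen > best[0].prefixlen):
            best = (cand, target)
    return best[1] if best else None


def has_policy(fgt, srcintf, dstintf, src, dst):
    """True if some firewall policy on `fgt` permits src -> dst between the two interfaces."""
    return any(si == srcintf and di == dstintf and covers(s, src) and covers(d, dst)
               for si, di, s, d in fgt.policies)


def check_office(aws_fgt, onprem_fgt, vpc_routes, fgt_eni, lan_iface, aws_subnet, office_subnet):
    """Return findings explaining why office_subnet <-> aws_subnet cannot pass traffic.

    An empty list means every item on the checklist is consistent for this office.
    """
    findings = []

    # Phase 2 on the AWS FortiGate must cover aws_subnet (local) <-> office_subnet (remote),
    # and the on-premises FortiGate must carry the mirror image of that selector.
    aws_sel = [p for p in aws_fgt.phase2 if covers(p.local, aws_subnet) and covers(p.remote, office_subnet)]
    op_sel = [p for p in onprem_fgt.phase2 if covers(p.local, office_subnet) and covers(p.remote, aws_subnet)]
    if not aws_sel:
        findings.append(f"{aws_fgt.name}: no phase 2 selector covers {aws_subnet} <-> {office_subnet}")
    if not op_sel:
        findings.append(f"{onprem_fgt.name}: no phase 2 selector covers {office_subnet} <-> {aws_subnet}")
    # A selector that is wider on one side than the other gives an SA that covers less
    # than the traffic being sent into it, a classic 'tunnel up, no traffic' cause.
    if aws_sel and op_sel and not any(a.local == o.remote and a.remote == o.local
                                      for a in aws_sel for o in op_sel):
        findings.append("phase 2 selectors are not exact mirrors between the two FortiGates")

    # Each FortiGate needs a static route for the far subnet via its tunnel interface.
    tunnel = route_for(aws_fgt.static_routes, office_subnet)
    if tunnel is None:
        findings.append(f"{aws_fgt.name}: no static route for {office_subnet}")
    if route_for(onprem_fgt.static_routes, aws_subnet) is None:
        findings.append(f"{onprem_fgt.name}: no static route for {aws_subnet}")

    # The FortiGate VM needs policies in both directions between the tunnel and the LAN port.
    if tunnel is not None:
        if not has_policy(aws_fgt, tunnel, lan_iface, office_subnet, aws_subnet):
            findings.append(f"{aws_fgt.name}: no policy {tunnel} -> {lan_iface} for {office_subnet} -> {aws_subnet}")
        if not has_policy(aws_fgt, lan_iface, tunnel, aws_subnet, office_subnet):
            findings.append(f"{aws_fgt.name}: no policy {lan_iface} -> {tunnel} for {aws_subnet} -> {office_subnet}")

    # The VPC route table of the AWS subnet must send office_subnet to the FortiGate's ENI.
    target = route_for(vpc_routes, office_subnet)
    if target != fgt_eni:
        findings.append(f"VPC route table sends {office_subnet} to {target!r}, expected {fgt_eni}")
    return findings


# Constructed sample: office A works, office B shows the symptom from the question.
AWS_FGT = FortiGate(
    "fgt-aws",
    [Phase2("office-a-p2", "10.0.0.0/16", "192.168.10.0/24"),
     Phase2("office-b-p2", "10.0.0.0/16", "192.168.20.0/24")],
    {"192.168.10.0/24": "office-a", "192.168.20.0/24": "office-b"},
    [("office-a", "port1", "192.168.10.0/24", "10.0.0.0/16"),
     ("port1", "office-a", "10.0.0.0/16", "192.168.10.0/24"),
     ("office-b", "port1", "192.168.20.0/24", "10.0.0.0/16"),
     ("port1", "office-b", "10.0.0.0/16", "192.168.20.0/24")],
)
OFFICE_A = FortiGate("fgt-office-a", [Phase2("aws-p2", "192.168.10.0/24", "10.0.0.0/16")], {"10.0.0.0/16": "aws"})
OFFICE_B = FortiGate("fgt-office-b", [Phase2("aws-p2", "192.168.20.0/24", "10.0.0.0/16")], {"10.0.0.0/16": "aws"})
# Office B's prefix was never added to the VPC route table, although its tunnel negotiates fine.
VPC_ROUTES = {"10.0.0.0/16": "local", "192.168.10.0/24": "eni-fgt"}


def office_a_findings():
    return check_office(AWS_FGT, OFFICE_A, VPC_ROUTES, "eni-fgt", "port1", "10.0.0.0/16", "192.168.10.0/24")


def office_b_findings():
    return check_office(AWS_FGT, OFFICE_B, VPC_ROUTES, "eni-fgt", "port1", "10.0.0.0/16", "192.168.20.0/24")


if __name__ == "__main__":
    for office, fn in (("office A", office_a_findings), ("office B", office_b_findings)):
        print(office, "OK" if not fn() else fn())
```

Fill the three structures from `show vpn ipsec phase2-interface`, `show router static` and `show firewall policy` on each FortiGate and from the VPC route table associated with the AWS subnet; the longest-prefix match in `route_for` matters because a broad aggregate route on one side can silently take precedence over the office prefix you expect to see.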
