As expected it happened again. echo: ipsec,debug,packet received a valid R-U-THERE, ACK sent. procedure. Why it's working is still a mystery, but to further illustrate what we did I post another image inline. fail, drop". Both ping and traceroute require particular ports to be open on firewalls to function. Let's go over your setup since your  presented mainly items and maybe  confusion in all of it ;). For this, some filters may be used to reduce the output; see the following example: The analysis of the output of this command  is further detailed in the related article below  (, FortiGate Firewall session list information. You would think that dup Ips on routers would give a consistent error, but it doesn't. fail, drop", Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate with sniffer, debug flow, session list, routing table, Last Modified Date: 09-26-2019 Document ID: FD30038, [ PC1 ] ===   port1 [ FortiGate ] port2 ==== [ PC2], Step 1: Routing table check (in NAT mode). - Is the traffic exiting the FortiGate to the destination? Connect to the CLI either through telnet or through the CLI widget on the web-based manager dashboard. This causes the router to create a single SA with the remote peer. Ping and traceroute can also tell you if your computer or network device has access to a domain name server (DNS). Is there a way to save a X = 0 Stonecoil Serpent? The traceroute command varies slightly between operating systems. Our Mikrotik was using the 'require' level for the policies (the default, and seen in your screenshot). What spectral type of star has an absolute magnitude of exactly 0? Please refer to the related article given 1. We had a slightly similar problem with a VPN between a Mikrotik and a Sonicwall. Also, your output lists different domain names and IP addresses along your route. However the situation is greatly compounded that 5 other sites are working and that the client's firewall is under change control. When these errors are shown in the unbound log, my network (which is only pointing to pfsense's IP as DNS) cannot longer resolve google.com (although it can resolve other domain names). I know that you have checked this (just like I did when I had a similar, but completely different intermittent problem), but make sure that you don't have a duplicate IP address that router A is sharing. To clear all sessions corresponding to a filter: Troubleshooting Tool: Using the FortiOS built-in packet sniffer, Troubleshooting Tip: FortiGate session table information, Troubleshooting Tip : How to use the FortiGate sniffer and debug flow in presence of NP2 ports, Technical Note: Configuration best practice and troubleshooting tips for a FortiGate in Transparent mode, Technical Note: Details about FortiOS RPF (Reverse Path Forwarding), also called Anti-Spoofing, Troubleshooting Tip : debug flow messages "iprope_in_check() check failed, drop" - "Denied by forward policy check" - "reverse path check fail, drop", Troubleshooting Tip : Message msg="HWaddr-xx:xx:xx:xx:xx:xx is in black list, drop" in a "diagnose debug flow" output. site design / logo © 2020 Stack Exchange Inc; user contributions licensed under cc by-sa. Disable Router A, the router that does not want to receive packets from Fortigate any more. Mikrotik IPSec Tunnels not working after RouterOS upgrade, pfSense/strongSwan “deleting half open IKE_SA after timeout” - IPSec connection Android 4.4 to pfSense 2.2.1 fails, How to configure Fortigate 60D as L2PT/IPSEC client, Site to Site Ipsec VPN - Tunnel is Up but can't get to route packages from left to right. What is the term for the left hand part on piano and how do people create it? Both tools can use IP addresses or device domain names to determine why particular services, such as email or web browsing, may not work properly. I've also changhed ping-options as you suggested but nothing changed: I can telnet to the device from one of the LAN' client but telnet still doesnìt work from FGT. To stop all other debug, type "diag debug flow trace stop". Troubleshooting Tip : First steps to troubleshoot connectivity problems to or through a FortiGate with sniffer, debug flow, session list, routing table. - Is the ARP resolution correct for the targeted next-hop? S*      0.0.0.0/0 [10/0] via 192.168.183.254, port1                  [10/0] via 10.160.0.1, port2C       10.160.0.0/23 is directly connected, port2S       192.168.0.0/16 [10/0] via 192.168.183.254, port1C       192.168.182.0/23 is directly connected, port1, date=2009-01-26 time=05:44:07 devname=FGT60B3907500059 device_id=FGT60B3907500059 log_id=0100020001 type=event subtype=system pri=critical vd=root interface="internal" ip=10.160.0.78 status=down msg="Ping peer: 10.160.0.2 is down". Total Posts : 5782; Scores: 379; Reward points: 0; Joined: 2008/03/20 13:30:33; Location: AUSTIN TX AREA; Status: offline; Re: Unable to telnet/ping from Fortigate 2018/06/25 08:48:28 0 Again use the cmd cli "get router infor routing all" inspect the route table. How do you make a button that performs a specific command? To verify the routing table, use the CLI command "get router info routing-table all" as per the example below : Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area, S*      0.0.0.0/0 [10/0] via 192.168.183.254, port1, [0/50], C       10.0.0.0/24 is directly connected, VLAN_on_port1, C       10.160.0.0/23 is directly connected, port2, C       12.0.0.0/24 is directly connected, port1, C       172.16.78.0/24 is directly connected, VLAN_on_port3, C       192.168.182.0/23 is directly connected, port1, 2.1 - Verify that all appropriate services are opened on the interface that is being access (telnet, http...), set allowaccess ping https ssh http telnet, 2.2 - If the interface is accessed via another port of the FortiGate, a firewall policy must exist to allow this traffic. To perform a traceroute from the FortiGate. The second, third, and fourth columns display how much time each of the three packets takes to reach this stage of the route. Tracing route to fortinet.com [208.70.202.225], 1 <1 ms <1 ms <1 ms 172.20.120.2, 2 66 ms 24 ms 31 ms 209-87-254-xxx.storm.ca [209.87.254.221], 3 52 ms 22 ms 18 ms core-2-g0-0-1104.storm.ca [209.87.239.129], 4 43 ms 36 ms 27 ms core-3-g0-0-1185.storm.ca [209.87.239.222], 5 46 ms 21 ms 16 ms te3-x.1156.mpd01.cogentco.com [38.104.158.69], 6 25 ms 45 ms 53 ms te8-7.mpd01.cogentco.com [154.54.27.249], 7 89 ms 70 ms 36 ms te3-x.mpd01.cogentco.com [154.54.6.206], 8 55 ms 77 ms 58 ms sl-st30-chi-.sprintlink.net [144.232.9.69], 9 53 ms 58 ms 46 ms sl-0-3-3-x.sprintlink.net [144.232.19.181], 10 82 ms 90 ms 75 ms sl-x-12-0-1.sprintlink.net [144.232.20.61], 11 122 ms 123 ms 132 ms sl-0-x-0-3.sprintlink.net [144.232.18.150], 12 129 ms 119 ms 139 ms 144.232.20.7, 13 172 ms 164 ms 243 ms sl-321313-0.sprintlink.net [144.223.243.58], 14 99 ms 94 ms 93 ms 203.78.181.18, 15 108 ms 102 ms 89 ms 203.78.176.2, 16 98 ms 95 ms 97 ms 208.70.202.225. I've received various suggesions from IPsec experts and MikroTik themselves implying that the problem is at the remote side. The constant aggressive attempts at trying to re-establish the connection "holds" on to old SPI values. echo: ipsec,debug,packet sendto Information notify. It just happens randomly and from what I can tell only when endpoint A is Fortigate and endpoint B is MikroTik. How do I troubleshoot an IPsec tunnel (from a cellular router to a public server)? I may only change the client side: Make sure the IPSec responder has both passive=yes and Step 4: Debug flow. Thanks for contributing an answer to Server Fault! It sends three packets, and then increases the time to live (TTL) setting by one each time. By default, FortiGate units have ping enabled while broadcast-forward is disabled on the external interface. I speculate it's a timing problem whereby side A or side B tries to send information too aggressively making the negotiation of the information (e.g.