Full Access Fortinet FCSS_NST_SE-7.6 Tutorials

FortiGate HA Troubleshooting and Synchronization Guides

Fortinet Admin Guide: HA Primary Role Retention, Cluster Break-up Due to Out-of-Sync Status

To determine the path the traffic will take, we must look at the FortiGate Route Lookup Precedence (Packet Processing Flow) and the specific configurations shown in the exhibit

Analyze the Routing Precedence:

In FortiOS, when a packet arrives (and is not part of an existing session), the FortiGate performs route lookups in a specific order:

Policy Routes: Configured under config router policy (or diagnose firewall proute list). These are checked first. If a packet matches the criteria (Source, Destination, Protocol, Incoming Interface), the Policy Route is used immediately, bypassing the standard routing table.

FIB (Forwarding Information Base): If no Policy Route matches, the device looks at the standard routing table (Static, Connected, Dynamic).

Analyze the Exhibit:

Policy Route Section: The output of diagnose firewall proute list shows an active policy route (id=1).

Destination: 100.65.0.0/255.255.255.0 (Matches the network in the question).

Action: It directs traffic to gateway 10.0.4.253 via oif=6(port4).

Routing Table Section: The output of get router info routing-table database shows multiple routes for 100.65.0.0/24 (Static, OSPF, BGP) all with distance 10. The Static route (S) is currently selected (*>) in the FIB.

Conclusion:

Because Policy Routes take precedence over the standard routing table (FIB), the FortiGate will forward the traffic using the instructions in Policy Route ID 1. It will not use the Static, BGP, or OSPF routes visible in the routing table for any traffic that matches the policy route's criteria (ingress port 3).

The output on FGT-01 confirms that the device is actively encapsulating traffic and sending it as ESP packets (Protocol 50) out of port1 towards the IP address 97.86.16.52. The logs show outgoing packets, which confirms FGT-01 is attempting to initiate or maintain the tunnel and that NAT-Traversal is not being used (as it uses raw ESP).

The output on FGT-02, however, displays (no packets captured). This is significant because the sniffer command diagnose sniffer packet any 'esp' captures traffic at the network interface level (ingress), regardless of whether a matching VPN configuration exists on the receiving unit. The absence of packets proves that the ESP traffic generated by FGT-01 is physically not arriving at FGT-02's interface.

This behavior is explained by two primary factors:

Option A (Blocking): An intermediate device, such as an ISP router or firewall, is dropping Protocol 50 traffic. Unlike UDP 500/4500, raw ESP is often blocked by default on many networks or legacy devices.

Option C (Routing/Misconfiguration): If the administrator configured the wrong remote peer IP on FGT-01, the packets are being routed to a different destination entirely. Consequently, they never arrive at FGT-02 to be captured.

Option B is incorrect because even without a configured VPN tunnel, the sniffer would still display the incoming ESP packets if they were reaching the interface. Option D is incorrect because FGT-01 is sending ESP, making 'esp' the correct filter.