This article explains why ‘rcvdpckt=0’ is visible in the FortiGate traffic logs and why FortiSASE logs an accept-session timeout for traffic sent over a Secure Private Access (SPA) tunnel.
Scope
FortiSASE.
Solution
When a device connected to FortiSASE pings a destination reachable over a SPA tunnel, the traffic logs show ‘rcvdpckt=0’ (packets are sent but none are received) and there is no communication between the source and the destination. The symptoms look like this:
- Check the Private Access logs on FortiSASE: the traffic is allowed by the policy, but the session is logged as an accept-session timeout.
- Run a packet capture (sniffer) on the FortiGate: the echo request leaves the FortiGate, but no reply comes back from the destination.
- Enable NAT on the FortiGate policy as a test: the destination becomes pingable and both received and transmitted packets and bytes are non-zero.
Solution:
This issue occurs when the destination sits behind a downstream device (a router, Layer 3 switch or the host's own gateway) connected to the FortiGate, and that device has no route back to the tunnel IP range 10.x.x.x. The echo request is delivered, but the reply is sent to the downstream device's default gateway or dropped, so it never returns through the FortiGate. Enabling NAT hides the tunnel source behind the FortiGate's interface address, which the downstream device already knows how to reach, which is why the test above succeeds with NAT. Configure a reverse (static) route on the downstream device for the tunnel IP range pointing to the FortiGate, confirm that the ping now receives replies, and then disable NAT on the policy so that the real tunnel source address is preserved end to end and the routing fix, not the NAT workaround, carries the traffic.
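The triage described above can be automated against exported traffic logs. The following Python script is an added example, not part of the original article or any Fortinet tool: it parses key=value traffic-log lines, flags accepted sessions that sent packets but received none, and contrasts them with sessions to the same destination that were source-NATed and did get replies. The sample log lines are constructed for illustration; field names follow the FortiOS traffic-log convention (sentpkt, rcvdpkt, transip for the NAT address), with the page's spelling ‘rcvdpckt’ also accepted, and the assumption that transip is present only when NAT was applied.

```python
"""Triage FortiGate/FortiSASE traffic logs for one-way (no-reply) sessions.

Added example, not from the original article. Sessions that transmit but
never receive, to a destination that does reply once NAT is on, match the
missing-reverse-route pattern the article describes.
"""
import re
from collections import defaultdict

# Constructed sample log lines (addresses and counters invented for illustration).
SAMPLE_LOGS = [
    # Tunnel client 10.20.0.5 pings 192.168.50.20 with NAT disabled: accepted, no reply.
    'date=2024-01-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.20.0.5 '
    'dstip=192.168.50.20 proto=1 action="accept" policyid=7 sentpkt=4 rcvdpckt=0 '
    'sentbyte=336 rcvdbyte=0 duration=10',
    'date=2024-01-01 time=10:00:12 type="traffic" subtype="forward" srcip=10.20.0.6 '
    'dstip=192.168.50.20 proto=1 action="accept" policyid=7 sentpkt=4 rcvdpkt=0 '
    'sentbyte=336 rcvdbyte=0 duration=10',
    # Same flow after NAT is enabled on the policy (transip assumed to hold the NAT address).
    'date=2024-01-01 time=10:05:01 type="traffic" subtype="forward" srcip=10.20.0.5 '
    'dstip=192.168.50.20 transip=192.168.50.1 transport=0 proto=1 action="accept" '
    'policyid=7 sentpkt=4 rcvdpkt=4 sentbyte=336 rcvdbyte=336 duration=3',
    # A healthy un-NATed session to a different destination, for contrast.
    'date=2024-01-01 time=10:06:01 type="traffic" subtype="forward" srcip=10.20.0.5 '
    'dstip=192.168.60.9 proto=6 action="accept" policyid=8 sentpkt=12 rcvdpkt=10 '
    'sentbyte=2400 rcvdbyte=5000 duration=30',
    # Denied traffic is unrelated to this symptom and must be ignored.
    'date=2024-01-01 time=10:07:01 type="traffic" subtype="forward" srcip=10.20.0.7 '
    'dstip=192.168.50.20 proto=1 action="deny" policyid=0 sentpkt=1 rcvdpkt=0',
]

# key=value pairs; values are either double-quoted or bare non-whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Parse one key=value log line into a dict (quoted and bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def _count(rec, *keys):
    """First counter present among keys, as int; 0 if absent or unparsable."""
    for k in keys:
        if k in rec:
            try:
                return int(rec[k])
            except ValueError:
                return 0
    return 0


def is_one_way(rec):
    """Accepted session that transmitted packets but never received any."""
    return (rec.get('action') == 'accept'
            and _count(rec, 'sentpkt') > 0
            and _count(rec, 'rcvdpkt', 'rcvdpckt') == 0)


def is_natted(rec):
    """Source NAT applied (assumption: transip is logged only when NAT is on)."""
    return bool(rec.get('transip'))


def triage(lines):
    """Group accepted sessions by dstip and classify their reply behaviour.

    Returns dstip -> counters plus a 'verdict' string.
    """
    stats = defaultdict(lambda: {'one_way_unnatted': 0, 'one_way_natted': 0,
                                 'ok_natted': 0, 'ok_unnatted': 0})
    for line in lines:
        rec = parse_log_line(line)
        if rec.get('action') != 'accept' or 'dstip' not in rec:
            continue
        s = stats[rec['dstip']]
        key = ('one_way' if is_one_way(rec) else 'ok') + \
              ('_natted' if is_natted(rec) else '_unnatted')
        s[key] += 1
    for s in stats.values():
        if s['one_way_unnatted'] and s['ok_natted']:
            s['verdict'] = ('replies only with NAT: check the reverse route to the '
                            'tunnel range on the downstream hop')
        elif s['one_way_unnatted']:
            s['verdict'] = ('no replies: run diagnose sniffer packet on the FortiGate '
                            'to confirm the destination is silent')
        else:
            s['verdict'] = 'healthy'
    return dict(stats)


if __name__ == '__main__':
    for dst, s in triage(SAMPLE_LOGS).items():
        print(dst, s)
```

Feed the script the raw lines of a FortiSASE Private Access log export or a FortiGate traffic-log export; a destination whose verdict is "replies only with NAT" is the case this article covers, and the fix is the reverse route on the downstream device rather than leaving NAT enabled.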