myamazak
New Member
April 4, 2016
Question

Connection failure at a particular route


Please help me, I have a problem.


I replaced the RT with the FW.

The FW is an FG-300D-BDL-US, and the FWs form an HA cluster.


SV3 received files from SV2 by FTP.

At first there was no problem. But after 4-5 hours, SV2 cannot send files to SV3.

SV3 receiving data from SV1 is no problem.

I have no idea why SV2 cannot send files to SV3 after 4-5 hours.


What would be the cause?


(OLD)

SV1 --+
      |-- NW1 -- RT -- NW2 -- RT (<-- Replaced) -- NW3 -- SV3
SV2 --+

(NEW)

SV1 --+
      |-- NW1 -- RT -- NW2 -- FW x2 (<-- New!) -- NW3 -- SV3
SV2 --+


    ede_pfau
    SuperUser
    April 4, 2016

    hi,


    this is very uncommon, to start with.

    What version of FortiOS are you running on the cluster?

    What does the log say (events, traffic), before and after the blocking?

    myamazak (Author)
    New Member
    April 4, 2016

    Thank you for replying to me. I'm very happy.

    Version is "v5.2.5,build0701 (GA)"

    No error is output to the log. No blocking log exists either.

    But after I replaced the FW with the RT, there is no problem.

    While the error is occurring, nothing is output to the log.

    I think I'll connect it again, and there is only a packet capture.

    However, because the cause is not known, it is very dangerous.

    ede_pfau
    SuperUser
    April 4, 2016

    I've got no real idea what is happening.

    It might be related to the cluster. Do you have both ports (input and output) connected by switches? Can you fail over the cluster from master to slave without problems?

    If the error occurs again in 4-5 hours, I would disconnect the cluster and run only one FGT. This setup is so simple it just has to work.

    Consider upgrading to v5.2.7 but do take a backup of the config and read the Release Notes before. As the FGT is out of service right now this might be a good moment.

    myamazak (Author)
    New Member
    April 5, 2016

    I appreciate your answer sincerely.

    I tested failing over the cluster when I replaced the RT with the FW.

    There was no problem, and nothing was output to the log.

    The firewall is connected by switches.

    ede_pfau
    SuperUser
    April 5, 2016

    There might be an interaction between the HA traffic and the switches. Some switches cannot handle having 2 identical MAC addresses show up on 2 different ports (FGT1 and FGT2 have both identical MAC addresses on their ports if they form a cluster).

    To eliminate the switches, try to run just one FGT, disconnect the other. You don't need to change the config for this.
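    One way to check for the condition described above (the same MAC address showing up behind two switch ports) before pulling a cluster member. This is an added example, not ede_pfau's or Fortinet's code: it parses constructed MAC-address-table snapshots in the common "VLAN / MAC / TYPE / PORT" layout, reports any MAC seen on more than one port in the same VLAN, and flags entries under an assumed FortiGate HA virtual-MAC prefix (00:09:0f:09). The sample table text and port names are made up.

```python
"""Detect a MAC address learned on more than one switch port across snapshots.

Added example for this thread (not from the original post). Two snapshots of a
switch's MAC table are parsed; a MAC that is attached to different ports in the
same VLAN between snapshots is a "MAC move", which is how two HA cluster members
sharing one virtual MAC appear to a switch that cannot cope with them.
"""
import re
from collections import defaultdict

# Matches table rows like "  10    0009.0f09.0001    DYNAMIC     Gi1/0/1".
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]{12,17})\s+\S+\s+(\S+)\s*$")

# Assumed prefix of FortiGate HA virtual MAC addresses (not taken from the thread).
FGT_HA_MAC_PREFIX = "00:09:0f:09"

# Constructed sample snapshots: the cluster's virtual MAC 0009.0f09.0001 is
# learned on Gi1/0/1 first and on Gi1/0/2 a little later.
SNAPSHOT_1 = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0009.0f09.0001    DYNAMIC     Gi1/0/1
  10    0050.56aa.1234    DYNAMIC     Gi1/0/5
  20    0050.56aa.5678    DYNAMIC     Gi1/0/6
"""
SNAPSHOT_2 = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0009.0f09.0001    DYNAMIC     Gi1/0/2
  10    0050.56aa.1234    DYNAMIC     Gi1/0/5
  20    0050.56aa.5678    DYNAMIC     Gi1/0/6
"""


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted, colon or dash notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> dict:
    """Return {(vlan, mac): port} for every data row; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            vlan, mac, port = match.groups()
            table[(int(vlan), normalize_mac(mac))] = port
    return table


def find_mac_moves(snapshots: list) -> dict:
    """Return {(vlan, mac): [ports...]} for MACs seen on more than one port."""
    ports_seen = defaultdict(set)
    for snapshot in snapshots:
        for key, port in parse_mac_table(snapshot).items():
            ports_seen[key].add(port)
    return {key: sorted(ports) for key, ports in ports_seen.items()
            if len(ports) > 1}


def is_fortigate_ha_mac(mac: str) -> bool:
    """True if the MAC falls under the assumed FortiGate HA virtual-MAC prefix."""
    return mac.startswith(FGT_HA_MAC_PREFIX)


def report(snapshots: list) -> list:
    """Human-readable lines, one per moving MAC, with HA virtual MACs flagged."""
    lines = []
    for (vlan, mac), ports in sorted(find_mac_moves(snapshots).items()):
        tag = " (FortiGate HA virtual MAC)" if is_fortigate_ha_mac(mac) else ""
        lines.append(f"VLAN {vlan}: {mac} moved between {', '.join(ports)}{tag}")
    return lines


if __name__ == "__main__":
    for line in report([SNAPSHOT_1, SNAPSHOT_2]):
        print(line)
```

    Feed it two or more `show mac address-table` style dumps taken a few minutes apart; if the cluster's virtual MAC keeps moving between the two ports the FGT units hang off, the switch is seeing exactly the duplicate-MAC situation described above, and running a single FGT (as suggested) is the quickest way to confirm it.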

    myamazak (Author)
    New Member
    April 28, 2016

    I appreciate your answer sincerely.

    Yesterday I tried replacing the RT with the FW again.

    At first there was no problem; after about 2 hours, the phenomenon was reproduced.

    I got the packet capture and debug log and checked them.

    I was not able to confirm the connection from SV2 to SV3.

    No data packets from SV2 to SV3 existed.

    I checked the FTP log data of SV3. SV2 could not find SV3, so the FTP session was left remaining.

    I replaced the FW with the RT, but SV2 could not connect to SV3 by FTP.

    After about 40 minutes, SV2 could connect to SV3 by FTP again.

    Using RT, this phenomenon does not occur.

    It is a mystery.