FGT1000D dropping sessions?

Question

Hi,

I segmented our network using FGT1000D (running 5.6) in HA act-pass mode. The FGT act as routers for all different vlans (all vlan interfaces are created under portA) and policies are in place to allow or not traffic from one vlan to the other. As of now, all vlans can talk to all vlans. No UTM in place also. The 2 FGTs are connected to 2 Brocade VDX switches in a VCS cluster using Brocade TwinAX cables on 10Gbps ports. These Brocades were doing the routing before moving to the Fortigates. I haven't seen errors on the interfaces.

Since the cutover, it seems that TCP sessions gets dropped between vlans. ICMP still works though. We had an issue this morning when a server in a vlan stopped passing traffic to another server in a different vlan. I was able to ping a server from the other and vice-versa. The session eventually came back up after a few minutes.

Another issue with clients connecting to a server. I moved the server to the same vlan as the clients and no more issues...

I'm really struggling on this one...any ideas?

EMES · Answer

You can run the below between the servers that are having problems. Just to see if something is stepping on the traffic.

diag debug enable diag debug flow filter add <PC1> or diag debug flow filter add <PC2> diag debug flow show console enable diag debug flow trace start 100 <== this will display 100 packets for this flow diag debug enable

Try looking at the interface to see any drops or errors

#diag hardware deviceinfo nic

or

#fnsysctl cat /proc/net/dev

You can also try the below link to see denied sessions in the session table, maybe you will see something there.

http://cookbook.fortinet.com/adding-denied-sessions-to-session-table/

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded