Skip to main content
tavo
tavo
New Member
March 19, 2021
Question

Fortigate 60e fails connecting through PPPoE

  • March 19, 2021
  • 1 reply
  • 9391 views

Hi!

 

I have a Fortigate 60e v6.4.1 build1637 (GA) that I want to use for practicing for my NSE4 exam.

 

I'm trying to connect it to Internet at home.

 

I have my ISP's ONT with port 1 in bridge mode. And actually, I use a TP-Link Archer C1200 as domestic router.

 

So I configure Fortigate's WAN interface in PPPoE mode, with user and password. But it fails every time.

 

I have tried to debbug the interface and this is what I have obtained:

 

PPP send: LCP Configure_Request id(1) len(14) [Maximum_Received_Unit 1492] [Magic_Number 4B598E75] PPP recv: LCP Configure_Request id(1) len(18) [Maximum_Received_Unit 1492] [Authentication_Protocol PAP] [Magic_Number 05458D59] PPP send: LCP Configure_Ack id(1) len(18) [Maximum_Received_Unit 1492] [Authentication_Protocol PAP] [Magic_Number 05458D59] PPP recv: LCP Configure_Ack id(1) len(14) [Maximum_Received_Unit 1492] [Magic_Number 4B598E75] PPP send: LCP Echo_Request id(0) len(8) [Magic_Number 4b598e75] [style="background-color: #ffff00;"]PPP send: PAP Authentication_Request id(1) peerid(len=8, *MyUser*)[/style] PPP recv: LCP Echo_Reply id(0) len(8) [Magic_Number 05458d59] [style="background-color: #ffff00;"]PPP recv: PAP Authentication_Nak id(1) packet_len=27, message_len=22[/style] PPP send: LCP Termiate_Request id(2) len(44) PPP recv: LCP Termiate_Request id(2) len(4) PPP send: LCP Terminate_Ack id(2) len(4) PPP recv: LCP Terminate_Ack id(2) len(4)

 

I have been reading here: https://www.freesoft.org/CIE/RFC/1334/7.htm

 

It says that Fortigate should be sending "Peer-ID Length" and "Peer-Id". But also "Passwd-Length" and "Password".

 

In first yellow line I see:

[ul]
  • Peer-ID Length: 8
  • Peer-Id: *MyUser*[/ul]

    But I don't see "Passwd-Length" nor "Password". I don't know if it is sending it but the debbuging is not showing it. Or if it is not sending the password at all.

     

    So, in the second yellow line it receives an Authetication_Nak. And, reading here: https://www.freesoft.org/CIE/RFC/1334/8.htm I see:

     

    If the Peer-ID/Password pair received in a Authenticate-Request is not recognizable or acceptable, then the authenticator MUST transmit a PAP packet with the Code field set to 3 (Authenticate- Nak), and SHOULD take action to terminate the link.

     

    So, I know that, in some way, the Forti is sending wrong credentials to my ISP. Because I change the patchcord to the TP-Link and it connects in a few seconds. And the TP-Link didn't need any special setting. Out-of-the-box, just user and password.

     

    Questions: what can I do to see what the Fortigate is sending to the ISP? If it is or not sending the password. And, if it is sending the password, how is it sending it.

     

    And, of course, what can I do to make it work?

     

    This is the config of my wan interface. I changed the MTU to 1480 because, out-of-the-box, the TP-Link uses that value and it works fine:

     

    FortiGate-60E (wan2) # show full-configuration config system interface edit "wan2" set vdom "root" set vrf 0 set fortilink disable set mode pppoe set distance 5 set priority 0 set dhcp-relay-service disable set allowaccess ping fgfm set fail-detect disable set arpforward enable set broadcast-forward disable set bfd global set l2forward disable set icmp-send-redirect enable set icmp-accept-redirect enable set vlanforward disable set stpforward disable set ips-sniffer-mode disable set ident-accept disable set ipmac disable set subst disable set substitute-dst-mac 00:00:00:00:00:00 set status up set netbios-forward disable set wins-ip 0.0.0.0 set type physical set netflow-sampler disable set sflow-sampler disable set src-check enable set sample-rate 2000 set polling-interval 20 set sample-direction both set explicit-web-proxy disable set explicit-ftp-proxy disable set proxy-captive-portal disable set tcp-mss 0 set inbandwidth 0 set outbandwidth 0 set egress-shaping-profile '' set ingress-shaping-profile '' set disconnect-threshold 0 set weight 0 set external disable set description '' set alias '' set l2tp-client disable set security-mode none set device-identification disable set lldp-reception vdom set lldp-transmission vdom set estimated-upstream-bandwidth 0 set estimated-downstream-bandwidth 0 set measured-upstream-bandwidth 0 set measured-downstream-bandwidth 0 set bandwidth-measure-time 0 set monitor-bandwidth disable set vrrp-virtual-mac disable set role wan set snmp-index 2 set preserve-session-route disable set auto-auth-extension-device disable set ap-discover enable set switch-controller-mgmt-vlan 4094 set switch-controller-igmp-snooping-proxy disable set switch-controller-igmp-snooping-fast-leave disable config ipv6 set ip6-mode static set nd-mode basic set ip6-address ::/0 unset ip6-allowaccess set ip6-reachable-time 0 set ip6-retrans-time 0 set ip6-hop-limit 0 set dhcp6-prefix-delegation disable set dhcp6-information-request disable set vrrp-virtual-mac6 disable set vrip6_link_local :: set ip6-send-adv disable set autoconf disable set dhcp6-relay-service disable end set ipunnumbered 0.0.0.0 set username "*MyUser*" set password ENC *password* set idle-timeout 0 set disc-retry-timeout 1 set padt-retry-timeout 1 set service-name '' set ac-name '' set lcp-echo-interval 5 set lcp-max-echo-fails 3 set defaultgw enable set dns-server-override enable set auth-type auto set speed auto set mtu-override enable set mtu 1480 set wccp disable set drop-overlapped-fragment disable set drop-fragment disable next end

     

    Thanks in advance.

    • 1 reply

    andrewbailey
    andrewbailey
    New Member
    March 19, 2021

    Hi tavo,

     

    There is no issue with PPPoE on the Fortigate or the 60E particuarly. It works very well- I use it myself without any issues.

     

    So, it sounds like you have a config issue.

     

    Have a search of the Forums- it's a topic that has been discussed before quite a bit. For example the following link covers a previous dicussion:-

     

    https://forum.fortinet.com/FindPost/190356

     

    In that thread you can I see I directed the op towards another post where I described my configuration.

     

    Have a look through that- it should help sort you out.

     

    Good luck with the NSE4 exam by the way.

     

    Kind Regards,

     

     

    Andy.

    tavo
    tavoAuthor
    New Member
    March 23, 2021

    Hi!

     

    Thanks for the info.

     

    I configured a pppoe interface that works over the WAN2 physical interface (right now the cable is not connected to WAN2 because I need Internet)

     

     

     

     

     

    But it doesn't work.

     

    The debug shows this cycle again and again:

     

    PPP send: LCP Configure_Request id(1) len(14) [Maximum_Received_Unit 1492] [Magic_Number F7797A4A] PPP recv: LCP Configure_Request id(1) len(18) [Maximum_Received_Unit 1492] [Authentication_Protocol PAP] [Magic_Number 6D013469] PPP send: LCP Configure_Ack id(1) len(18) [Maximum_Received_Unit 1492] [Authentication_Protocol PAP] [Magic_Number 6D013469] PPP recv: LCP Configure_Ack id(1) len(14) [Maximum_Received_Unit 1492] [Magic_Number F7797A4A] PPP send: LCP Echo_Request id(0) len(8) [Magic_Number f7797a4a] PPP send: PAP Authentication_Request id(1) peerid(len=8, *MyUser*) PPP recv: LCP Echo_Reply id(0) len(8) [Magic_Number 6d013469] PPP recv: PAP Authentication_Nak id(1) packet_len=27, message_len=22 Remote message: Authentication Failure PAP authentication failed PPP send: LCP Termiate_Request id(2) len(44) PPP recv: LCP Termiate_Request id(2) len(4) PPP send: LCP Terminate_Ack id(2) len(4) PPP recv: LCP Terminate_Ack id(2) len(4) Connection terminated. child_exit()-640: A child process exits pppoed_main()-850: PID 5332 exit pppoed_main()-856: Interface pppoe1 exit pppoed_main()-781: Start PPPoE interface pppoe1 pppoed_main()-784: PID of pppoe1 is 5333 parameters passed to pppd: pppd 0 pppoed pppoe1 unit 1 ifname pppoe1  nopersist noipdefault noauth defaultroute default-asyncmap hide-password nodetach mtu 1492 mru 1492 noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp user *MyUser* lcp-echo-interval 5 lcp-echo-failure 3 sync plugin /bin/pppoe.so     pppoe_retry_time 1 pppoe_padt_time 1 pppoe_srv_name  pppoe_ac_name  pppoe_hostuniq 5612408 pppoe_sock2parent 12 wan2 ipunnumbered 0.0.0.0 idle 0 unnumbered-negotiate enable using channel 9 Using interface pppoe1 Connect: pppoe1 <--> wan2 Parent: pppoed

     

    I still don't know what could be the right setup. But I'm sure that user and password are right.

     

    Next, the config for pppoe1 and WAN2 interfaces:

     

    FortiGate-60E (pppoe1) # get name                : pppoe1 vdom                : root vrf                 : 0 cli-conn-status     : 0 mode                : pppoe distance            : 5 priority            : 0 dhcp-relay-service  : disable ip                  : 0.0.0.0 0.0.0.0 allowaccess         : arpforward          : enable broadcast-forward   : disable bfd                 : global icmp-send-redirect  : enable icmp-accept-redirect: enable ips-sniffer-mode    : disable ident-accept        : disable ipmac               : disable status              : up netbios-forward     : disable wins-ip             : 0.0.0.0 type                : tunnel netflow-sampler     : disable sflow-sampler       : disable src-check           : enable sample-rate         : 2000 polling-interval    : 20 sample-direction    : both explicit-web-proxy  : disable explicit-ftp-proxy  : disable proxy-captive-portal: disable tcp-mss             : 0 inbandwidth         : 0 outbandwidth        : 0 egress-shaping-profile: ingress-shaping-profile: weight              : 0 external            : disable devindex            : 22 description         : alias               : l2tp-client         : disable security-mode       : none estimated-upstream-bandwidth: 10000 estimated-downstream-bandwidth: 50000 measured-upstream-bandwidth: 0 measured-downstream-bandwidth: 0 bandwidth-measure-time: monitor-bandwidth   : disable role                : wan snmp-index          : 8 preserve-session-route: disable auto-auth-extension-device: disable ap-discover         : enable switch-controller-igmp-snooping-proxy: disable switch-controller-igmp-snooping-fast-leave: disable swc-vlan            : 0 tagging: detected-peer-mtu   : 0 defaultgw           : enable PPPOE Gateway       : 0.0.0.0 dns-server-override : enable Acquired DNS1       : 0.0.0.0 Acquired DNS2       : 0.0.0.0 wccp                : disable interface           : wan2

     

     

     

    FortiGate-60E (wan2) # get name                : wan2 vdom                : root vrf                 : 0 cli-conn-status     : 3 fortilink           : disable mode                : static dhcp-relay-service  : disable ip                  : 0.0.0.0 0.0.0.0 allowaccess         : ping fgfm fail-detect         : disable pptp-client         : disable arpforward          : enable broadcast-forward   : disable bfd                 : global l2forward           : disable icmp-send-redirect  : enable icmp-accept-redirect: enable vlanforward         : disable stpforward          : disable ips-sniffer-mode    : disable ident-accept        : disable ipmac               : disable subst               : disable substitute-dst-mac  : 00:00:00:00:00:00 status              : up netbios-forward     : disable wins-ip             : 0.0.0.0 type                : physical netflow-sampler     : disable sflow-sampler       : disable src-check           : enable sample-rate         : 2000 polling-interval    : 20 sample-direction    : both explicit-web-proxy  : disable explicit-ftp-proxy  : disable proxy-captive-portal: disable tcp-mss             : 0 inbandwidth         : 0 outbandwidth        : 0 egress-shaping-profile: ingress-shaping-profile: disconnect-threshold: 0 weight              : 0 external            : disable devindex            : 6 description         : alias               : l2tp-client         : disable security-mode       : none device-identification: disable lldp-reception      : vdom lldp-transmission   : vdom estimated-upstream-bandwidth: 0 estimated-downstream-bandwidth: 0 measured-upstream-bandwidth: 0 measured-downstream-bandwidth: 0 bandwidth-measure-time: monitor-bandwidth   : disable vrrp-virtual-mac    : disable vrrp: role                : wan snmp-index          : 2 secondary-IP        : disable preserve-session-route: disable auto-auth-extension-device: disable ap-discover         : enable ip-managed-by-fortiipam: disable switch-controller-mgmt-vlan: 4094 switch-controller-igmp-snooping-proxy: disable switch-controller-igmp-snooping-fast-leave: disable swc-vlan            : 0 swc-first-create    : 0 tagging: ipv6:         ip6-mode            : static     nd-mode             : basic     ip6-address         : ::/0     ip6-allowaccess     :     icmp6-send-redirect : enable     ip6-reachable-time  : 0     ip6-retrans-time    : 0     ip6-hop-limit       : 0     dhcp6-prefix-delegation: disable delegated-prefix            : ::/0 preferred-life-time         : 0 valid-life-time     : 0 delegated-DNS1      : :: delegated-DNS2      : :: delegated-domain          :     dhcp6-information-request: disable     vrrp-virtual-mac6   : disable     vrip6_link_local    : ::     ip6-send-adv        : disable     autoconf            : disable     dhcp6-relay-service : disable macaddr             : e8:1c:ba:be:da:ef speed               : auto mtu-override        : disable wccp                : disable drop-overlapped-fragment: disable drop-fragment       : disable

     

     

     

    Any help will be welcome.

    tavo
    tavoAuthor
    New Member
    March 24, 2021

    Well... definitely there must be something wrong with Fortigates and the way the try to connect using PPPoE. I use plural because I tested with a Fortigate 200D and it behaves the same. It fails every time just like the FGT 60e. I don't know what it is. But cheap TP-Link's can connect  with PPPoE out of the box just entering username and password. And two Fortigates can't connect. Authentication fail once and again. The FGT 60e is running version 6.4.5. The FGT 200d is running 6.0.9 (the last version that supports that hardware). Again, any help or clue wil be welcome.

    Terms & ConditionsAccessibility statement