Skip to main content
Kenundrum
Kenundrum
New Member
January 8, 2015
Question

Management ports trying to route traffic

  • January 8, 2015
  • 4 replies
  • 18590 views

i have a problem with a 500D management port. i have confirmed that it is set dedicated to management both in gui and cli but it appears to be trying to route traffic. the management port is in the same subnet as another interface and traffic from outside interfaces is routing to the internal subnet through the management port and being blocked instead of going to the proper interface.

For example-   traffic from port 10 should be going to port 1 but instead it is being directed at mgmt1 because in the routing table they both show up with a distance of 0 to that subnet and mgmt1 is alphabetically first. i have tried adding a static route with a different distance to push it up from 0 but that doesn't seem to do anything.

Shouldn't a dedicated management port do absolutely nothing other than receive admin access, download fortiguard updates, and send out logs, etc?

I imagine i could segregate the mgmt1 and 2 ports to their own VDOM and that would fix the problem, but that just feels like a band-aid. I am already using multiple VDOMs to separate transparent mode zones and routed mode interfaces and losing one to dedicated management ports would seem like a waste. The management ports are sitting in my single NAT/routed mode vdom along with a handful of other interfaces.

Am i missing something?

4 replies

emnoc
emnoc
New Member
January 8, 2015

 

Have you tried changing the mgmt int address as a temporary and see what happens?

 

ede_pfau
SuperUser
ede_pfau
SuperUser
January 8, 2015

IMHO using the same subnet as one on the other ports is a feature strictly reserved to the mgmt ports, and this should be guarded by a complete disability to route any traffic. So what you observe might very well be a bug.

I would open a ticket on this one, a) to try to get a solution and b) to make FTN aware of the problem.

 

Which version of FOS are you running?

Kenundrum
KenundrumAuthor
New Member
January 8, 2015

I'm using 5.2.1. I disabled the mgmt interface and traffic began routing properly. When i re-enabled the interface, it showed up below the port interface in the routing table and now traffic is routing properly.

i have opened a ticket with fortinet about this.

mmishra_FTNT
Staff
mmishra_FTNT
Staff
February 2, 2015

Hello,

Firstly having IP on two interfaces which are in same network ID is not suggested practice so it is strongly suggested to change IP either on MGMT or internal port

It is not allowed unless subnet over lap is enabled

And as for why it started working after you disabled and re-enabled is because if distance first and then priority are matching are matching for two routes to same destination with none of the routes specific with regards to subnet mask compared to other the timing of route in routing table plays a role

Route active for longer period of time is preferred in case distance and priority match and none is more specific than other 

s_timofeev
s_timofeev
New Member
June 14, 2016

Hello. Now i have the same problem with FG-300D.

How did you resolve it? What was solution from Fortinet in ticket?

Kenundrum
KenundrumAuthor
New Member
June 16, 2016

the solution from fortinet at the time was that it is "by design". What i did was put the management ports into their own VDOM with no other ports and set that to be the management VDOM. It takes care of all possible problems, it just makes it a little more annoying to manage yet another VDOM.

Terms & ConditionsAccessibility statement