faizneer
New Member
November 30, 2023
Question

ONE DNAT NOT WORKING, ALTHOUGH OTHER DNAT IS WORKING ON FORTIGATE

  • November 30, 2023
  • 1 reply
  • 3834 views

- ONE DEFAULT ROUTE FOR INTERNET WORKING ...

- 2 POLICY BASED ROUTES FOR EACH VM, ONE FOR FORWARD, ONE FOR BACKWARD ...

- 1 POLICY FOR LAN TO WAN FOR INTERNET


- 2 POLICIES FOR EACH VM , ONE FOR FORWARD AND SECOND FOR BACKWARD

- VIP IS USED FOR EACH VM


- ONE SERVER IS A SIP SERVER, WHICH IS WORKING FINE, INCOMING AND OUTGOING


- ONE SERVER IS A WEB SERVER, WHICH IS NOT ACCESSIBLE VIA VIP


WHAT COULD BE THE REASONS? I CAN GIVE MORE DETAIL IF ASKED.

1 reply

hbac
Staff
November 30, 2023

Hi @faizneer,


We need to run debug flow to see how the traffic flows. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560


Below is an example of a debug flow filter:

diagnose debug disable
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 172.16.102.20        <<<   Source IP address
diagnose debug flow filter port 23                   <<<   Port number if applicable. If not, remove this line.
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable


Regards, 


Toshi_Esumi
SuperUser
November 30, 2023

In addition to the debug log @hbac asked for above, please share the non-working VIP config in the CLI under "config firewall vip". My guess is the VIP itself is working to reach the VM, but the returning traffic has a different source IP or something like that.


Toshi
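The debug flow capture hbac describes and the asymmetric-return hypothesis Toshi raises, as an added example that is not part of the original thread: a Python parser over constructed debug flow lines (their format only approximates FortiOS output; function names, line numbers, addresses and interface names are made up) that groups lines by trace_id, records the DNAT, route and policy verdict for each trace, and flags a reply arriving from the VIP's internal interface whose source address is not the one the VIP mapped to.

```python
import re
from collections import defaultdict
# Constructed sample approximating FortiOS "diagnose debug flow" output (not from the thread).
# trace 1: inbound to the web VIP, DNAT applied, routed to port2, allowed by policy.
# trace 2: the VM answers from 10.0.0.21 instead of the mapped 10.0.0.20, so the reply
# matches no session and is dropped (the asymmetric-return case Toshi suspects).
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:51022->203.0.113.10:80) from wan1. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3491 msg="DNAT 203.0.113.10:80->10.0.0.20:80"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2621 msg="find a route: flag=04000000 gw-10.0.0.20 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=852 msg="Allowed by Policy-5:"
id=20085 trace_id=2 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 10.0.0.21:80->198.51.100.7:51022) from port2. flag [S.], seq 9, ack 2, win 65535"
id=20085 trace_id=2 func=ip_session_core_in line=6354 msg="no session matched"
"""

PKT_RE = re.compile(r"received a packet\(proto=\d+, ([\d.]+):\d+->[\d.]+:\d+\) from ([^\s\"]+)\.")
DNAT_RE = re.compile(r"DNAT [\d.]+:\d+->([\d.]+):\d+")
ROUTE_RE = re.compile(r"find a route: .* via ([^\s\"]+)")
POLICY_RE = re.compile(r"(Allowed by Policy-(\d+)|Denied by forward policy check \(policy (\d+)\))")

def parse_traces(text):
    """Group debug-flow lines by trace_id and extract the fields a VIP/DNAT check needs."""
    traces = defaultdict(lambda: dict(src=None, in_if=None, dnat_to=None, out_if=None, verdict=None, policy=None))
    for line in text.splitlines():
        if not (tid := re.search(r"trace_id=(\d+)", line)):
            continue
        t = traces[int(tid.group(1))]
        if m := PKT_RE.search(line):
            t["src"], t["in_if"] = m[1], m[2]          # original source IP and ingress interface
        elif m := DNAT_RE.search(line):
            t["dnat_to"] = m[1]                        # address the VIP translated the destination to
        elif m := ROUTE_RE.search(line):
            t["out_if"] = m[1]                         # egress interface chosen by routing/PBR
        elif m := POLICY_RE.search(line):
            t["verdict"] = "allowed" if m[2] else "denied"
            t["policy"] = int(m[2] or m[3])
        elif "no session matched" in line:
            t["verdict"] = "dropped"                   # non-SYN packet with no matching session
    return dict(traces)

def find_return_mismatches(traces):
    """Flag replies from a VIP's internal interface whose source is not the mapped address."""
    mapped = defaultdict(set)  # internal interface -> mapped IPs that DNAT'd traffic was sent to
    for t in traces.values():
        if t["dnat_to"] and t["out_if"]:
            mapped[t["out_if"]].add(t["dnat_to"])
    return [(tid, t["src"], sorted(mapped[t["in_if"]]), t["verdict"])
            for tid, t in sorted(traces.items())
            if not t["dnat_to"] and t["src"] and t["in_if"] in mapped and t["src"] not in mapped[t["in_if"]]]
```

Run against a real capture taken with the filter above, a hit from find_return_mismatches points at the VM's source address or its policy route, whereas an empty result with a "denied" verdict on the inbound trace points at the forward policy instead.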