Sanjay1
New Member
May 15, 2017
Question

Only a Few Websites are Reachable Over the Internet

  • May 15, 2017
  • 1 reply
  • 3712 views

Hi,

We have a Fortigate 3950B in production, in which 5 VDOMs are created. Behind the root VDOM we have more than 75 different locations (subnets; it's a huge network, 10.0.0.0/8). These locations are all government bodies. In one of the most critical locations we're facing the issue: users are able to open google.com, gmail.com and youtube, but other than these (and a few more) all other websites (yahoo, wikipedia, news websites, etc.) are unreachable. Out of more than 75 locations on the same port, this is happening with only one location, which has 2 subnets (10.23.64.0/24 & 10.25.100.0/24). Currently we have not applied any UTM features, for troubleshooting purposes, but the issue persists. msn.com opens, but not completely. It's been 6 days since a TAC case was raised with the highest priority. We collected logs; at first we found that the SYN packets are getting out from the firewall but there is no reply, but according to the latest logs we're not receiving SYN from the source side. However, if we route the same traffic through an ASA, everything works fine. We've also tried directly connecting a laptop to the firewall interface after configuring IPs of the 10.23.64.0/24 subnet on the firewall interface & laptop, and everything works.

Now we have no clue what's blocking the traffic. If you guys have worked on any such case, kindly provide your input. Any idea will be helpful.

Thanks

Sanjay

1 reply

MikePruett
New Member
May 16, 2017

So if a laptop is plugged directly into the Gate VDOM that is experiencing issues it works fine?

If so, is there anything downstream that could be causing the issue? An external IPS or something?

Sanjay1 (Author)
New Member
May 16, 2017

Yes, it works fine when a system with the mentioned subnet's IP is configured and connected directly to another interface of the firewall. In the normal scenario, the traffic for segments 10.23.64.0/24 & 10.25.100.0/24 is received on interface 1 of the Fortigate along with several other segments. We configured & connected our laptop directly to interface 2 of the Fortigate, which is generally not in use.

We've also checked the policy of the IPS; there is an IPS installed at the customer location. The traffic reaches the internet perfectly through the same IPS when a Cisco ASA is used instead of the Fortigate; still, we bypassed a few IPs through the IPS, and even then it didn't work.

Thanks,

Sanjay