bbartik
Visitor III
May 12, 2025
Question

UDP port 730 unreachable


I set up HA between 2 FortiGate VMs on vSphere. When I do a packet sniff on the heartbeat interface of FW1b I am getting ICMP unreachables for port 730 from FW1a. Both are configured identically. Any idea where to troubleshoot next?

 

FW1a:

bb-fortigate-1a # sho system interface port5
config system interface
    edit "port5"
        set ip 192.168.255.1 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set snmp-index 5
    next
end

bb-fortigate-1a # sho system ha
config system ha
    set group-id 1
    set group-name "site1cluster"
    set mode a-p
    set hbdev "port5" 0
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 172.20.137.65
        next
    end
    set override disable
    set priority 200
    set unicast-hb enable
    set unicast-hb-peerip 192.168.255.2
end

 

FW1b:

bb-fortigate-1b # show system interface port5
config system interface
    edit "port5"
        set ip 192.168.255.2 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set snmp-index 5
    next
end

bb-fortigate-1b # sho system ha
config system ha
    set group-id 1
    set group-name "site1cluster"
    set mode a-p
    set hbdev "port5" 0
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 172.20.137.65
        next
    end
    set override disable
    set priority 150
    set unicast-hb enable
    set unicast-hb-peerip 192.168.255.1
end

 

bb-fortigate-1b # diag sniffer packet port5
Using Original Sniffing Mode
interfaces=[port5]
filters=[none]
0.110524 192.168.255.2.730 -> 192.168.255.1.730: udp 451
0.110915 192.168.255.1 -> 192.168.255.2: icmp: 192.168.255.1 udp port 730 unreachable
0.312181 192.168.255.2.730 -> 192.168.255.1.730: udp 451
0.513945 192.168.255.2.730 -> 192.168.255.1.730: udp 451
0.715994 192.168.255.2.730 -> 192.168.255.1.730: udp 451
0.918014 192.168.255.2.730 -> 192.168.255.1.730: udp 451
1.119998 192.168.255.2.730 -> 192.168.255.1.730: udp 451
1.120424 192.168.255.1 -> 192.168.255.2: icmp: 192.168.255.1 udp port 730 unreachable
1.321997 192.168.255.2.730 -> 192.168.255.1.730: udp 451
1.523655 192.168.255.2.730 -> 192.168.255.1.730: udp 451
1.725652 192.168.255.2.730 -> 192.168.255.1.730: udp 451
1.927529 192.168.255.2.730 -> 192.168.255.1.730: udp 451

 

On FW1a I get this, which is weird since FW1a is clearly responding to FW1b already:

 

bb-fortigate-1a # diag sniffer packet port5
Using Original Sniffing Mode
interfaces=[port5]
filters=[none]
1.012814 arp who-has 192.168.255.2 tell 192.168.255.1
2.139286 arp who-has 192.168.255.2 tell 192.168.255.1
3.172803 arp who-has 192.168.255.2 tell 192.168.255.1

 

2 replies

sjoshi
Staff
May 12, 2025

Hi,

 

Take a packet capture on ether frames.

diagnose sniffer packet any 'ether proto 0x8890' 6 0 l

 

Refer:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiGate-HA-Heartbeat-packet-Ethertypes/ta-p/197807

 

Thanks, Salon
bbartik
Author
Visitor III
May 12, 2025

It was an issue with my VM port groups. Got it figured out!
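
The asymmetry in the two captures from the question (heartbeats leaving FW1b and being rejected, while FW1a only shows its own unanswered ARP requests) can be tallied mechanically. The Python below is an added example, not part of the original thread or a Fortinet tool; it parses sniffer lines copied from the question, and the function names and the tcpdump-style `arp reply ... is-at` line format are assumptions.

```python
import re
from collections import Counter

# Sniffer lines copied from the two captures in the question (subset).
FW1B_CAPTURE = """\
0.110524 192.168.255.2.730 -> 192.168.255.1.730: udp 451
0.110915 192.168.255.1 -> 192.168.255.2: icmp: 192.168.255.1 udp port 730 unreachable
0.312181 192.168.255.2.730 -> 192.168.255.1.730: udp 451
1.120424 192.168.255.1 -> 192.168.255.2: icmp: 192.168.255.1 udp port 730 unreachable
"""
FW1A_CAPTURE = """\
1.012814 arp who-has 192.168.255.2 tell 192.168.255.1
2.139286 arp who-has 192.168.255.2 tell 192.168.255.1
3.172803 arp who-has 192.168.255.2 tell 192.168.255.1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
UDP_RE = re.compile(rf"^\S+ {IP}\.(\d+) -> {IP}\.(\d+): udp \d+")
UNREACH_RE = re.compile(rf"^\S+ {IP} -> {IP}: icmp: \S+ udp port (\d+) unreachable")
ARP_REQ_RE = re.compile(rf"^\S+ arp who-has {IP} tell {IP}")
# Assumed reply format (tcpdump style); no ARP reply appears on the page.
ARP_REPLY_RE = re.compile(rf"^\S+ arp reply {IP} is-at")

def summarize(capture, hb_port=730):
    """Tally heartbeat senders, ICMP rejections and unanswered ARP targets."""
    hb, unreach, asked, answered = Counter(), Counter(), Counter(), set()
    for line in capture.splitlines():
        if m := UDP_RE.match(line):
            if int(m[4]) == hb_port:
                hb[m[1]] += 1          # source IP of a unicast heartbeat
        elif m := UNREACH_RE.match(line):
            if int(m[3]) == hb_port:
                unreach[m[1]] += 1     # unit rejecting the heartbeat port
        elif m := ARP_REQ_RE.match(line):
            asked[m[1]] += 1           # IP being resolved
        elif m := ARP_REPLY_RE.match(line):
            answered.add(m[1])
    unanswered = {ip: n for ip, n in asked.items() if ip not in answered}
    return {"hb_senders": dict(hb), "unreachable_from": dict(unreach),
            "unanswered_arp": unanswered}

def heartbeat_problem(summary):
    """True when fewer than two units send heartbeats or a peer rejects them."""
    return len(summary["hb_senders"]) < 2 or bool(summary["unreachable_from"])
```
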