Treuz
New Member
June 20, 2018
Question

Unable to telnet/ping from Fortigate


Hello, I have a Fortigate 90D that is working pretty well. I'm having a problem configuring a VIP to let an external application access a badge reader in my local LAN via telnet on port 9999; there is an issue (I believe) in the local segment of my network. The telnet (as well as ping) command is working fine from my PC to the badge reader: I can access the device via telnet and interact with the console. The weird thing is that the Fortigate cannot telnet into the badge reader: if I issue "execute telnet x.x.x.x 9999" the connection times out. The FGT can telnet to other machines on the LAN. The problem seems to exist only between the FGT and the badge reader. All the machines (PC, servers) are on the same local subnet: they all go through a single switch that is connected to a LAN port on the FGT. Does anyone have a clue?

    2 replies

    rwpatterson
    New Member
    June 20, 2018

    Is the network connected to the Fortigate directly? Is the correct routing in place? (is basically what I'm asking)

    Also, do you have an IP pool set up that includes that single inside IP address? This will also prevent any Fortigate traffic from proceeding to the end host.

    Treuz (Author)
    New Member
    June 20, 2018

    rwpatterson wrote:

    Is the network connected to the Fortigate directly? Is the correct routing in place? (is basically what I'm asking)

    Yes, the Fortigate is connected to a switch; all the devices (including my PC and the badge reader) are connected to the same switch in a single subnet.

    rwpatterson wrote:

    Also, do you have an IP pool set up that includes that single inside IP address? This will also prevent any Fortigate traffic from proceeding to the end host.

    No, I don't have any IP pool configured.

    I didn't have any problem in the past letting external devices access some resources on my local LAN.

    I still can't explain why my PC can telnet to the device and the Fortigate cannot.

    rwpatterson
    New Member
    June 20, 2018

    If you trace route from the Fortigate, what do you get?

    Hussien_Idris
    Explorer
    June 23, 2018

    Hello,

    Well, going through your case, I can see you are unable to telnet to that particular machine. To end this confusion, kindly do the following:

    - execute the following command to test reliability from FGT to your device:

        # execute ping-options source "Your FGT LAN IP" [though the source option won't be important since your device is in the same network]

        # execute ping "Your device"

    If there is a reply, do the next step.

    - execute the following debug flow commands on FGT:

        #diagnose debug reset

        #diagnose debug flow show console enable
        #diagnose debug flow show function-name enable
        #diagnose debug flow show iprope enable
        #diagnose debug flow filter dport 9999
        #diagnose debug flow trace start 20
        #diagnose debug enable

    - Once the above commands are entered, try to telnet to your device on port 9999 from outside and share the output.

    Don't forget to disable and reset debug using the commands below:

        #diagnose debug disable
        #diagnose debug reset

    Treuz (Author)
    New Member
    June 25, 2018

    I changed the cabling: now the device is attached straight to one of the FGT's switch ports. I've also changed ping-options as you suggested, but nothing changed: I can telnet to the device from one of the LAN clients, but telnet still doesn't work from the FGT.

    This is the debug flow output:

    Fortigate # diag debug reset
    Fortigate # diag debug flow show function-name en
    show function name
    Fortigate # diag debug flow show iprope en
    show trace messages about iprope
    Fortigate # diag debug flow filter dport 9999
    Fortigate # diag debug flow trace start 1000
    Fortigate # diag debug en
    Fortigate #
    id=20085 trace_id=46 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag , seq 2465178324, ack 0, win 64240"
    id=20085 trace_id=46 func=init_ip_session_common line=5390 msg="allocate a new session-00d5abef"
    id=20085 trace_id=46 func=iprope_dnat_check line=4775 msg="in-[internal], out-[]"
    id=20085 trace_id=46 func=iprope_dnat_tree_check line=835 msg="len=1"
    id=20085 trace_id=46 func=__iprope_check_one_dnat_policy line=4650 msg="checking gnum-100000 policy-12"
    id=20085 trace_id=46 func=get_new_addr line=2936 msg="find DNAT: IP-192.168.168.210, port-9999"
    id=20085 trace_id=46 func=__iprope_check_one_dnat_policy line=4732 msg="matched policy-12, act=accept, vip=12, flag=100, sflag=800000"
    id=20085 trace_id=46 func=iprope_dnat_check line=4788 msg="result: skb_flags-00800000, vid-12, ret-matched, act-accept, flag-00000100"
    id=20085 trace_id=46 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
    id=20085 trace_id=46 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=3"
    id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
    id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
    id=20085 trace_id=46 func=__iprope_user_identity_check line=1590 msg="ret-matched"
    id=20085 trace_id=46 func=__iprope_check line=1987 msg="gnum-4e23, check-f8af06c8"
    id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-9, ret-no-match, act-accept"
    id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-7, ret-matched, act-accept"
    id=20085 trace_id=46 func=__iprope_check_one_policy line=1958 msg="policy-7 is matched, act-accept"
    id=20085 trace_id=46 func=__iprope_check line=2006 msg="gnum-4e23 check result: ret-matched, act-accept, flag-00202000, flag2-00000000"
    id=20085 trace_id=46 func=get_new_addr line=2936 msg="find SNAT: IP-x.x.x.x(from IPPOOL), port-5163"
    id=20085 trace_id=46 func=__iprope_check_one_policy line=1958 msg="policy-8 is matched, act-accept"
    id=20085 trace_id=46 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-8"
    id=20085 trace_id=46 func=fw_pre_route_handler line=182 msg="VIP-192.168.168.210:9999, outdev-unkown"
    id=20085 trace_id=46 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
    id=20085 trace_id=46 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
    id=20085 trace_id=46 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
    id=20085 trace_id=46 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
    id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-19, ret-no-match, act-accept"
    id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
    id=20085 trace_id=46 func=__iprope_user_identity_check line=1590 msg="ret-matched"
    id=20085 trace_id=46 func=__iprope_check_one_policy line=1958 msg="policy-0 is matched, act-drop"
    id=20085 trace_id=46 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
    id=20085 trace_id=46 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
    id=20085 trace_id=47 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag , seq 2465178324, ack 0, win 64240"
    id=20085 trace_id=47 func=init_ip_session_common line=5390 msg="allocate a new session-00d5ac17"
    id=20085 trace_id=47 func=iprope_dnat_check line=4775 msg="in-[internal], out-[]"
    id=20085 trace_id=47 func=iprope_dnat_tree_check line=835 msg="len=1"
    id=20085 trace_id=47 func=__iprope_check_one_dnat_policy line=4650 msg="checking gnum-100000 policy-12"
    id=20085 trace_id=47 func=get_new_addr line=2936 msg="find DNAT: IP-192.168.168.210, port-9999"
    id=20085 trace_id=47 func=__iprope_check_one_dnat_policy line=4732 msg="matched policy-12, act=accept, vip=12, flag=100, sflag=800000"
    id=20085 trace_id=47 func=iprope_dnat_check line=4788 msg="result: skb_flags-00800000, vid-12, ret-matched, act-accept, flag-00000100"
    id=20085 trace_id=47 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
    id=20085 trace_id=47 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=3"
    id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
    id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
    id=20085 trace_id=47 func=__iprope_user_identity_check line=1590 msg="ret-matched"
    id=20085 trace_id=47 func=__iprope_check line=1987 msg="gnum-4e23, check-f8af06c8"
    id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-9, ret-no-match, act-accept"
    id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-7, ret-matched, act-accept"
    id=20085 trace_id=47 func=__iprope_check_one_policy line=1958 msg="policy-7 is matched, act-accept"
    id=20085 trace_id=47 func=__iprope_check line=2006 msg="gnum-4e23 check result: ret-matched, act-accept, flag-00202000, flag2-00000000"
    id=20085 trace_id=47 func=get_new_addr line=2936 msg="find SNAT: IP-x.x.x.x(from IPPOOL), port-5163"
    id=20085 trace_id=47 func=__iprope_check_one_policy line=1958 msg="policy-8 is matched, act-accept"
    id=20085 trace_id=47 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-8"
    id=20085 trace_id=47 func=fw_pre_route_handler line=182 msg="VIP-192.168.168.210:9999, outdev-unkown"
    id=20085 trace_id=47 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
    id=20085 trace_id=47 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
    id=20085 trace_id=47 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
    id=20085 trace_id=47 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
    id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-19, ret-no-match, act-accept"
    id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
    id=20085 trace_id=47 func=__iprope_user_identity_check line=1590 msg="ret-matched"
    id=20085 trace_id=47 func=__iprope_check_one_policy line=1958 msg="policy-0 is matched, act-drop"
    id=20085 trace_id=47 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
    id=20085 trace_id=47 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
    id=20085 trace_id=48 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag , seq 2465178324, ack 0, win 64240"
    id=20085 trace_id=48 func=init_ip_session_common line=5390 msg="allocate a new session-00d5ac64"
    id=20085 trace_id=48 func=iprope_dnat_check line=4775 msg="in-[internal], out-[]"
    id=20085 trace_id=48 func=iprope_dnat_tree_check line=835 msg="len=1"
    id=20085 trace_id=48 func=__iprope_check_one_dnat_policy line=4650 msg="checking gnum-100000 policy-12"
    id=20085 trace_id=48 func=get_new_addr line=2936 msg="find DNAT: IP-192.168.168.210, port-9999"
    id=20085 trace_id=48 func=__iprope_check_one_dnat_policy line=4732 msg="matched policy-12, act=accept, vip=12, flag=100, sflag=800000"
    id=20085 trace_id=48 func=iprope_dnat_check line=4788 msg="result: skb_flags-00800000, vid-12, ret-matched, act-accept, flag-00000100"
    id=20085 trace_id=48 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
    id=20085 trace_id=48 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=3"
    id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
    id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
    id=20085 trace_id=48 func=__iprope_user_identity_check line=1590 msg="ret-matched"
    id=20085 trace_id=48 func=__iprope_check line=1987 msg="gnum-4e23, check-f8af06c8"
    id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-4294967295, ret-no-match, act-accept"
    id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-9, ret-no-match, act-accept"
    id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-7, ret-matched, act-accept"
    id=20085 trace_id=48 func=__iprope_check_one_policy line=1958 msg="policy-7 is matched, act-accept"
    id=20085 trace_id=48 func=__iprope_check line=2006 msg="gnum-4e23 check result: ret-matched, act-accept, flag-00202000, flag2-00000000"
    id=20085 trace_id=48 func=get_new_addr line=2936 msg="find SNAT: IP-x.x.x.x(from IPPOOL), port-5163"
    id=20085 trace_id=48 func=__iprope_check_one_policy line=1958 msg="policy-8 is matched, act-accept"
    id=20085 trace_id=48 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-8"
    id=20085 trace_id=48 func=fw_pre_route_handler line=182 msg="VIP-192.168.168.210:9999, outdev-unkown"
    id=20085 trace_id=48 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
    id=20085 trace_id=48 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
    id=20085 trace_id=48 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
    id=20085 trace_id=48 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
    id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-19, ret-no-match, act-accept"
    id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
    id=20085 trace_id=48 func=__iprope_user_identity_check line=1590 msg="ret-matched"
    id=20085 trace_id=48 func=__iprope_check_one_policy line=1958 msg="policy-0 is matched, act-drop"
    id=20085 trace_id=48 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
    id=20085 trace_id=48 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"

    Thanks in advance.
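As an added example (not code from the thread), here is a small Python parser for the kind of `diagnose debug flow` output Hussien_Idris asked for and Treuz posted. It groups lines by trace_id, pulls out the ingress interface, the DNAT mapping, the route lookup, each forward-policy check and the final verdict, and flags a DNAT target that is routed out an interface other than the LAN it sits on. The sample lines are a trimmed copy of trace 46 above (the public address is the thread's x.x.x.x placeholder); the `lan_if` argument is an assumption about which interface the badge reader is on.

```python
import re

# Constructed sample: a trimmed copy of trace 46 from the posted output.
SAMPLE = '''\
id=20085 trace_id=46 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag , seq 2465178324, ack 0, win 64240"
id=20085 trace_id=46 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=46 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
id=20085 trace_id=46 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
id=20085 trace_id=46 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=46 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
'''

LINE_RE = re.compile(r'trace_id=(\d+) func=(\w+) line=\d+ msg="(.*)"')

def parse_debug_flow(text):
    """Group (func, msg) pairs by trace_id; prompt echoes and blank lines are skipped."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
    return traces

def summarize_trace(events):
    """Extract the fields that decide one packet's fate."""
    s = {"in_if": None, "dnat": None, "route_if": None, "fwd_checks": [], "verdict": None}
    for func, msg in events:
        if func == "print_pkt_detail":
            s["in_if"] = re.search(r"\) from (\S+)\.", msg).group(1)
        elif func == "__ip_session_run_tuple" and msg.startswith("DNAT "):
            s["dnat"] = tuple(msg.split()[1].split("->"))   # (original dst, mapped dst)
        elif func == "vf_ip4_route_input":
            s["route_if"] = re.search(r" via (\S+)", msg).group(1)
        elif func == "iprope_fwd_check":
            m = re.search(r"in-\[(\S+)\], out-\[(\S*)\]", msg)
            s["fwd_checks"].append((m.group(1), m.group(2)))
        elif func == "fw_forward_handler":
            s["verdict"] = msg
    return s

def findings(s, lan_if):
    """Problems worth reporting; lan_if is the interface the DNAT target lives on (assumed)."""
    out = []
    if s["verdict"] and "Denied" in s["verdict"]:
        out.append(s["verdict"])
    if s["dnat"] and s["route_if"] and s["route_if"] != lan_if:
        out.append(f"DNAT target {s['dnat'][1]} routed via {s['route_if']}, expected {lan_if}")
    return out

if __name__ == "__main__":
    for tid, events in sorted(parse_debug_flow(SAMPLE).items()):
        for problem in findings(summarize_trace(events), "internal"):
            print(f"trace {tid}: {problem}")
```

Run over the full output it reports the same thing for traces 46, 47 and 48: the DNAT'd destination 192.168.168.210 is routed via ssl.root instead of internal, so the wan1-to-ssl.root forward check falls through to implicit policy 0 and the packet is dropped. A LAN host being routed via a tunnel interface usually means an overlapping route (such as an SSL VPN address range) is winning the lookup, which is the first thing to check in the routing table.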