rwilliames
New Member
March 2, 2015
Solved

Websites not rendering correctly behind 200D

  • March 2, 2015
  • 11 replies
  • 29252 views

Hi All,

I am having some issues with websites not rendering correctly behind a Fortigate 200D (5.0.7).

Basically the pages are screwed up with text over the top of other text and the layout of the page changing. I have attached an image of what I see for reference. The only features that are turned on on the Fortigate are WiFi and Switch Controller, and Web Filter. I have tried disabling the web filter and this made no difference.

I'm hoping someone else has seen this behaviour and knows of a fix.

Thanks

Rob

    Best answer by Dave_Hall

    11 replies

    Dave_Hall (Best answer)
    New Member
    March 2, 2015

    Hi Robert.

    I have seen something like this when certain page elements (e.g. style sheets, scripting) haven't fully loaded into the browser. In those cases the fgt was allowing access to the main page but not to underlying page elements that were pulled from another site (which was blocked).

    I suggest in your Web Filter Profile, play around with the "Allow Websites When a Ratings Error Occurs" and uncheck "rate URLs by domain and IP Address".

    Even if you disabled the web filter on the Fortigate, the browser on the client computer may still be caching a copy of the page -- make sure you are clearing out the browser cache and/or forcing it to load a fresh copy of the page.

    Also to fully troubleshoot this issue, make sure you are testing 2 or 3 browsers (IE, Google, Chrome, etc.) on at least two different computers. (I have also seen something similar to this happening on computers with a faulty NIC/switch/cable, etc.)

    Edit: just remembered I have also seen this happening on PPPoE connections where the MTU value wasn't set low enough. But in those cases, it's usually the entire site that wouldn't load.

    emnoc
    New Member
    March 2, 2015

    I agree 100%, and a 3rd-party site testing tool will confirm page load times or failures, i.e. http://www.webpagetest.org

    ashukla_FTNT
    Staff
    March 2, 2015

    Looks like an MTU issue.

    Can you confirm if you are able to ping from the test PC's cmd:

    ping -f -l 1472 4.2.2.2

    If you get the response "packet needs to be fragmented but DF bit is set" then your MTU is less than 1500.

    To fix the problem you can do the following (best option at the top):

    1) Check and find out where the MTU is less and if possible fix it to the max (can't do anything in cases like DSL)

    2) Set a lower TCP MSS in the policy

    3) If you want to use web filter and there is a lesser MTU somewhere upstream then you have to reduce the MTU on the firewall WAN link.
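    The DF-bit ping test above can be turned into a small tool that finds the largest unfragmented packet size on the path and the TCP MSS a policy would have to clamp to. The script below is an added example, not code from this thread or from Fortinet; it assumes a 1500-byte interface MTU, that ICMP echo is not filtered on the path, and uses the DF flags of the local OS ping utility (-f on Windows, -M do on Linux, -D on macOS). The payload and MSS arithmetic and the output classifier run offline; only probe_path_mtu() needs the network.

```python
"""Path-MTU probe helper (added example, not from the forum thread).

Reproduces the check suggested in the thread -- ping with the DF bit set
and a payload sized so the whole IP packet is 1500 bytes -- and turns it
into a binary search that reports the largest unfragmented packet size
along with the TCP MSS a firewall policy would need to clamp to.
"""
import platform
import re
import subprocess

IP_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20

# Strings the OS ping utilities print when a DF-marked packet is too big.
# The Windows wording is the one quoted in the thread; the Linux/BSD ones
# are the equivalents for those platforms.
FRAG_NEEDED_PATTERNS = (
    r"needs to be fragmented",         # Windows
    r"[Mm]essage too long",            # Linux (local interface MTU)
    r"[Ff]rag needed and DF set",      # Linux/BSD (ICMP from upstream hop)
)


def payload_for_mtu(mtu: int) -> int:
    """ICMP payload that makes a ping packet exactly `mtu` bytes on the wire."""
    return mtu - IP_HEADER - ICMP_HEADER   # 1500 -> 1472, as in the thread


def tcp_mss_for_mtu(mtu: int) -> int:
    """Largest IPv4 TCP MSS that fits in `mtu` without fragmentation."""
    return mtu - IP_HEADER - TCP_HEADER    # 1500 -> 1460


def classify_ping_output(output: str) -> str:
    """Map raw ping output to one of: 'fits', 'frag_needed', 'no_reply'."""
    if any(re.search(p, output) for p in FRAG_NEEDED_PATTERNS):
        return "frag_needed"
    # Replies look like "Reply from ..." (Windows) or "bytes from ..." (Unix).
    if re.search(r"(Reply from|bytes from)", output):
        return "fits"
    return "no_reply"


def ping_df_command(host: str, payload: int) -> list:
    """Build the DF-set, single-echo ping command for the local OS."""
    system = platform.system()
    if system == "Windows":
        return ["ping", "-n", "1", "-f", "-l", str(payload), host]
    if system == "Darwin":
        return ["ping", "-c", "1", "-D", "-s", str(payload), host]
    return ["ping", "-c", "1", "-M", "do", "-s", str(payload), host]


def probe_path_mtu(host: str, lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest MTU whose DF-marked ping is answered.

    Needs network access; assumes `hi` is the interface MTU and that ICMP
    echo is not filtered on the path (assumption, not verified by the code).
    """
    best = lo
    while lo <= hi:
        mid = (lo + hi) // 2
        proc = subprocess.run(ping_df_command(host, payload_for_mtu(mid)),
                              capture_output=True, text=True)
        verdict = classify_ping_output(proc.stdout + proc.stderr)
        if verdict == "fits":
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


if __name__ == "__main__":
    # 4.2.2.2 is the target used in the thread; any reachable host will do.
    mtu = probe_path_mtu("4.2.2.2")
    print(f"largest unfragmented MTU: {mtu}, clamp TCP MSS to {tcp_mss_for_mtu(mtu)}")
```

    If the probe reports less than 1500, the MSS it prints is the value to use for the "lower TCP MSS in the policy" option from step 2; clamping MSS there lets TCP flows fit the smaller upstream MTU without touching the WAN interface MTU itself.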

    rwilliames
    New Member
    March 2, 2015

    Hi All,

    I have tried what Dave suggested in his post (Allow Websites When a Ratings Error Occurs and uncheck rate URLs by domain and IP Address). Unchecking "Allow websites when a rating error occurs" seems to have fixed the issue ("rate URLs by domain and IP Address" was already unchecked).

    Thanks for all your help

    Rob

    rwilliames
    New Member
    March 3, 2015

    Hi All,

    I think I may have spoken too soon; the issue has returned.

    The rendering issues are different in every web browser I have tried (IE, Chrome, Firefox).

    I can successfully ping 4.2.2.2 with 1472 bytes of data.

    Any more ideas would be welcome.

    Thanks

    Rob

    Dave_Hall
    New Member
    March 3, 2015

    I didn't think unchecking "Allow Websites When a Ratings Error Occurs" would have resolved this issue -- usually it's the other way around (e.g. checking it) that resolves most issues (with websites pulling information from different sources).

    Perhaps it's best that we establish a baseline or clarification so everyone is on the same page. Is this the first time setting up this 200D or has it already been set up and you are trying web filtering now? Does the problem happen on WiFi connections too?

    What type of ISP equipment is the 200D connected to? (xDSL modem/PPPoE connection?) It may be possible that there could be a duplex/speed mismatch. Perform a diag hardware deviceinfo nic <WAN interface> on the CLI and check for errors. You can force the duplex/speed on any given interface like so:

    config system interface
        edit "<interface>"
            set speed {speed duplex}
        next
    end

    (Press ? after set speed for a list of the speed/duplex settings that interface supports.)

    If there are switch devices between your test machine and the Fortigate, try direct connecting your test machine to the Fortigate. Try direct connecting your test machine or a laptop to the ISP equipment.

    If everything appears fine and you have ruled out MTU as being the issue, review your configuration: make sure you have NAT enabled on your Internal->WAN firewall policies. Confirm/verify the WAN and routing information is correct. Look for improper subnet masks on address objects, wrong firewall object type (FQDN instead of IP address), etc. If this issue seems to only affect pages on HTTPS, check/confirm the time/date/timezone is correct on the Fortigate and your test machine.

    Perhaps you should just upgrade the firmware on the 200D?

    Maybe run sniffer...

    diag debug reset
    diag debug flow filter addr <IP address>
    diag debug flow filter proto 6
    diag debug flow filter port 80
    diag debug flow show console enable
    diag debug flow trace start 1000
    diag debug en

    rwilliames
    New Member
    March 4, 2015

    Hi All,

     

    The 200D has been set up for quite some time now; we have noticed sites not rendering correctly in the past but haven't bothered with it as they were non-work-related sites, e.g. ebay.com.au

    Now work-related stuff is affected we need to sort it out.

    The WAN interface of the 200D is connected to a Cisco 2950 which is connected to an MPLS.

    The LAN interface connects to a HP ProCurve 5412zl switch which has LACP trunks to other 5412zl switches throughout our office. There are no errors appearing on diag hardware deviceinfo nic wan1:

    melfw01 # diag hardware deviceinfo nic wan1
    Driver Name    :Fortinet NP4Lite
    Driver Version :1.0.1
    Admin          :up
    Status         :up
    Speed          :1000
    Duplex         :Full
    Host Rx Pkts   :4070794614
    Host Rx Bytes  :4325252747491
    Host Tx Pkts   :3305057242
    Host Tx Bytes  :509932902404
    Rx Pkts        :414342
    Rx Bytes       :237472037
    Tx Pkts        :375623
    Tx Bytes       :185371195
    rx_buffer_len  :2048
    Hidden         :No
    cmd_in_list    : 0
    promiscuous    : 1

    I haven't tried connecting directly to the firewall with a test machine as of yet.

    NAT is not enabled between Internal -> WAN as it breaks networking with certain devices in our office; however, in the past I have tried enabling it and it made no difference. WAN info and routing is correct and address objects are good too.

    Thanks

    Rob

    emnoc
    New Member
    March 4, 2015

    I don't think this is a lower-layer issue. Since you say it's websites, have you any trending?

    i.e.

    > is it HTTP or HTTPS
    > is it repeatable
    > is it only during certain times
    > is it Windows, Linux or Mac OS X, or all types and devices

    Next, do you have any IPS sensors? Has the MPLS provider made changes? Do you have any ping loss?

    rwilliames
    New Member
    March 4, 2015

    Seems to be HTTP as I haven't found an HTTPS site that doesn't render poorly.

    It seemed to come good yesterday morning then it went back to the way it was in the afternoon.

    We aren't using any IPS sensors and the network provider hasn't made any changes; no ping loss.

    I have just tested on WiFi, which is using WPA2 Enterprise authentication, and it seems to render correctly.

    The only difference between the two network policies is IP address assignment, and the policy for WiFi => WAN1 has NAT enabled.

    Thanks

    Dave_Hall
    New Member
    March 4, 2015

    Maybe try Wget -- it has some nice features, including downloading entire pages (including page elements), and has some reporting features that should help you.

    emnoc
    New Member
    March 4, 2015

    Okay, that's good. Now you can look at some of the L4 statistics and determine if anything is abnormal:

    packet loss

    server/client side TCP/RST

    etc.....

    We had a problem where someone stuck an L2 transparent inspection device (something like an IPS/firewall) inline that was causing traffic interruptions. It was only affecting unsecured traffic like HTTP tcp/80; we even moved a few servers around onto different ports, and that's how we knew it was a passive traffic inspection device.

    I would use webpagetest to look at load times for various objects and objects that fail, imho.

    Ken

    Michael_Schantz
    New Member
    December 17, 2015

    I am having the same exact problem. Websites like ebay.com or msn.com do not load, or if they load, they do not load images. Rebooting my 300D fixes the problem only for a short time.

    Michael_Schantz
    New Member
    December 18, 2015

    Fortinet support figured out my problem. It was one of my static routes that was reconfigured. Had a rule 172.0.0.0 to my gateway, when it should have been 172.16.0.0. Thanks George at Fortinet for spotting my problem.

    rwilliames
    New Member
    August 25, 2016

    Our issue was resolved by Fortinet support; it turned out one of our policies had web filtering enabled: although it was disabled in the GUI, it was still showing up in the CLI.

    After disabling this everything seemed to just work.

    Rob