This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.
Setting up two 1000C firewalls in an active-passive mode cluster, using static routes, and the software version is 5.2.10. I set up VIPs, manually updated antivirus and IPS, and the VIPs can be accessed. But I could not access my VIPs two times in 100 days. I have to reboot the active firewall to access my VIPs. What may be the problem?
Kenneth,
Can you provide the actual policy configuration that contains the VIP reference in question, and also the VIP configuration? I find it odd that you are not able to access the VIP 20 percent of the time. Are these times specific or random? Have you performed both a DIAG SNIFFER and a DIAG DEBUG FLOW on the firewall to locate a cause?
Regards,
Karim
Thanks. I could not access my VIPs two times within 100 days. The first time I did a diag sniffer (diagnose sniffer packet wan1 'port xxxx and host x.x.x.x'), and got the SYN packet; the VIP did not send any packet back to the source address, very strange. I am a newbie, just learning how to use diag debug flow.
Regards,
Kenneth
No worries, here to help. So the sniffer sees the SYN packet arrive on the WAN1 interface and leave the LAN interface?
Let's do a DIAG DEBUG FLOW and see if you are hitting the correct policy and whether the firewall is doing something with it. If you can provide the output, that would be great. Also, have you checked if the destination address is sending anything back?
diag debug enable
diag debug flow filter addr
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 20
Karim
Maybe one or two months later the problem will suddenly appear; I have noted the steps to record logs to analyze. I have several VIPs. But the first time I encountered the problem, I found that just the VIPs on one IP could not be accessed; VIPs on another IP were just fine. Thanks
We've had VIPs on old firewalls that we were replacing cause interference even when the VIP or policy on the old firewall was disabled. We had to delete the old VIP entry on the old firewall to avoid the conflicts. Not sure if this helps, but I would look at a packet capture and verify the ARP request is getting the correct MAC address from the VIP on the new firewall. In our case, when the ARP request was made from a host on the WAN side, both the old firewall and the new firewall would answer. Unfortunately the host would try to connect to the one that answered first, and sometimes that was the old firewall. Just a thought...
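The ARP check suggested above can be automated against a capture taken on a WAN-side host. The script below is an added example, not code from the forum thread or from Fortinet: it parses tcpdump-style ARP output (e.g. from tcpdump -i eth0 -n arp on the WAN-side host), lists every MAC that claimed each IP, flags IPs with more than one responder, and reports which responder won each request (the one the host will cache). The capture text, IP addresses and MAC addresses are constructed for illustration; the "expected" MAC is assumed to be the new cluster's.

```python
"""Detect duplicate ARP responders for a VIP address in a tcpdump-style capture.

Added example, not part of the forum thread. Assumes text lines in the form
tcpdump prints for ARP traffic (timestamp, "ARP, Request who-has ... tell ...",
"ARP, Reply <ip> is-at <mac>, length N").
"""
import re
from collections import defaultdict

# Constructed sample capture (not real data). 00:09:0f:aa:aa:aa stands for an
# old firewall that still holds the VIP, 00:09:0f:bb:bb:bb for the new cluster.
# 203.0.113.10 is answered by both; 203.0.113.11 only by the new cluster.
SAMPLE_CAPTURE = """\
10:00:00.000101 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 28
10:00:00.000350 ARP, Reply 203.0.113.10 is-at 00:09:0f:aa:aa:aa, length 28
10:00:00.000412 ARP, Reply 203.0.113.10 is-at 00:09:0f:bb:bb:bb, length 28
10:00:05.000101 ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 28
10:00:05.000380 ARP, Reply 203.0.113.11 is-at 00:09:0f:bb:bb:bb, length 28
10:00:09.000101 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 28
10:00:09.000290 ARP, Reply 203.0.113.10 is-at 00:09:0f:bb:bb:bb, length 28
10:00:09.000500 ARP, Reply 203.0.113.10 is-at 00:09:0f:aa:aa:aa, length 28
"""

REQUEST_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Request who-has (?P<ip>\d+(?:\.\d+){3}) tell ")
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+(?:\.\d+){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_arp(text):
    """Yield (kind, ts, ip, mac) in capture order; kind is 'request' or 'reply'.
    mac is None for requests. Lines that are not ARP are ignored."""
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            yield "request", m.group("ts"), m.group("ip"), None
            continue
        m = REPLY_RE.match(line)
        if m:
            yield "reply", m.group("ts"), m.group("ip"), m.group("mac").lower()


def responders_by_ip(text):
    """Map each IP to the sorted list of MAC addresses that answered for it."""
    seen = defaultdict(set)
    for kind, _ts, ip, mac in parse_arp(text):
        if kind == "reply":
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items()}


def find_conflicts(text):
    """IPs that more than one device claimed: the situation described above."""
    return {ip: macs for ip, macs in responders_by_ip(text).items() if len(macs) > 1}


def rogue_responders(text, expected_mac):
    """Per IP, the MACs other than the firewall's own (expected) MAC that answered."""
    expected = expected_mac.lower()
    rogue = {}
    for ip, macs in responders_by_ip(text).items():
        others = [m for m in macs if m != expected]
        if others:
            rogue[ip] = others
    return rogue


def first_reply_per_request(text):
    """For each ARP request, the MAC whose reply arrived first. The requesting
    host caches that one, so this is the device the connection actually goes to.
    Returns a list of (request_ts, ip, mac)."""
    pending = {}   # ip -> timestamp of a request still waiting for its first reply
    winners = []
    for kind, ts, ip, mac in parse_arp(text):
        if kind == "request":
            pending[ip] = ts
        elif ip in pending:
            winners.append((pending.pop(ip), ip, mac))
    return winners


if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_CAPTURE).items():
        print(f"CONFLICT: {ip} answered by {', '.join(macs)}")
    for req_ts, ip, mac in first_reply_per_request(SAMPLE_CAPTURE):
        print(f"{req_ts} {ip} -> first reply from {mac}")
```

On the constructed sample the second request for 203.0.113.10 is won by the new cluster but the first is won by the old firewall, which is exactly the intermittent behaviour described in the post: the same VIP works or fails depending on which device's reply reaches the host first. If find_conflicts reports anything for a VIP address, the fix is on the other responder (remove or disable its VIP), not on the cluster.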
Are you using IPS profile or DoS Policy?
Regards,
Paulo Raponi
The VIP policy does not have IPS enabled, and I have not set up any DoS profile.