Cybersecurity Forum


kennethadams

Cannot access vip suddenly

I am setting up two 1000C firewalls in an active-passive cluster, using static routes, and the software version is 5.2.10. I set up VIPs, manually updated the antivirus and IPS signatures, and the VIPs can be accessed. But twice in 100 days I could not access my VIPs. I had to reboot the active firewall to access my VIPs again. What may be the problem?

krahemat_FTNT

Kenneth,

Can you provide the actual policy configuration that contains the VIP reference in question, and also the VIP configuration? I find it odd that you are not able to access the VIP 20 percent of the time. Are these times specific or random? Have you performed both a DIAG SNIFFER and a DIAG DEBUG FLOW on the firewall to locate a cause?

Regards,

Karim

kennethadams

Thanks. I could not access my VIPs twice within 100 days. The first time I did a diag sniffer (diagnose sniffer packet wan1 'port xxxx and host x.x.x.x') and saw the SYN packet, but the VIP did not send any packet back to the source address, which is very strange. I am a newbie and have just learned how to use diag debug flow.

Regards,

Kenneth
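The symptom in the post above (a SYN seen on wan1 with nothing coming back from the VIP) is easy to miss by eye in a busy capture. The script below is an added example, not code from the thread or from Fortinet: it parses saved "diagnose sniffer packet" output and lists client-to-VIP flows whose SYNs never received a SYN-ACK. The line format it expects (timestamp, interface, in/out, src.port -> dst.port: flags) is assumed from verbosity-1 sniffer output and may need adjusting for your firmware; the capture lines embedded in it are constructed for the example.

```python
import re
import sys
from collections import Counter

# Regex for one line of FortiOS "diagnose sniffer packet" output at verbosity 1:
#   <ts> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <tcp flags/seq/ack...>
# This line shape is an assumption for the example; adjust to match your firmware.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>.*)$"
)

# Constructed sample capture: one client completes a handshake with a VIP,
# a second client's SYNs to another VIP get no reply (and are retransmitted).
SAMPLE_CAPTURE = """\
3.021118 wan1 in 198.51.100.7.51514 -> 203.0.113.10.8443: syn 2771011243
3.021251 wan1 out 203.0.113.10.8443 -> 198.51.100.7.51514: syn 1093849302 ack 2771011244
3.021390 wan1 in 198.51.100.7.51514 -> 203.0.113.10.8443: ack 1093849303
9.447002 wan1 in 198.51.100.23.40022 -> 203.0.113.11.8443: syn 4081122910
12.447190 wan1 in 198.51.100.23.40022 -> 203.0.113.11.8443: syn 4081122910
"""


def parse_capture(text):
    """Return one dict per parseable sniffer line; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["sport"] = int(p["sport"])
        p["dport"] = int(p["dport"])
        p["flags"] = p["flags"].split()  # e.g. ["syn", "2771011243"] or ["syn", ..., "ack", ...]
        packets.append(p)
    return packets


def unanswered_syns(text):
    """Return sorted [(vip, port, client, syn_count)] for flows whose SYNs
    were seen but never got a SYN-ACK back from the VIP on that interface."""
    syns = Counter()   # (client, cport, vip, vport) -> number of SYNs seen
    answered = set()   # (client, cport, vip, vport) that received a SYN-ACK
    for p in parse_capture(text):
        flags = p["flags"]
        if "syn" in flags and "ack" not in flags:
            syns[(p["src"], p["sport"], p["dst"], p["dport"])] += 1
        elif "syn" in flags and "ack" in flags:
            # The SYN-ACK travels vip:vport -> client:cport; key it on the client's view.
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
    return sorted(
        (vip, vport, client, n)
        for (client, cport, vip, vport), n in syns.items()
        if (client, cport, vip, vport) not in answered
    )


if __name__ == "__main__":
    # Usage: python syn_check.py capture.txt   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for vip, port, client, n in unanswered_syns(text):
        print(f"{client} -> {vip}:{port}: {n} SYN(s) seen, no SYN-ACK from the VIP")
```

Run the sniffer with a filter on the VIP and port, save the output, and feed the file to the script; a flow listed here with several SYNs is the client retransmitting into silence, which is the cue to move on to diag debug flow and to check whether the mapped server behind the VIP is itself replying.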

krahemat_FTNT

No worries, here to help. So the sniffer sees the SYN packet arrive on the WAN1 interface and leave the LAN interface?

Let's do a DIAG DEBUG FLOW and see if you are hitting the correct policy and whether the firewall is doing something with it. If you can provide the output, that would be great. Also, have you checked if the destination address is sending anything back?

diag debug enable
diag debug flow filter addr x.x.x.x
diag debug flow show console enable
diag debug flow show function-name enable
diag debug flow trace start 20

diag debug flow trace stop
diag debug flow filter clear
diag debug disable

Karim

kennethadams

Maybe one or two months later the problem will suddenly appear again; I have noted the steps to record logs for analysis. I have several VIPs. But the first time I encountered the problem, I found that only the VIPs on one IP could not be accessed; the VIPs on another IP were just fine. Thanks

TomMajo

We've had VIPs on old firewalls that we were replacing cause interference even when the VIP or policy on the old firewall was disabled. We had to delete the old VIP entry on the old firewall to avoid the conflicts. Not sure if this helps, but I would look at a packet capture and verify that the ARP request is getting the correct MAC address from the VIP on the new firewall. In our case, when the ARP request was made from a host on the WAN side, both the old firewall and the new firewall would answer. Unfortunately the host would try to connect to the one that answered first, and sometimes that was the old firewall. Just a thought...
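The check suggested in the post above (does more than one device answer ARP for the VIP address?) can be automated over a capture taken on the WAN segment, for instance with `tcpdump -n -i <iface> arp` on a host next to the firewalls. The script below is an added example, not code from the thread or from Fortinet: it parses tcpdump-style ARP reply lines and reports any IP claimed by more than one MAC, or, if you pass the MAC you expect for each VIP, any reply from a MAC other than that one. The line format and the capture lines embedded in it are constructed for the example.

```python
import re
import sys
from collections import defaultdict

# Regex for an ARP reply as printed by "tcpdump -n", e.g.
#   12:00:01.000410 ARP, Reply 203.0.113.10 is-at 00:09:0f:09:00:01, length 28
# Assumed line shape for this example; other capture tools print it differently.
ARP_REPLY_RE = re.compile(
    r"ARP,\s+Reply\s+(?P<ip>\d+(?:\.\d+){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Constructed sample: VIP 203.0.113.10 is answered by two different MACs
# (the new firewall's and a stale VIP on the old one); 203.0.113.11 is clean.
SAMPLE_ARP_LOG = """\
12:00:01.000123 ARP, Request who-has 203.0.113.10 tell 198.51.100.7, length 28
12:00:01.000410 ARP, Reply 203.0.113.10 is-at 00:09:0f:09:00:01, length 28
12:00:01.000577 ARP, Reply 203.0.113.10 is-at 00:09:0f:02:ff:aa, length 28
12:00:04.120009 ARP, Request who-has 203.0.113.11 tell 198.51.100.23, length 28
12:00:04.120233 ARP, Reply 203.0.113.11 is-at 00:09:0f:09:00:01, length 28
"""


def arp_responders(text):
    """Map each IP seen in an ARP reply to the sorted list of MACs that claimed it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ARP_REPLY_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("mac").lower())
    return {ip: sorted(macs) for ip, macs in seen.items()}


def arp_conflicts(text, expected=None):
    """Return {ip: [macs]} for IPs that look wrong: with no expectations, any IP
    answered by more than one MAC; with an expected {ip: mac} map, every MAC
    other than the expected one that answered for that IP."""
    expected = {ip: mac.lower() for ip, mac in (expected or {}).items()}
    conflicts = {}
    for ip, macs in arp_responders(text).items():
        if ip in expected:
            others = [m for m in macs if m != expected[ip]]
            if others:
                conflicts[ip] = others
        elif len(macs) > 1:
            conflicts[ip] = macs
    return conflicts


if __name__ == "__main__":
    # Usage: python arp_check.py arp.txt   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ARP_LOG
    for ip, macs in sorted(arp_conflicts(text).items()):
        print(f"{ip} is answered by more than one MAC: {', '.join(macs)}")
```

A VIP that appears in the output is exactly the race described above: whichever device answers first wins the client's ARP cache, so the failure is intermittent and clears on its own or after a reboot changes the timing. Confirming the expected MAC against the new firewall's interface MAC (the one the VIP is proxy-ARPed on) removes the guesswork.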

PauloRaponi

Are you using an IPS profile or a DoS policy?

Regards,

Paulo Raponi

kennethadams

The VIP policy does not have IPS enabled, and I have not set up any DoS profile.