This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.
We just enabled IPv6 on the FortiMail and inbound and outbound mail works great. However, connecting via http or https is not working. It's almost like the bindings are not right.
I wish I could run a "netstat -na | grep :443.*LISTEN" but that doesn't seem to be an option. If I do an "execute telnettest fm.ipv6.example.com:25" (substitute my domain for example.com, obviously), it connects fine with a "Connected" message and an SMTP banner. If I do "execute telnettest fm.ipv6.example.com:443" it instantly rejects it with a "Connection refused" message.
I know it's not a firewall issue, because I'm connecting from the FortiMail to itself... the packet never leaves the box.
If I do the same commands with my IPv4 address it connects fine to https. Here's the output of my config:
config system interface
edit port1
set type physical
set mode static
set ip
set ip6
set allowaccess https ping ssh http
set mtu 1500
set speed auto
set status up
set mac-address 00:00:00:00:00:00
next
I'm guessing a reboot might fix it, but I don't really want to do that if I can avoid it. We're on version v5.3,build627,161208 (5.3.8 GA)
Tested in lab v5.3.8 no issue accessing FML ipv6 http and https. Could you please double check your env?
Thanks,
Moyuan
Presumably "check your env" is cool-guy lingo for "check your environment" (kind of like when my 11-year-old says "what evs" instead of "whatever").
Not sure what that means anyway... of course I double-checked before I bothered to post this message.
I do know that fm.ipv6.example.com resolves to only the IPv6 name, and that running "execute telnettest fm.ipv6.example.com:80" gives me a connection failed whereas running "execute telnettest fm.ipv6.example.com:25" succeeds. I would have tested using just the IPv6 address rather than a hostname, but FML doesn't seem to support the bracket notation -- e.g., [2001:db8::1]:80
Thanks for mentioning that it is working okay on your v5.3.8. Did you happen to have rebooted between applying the IPv6 address and doing your test?
I fixed it. It did need a "hiccup." I probably could have rebooted it, but instead I went and changed the http port to 81, then changed it back to 80. That fixed port 80. Then I went and changed https to port 444. Then I changed it back to 443, which fixed https. My guess is that changing the port number resets the listening daemon, which makes it re-bind to the addresses now present on the box--even the ones that weren't there when the daemon started previously. Voilà.
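The symptom in this thread (a port that answers on one address but returns "Connection refused" on an address added later) can be confirmed from any host by probing each address separately. This is an added example, not part of the original thread or of Fortinet's tooling; the function names are hypothetical, and the local demo uses a constructed listener bound to 127.0.0.1 only.

```python
import socket

def probe(addr, port, timeout=3.0):
    """Connect to one literal IPv4/IPv6 address and classify the outcome."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered with RST: nothing is bound to addr:port
    except socket.timeout:
        return "timeout"      # silently dropped: filtering or routing, not a bind problem
    except OSError:
        return "unreachable"  # no route, or this address family is unavailable locally

def stale_bindings(results):
    """results: {(addr, port): outcome}. Return {port: [addresses that refuse]}
    for every port that is open on at least one address but refused on another."""
    by_port = {}
    for (addr, port), outcome in results.items():
        by_port.setdefault(port, {})[addr] = outcome
    findings = {}
    for port, per_addr in by_port.items():
        refused = sorted(a for a, o in per_addr.items() if o == "refused")
        if refused and "open" in per_addr.values():
            findings[port] = refused
    return findings

def demo():
    """Constructed demo: listener bound to 127.0.0.1 only, probed on both loopbacks."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # specific address, ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return {a: probe(a, port, 1.0) for a in ("127.0.0.1", "::1")}
    finally:
        srv.close()

if __name__ == "__main__":
    print(demo())
```

A port listed by `stale_bindings` points at a service that has not bound to the newer address; a "timeout" result points at filtering or routing instead.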
Good information