
MattGlos
New Contributor II

IPv6 working for smtp; not for http/https

We just enabled IPv6 on the FortiMail and inbound and outbound mail works great. However, connecting via http or https is not working. It's almost like the bindings are not right.

I wish I could run a "netstat -na | grep :443.*LISTEN" but that doesn't seem to be an option. If I do an "execute telnettest fm.ipv6.example.com:25" (substitute my domain for example.com, obviously), it connects fine with a "Connected" message and an SMTP banner. If I do "execute telnettest fm.ipv6.example.com:443" it instantly rejects it with a "Connection refused" message.

I know it's not a firewall issue, because I'm connecting from the FortiMail to itself... the packet never leaves the box.

If I do the same commands with my IPv4 address it connects fine to https. Here's the output of my config:

config system interface
edit port1
set type physical
set mode static
set ip 
set ip6 
set allowaccess https ping ssh http
set mtu 1500
set speed auto
set status up
set mac-address 00:00:00:00:00:00
next

I'm guessing a reboot might fix it, but I don't really want to do that if I can avoid it. We're on version v5.3,build627,161208 (5.3.8 GA)

5 REPLIES
MoyuChen
Staff

Tested in lab v5.3.8 no issue accessing FML ipv6 http and https. Could you please double check your env?

Thanks,

Moyuan

MattGlos
New Contributor II

Presumably "check your env" is cool-guy lingo for "check your environment" (kind of like when my 11-year-old says "what evs" instead of "whatever.")

Not sure what that means anyway... of course I double-checked before I bothered to post this message.

I do know that fm.ipv6.example.com resolves to only the IPv6 name, and that running "execute telnettest fm.ipv6.example.com:80" gives me a connection failed whereas running "execute telnettest fm.ipv6.example.com:25" succeeds. I would have tested using just the IPv6 address rather than a hostname, but FML doesn't seem to support the bracket notation -- e.g., [2001:db8::1]:80

Thanks for mentioning that it is working okay on your v5.3.8. Did you happen to have rebooted between applying the IPv6 address and doing your test?

MattGlos
New Contributor II

I fixed it. It did need a "hiccup." I probably could have rebooted it, but instead I went and changed the http port to 81, then changed it back to 80. That fixed port 80. Then I went and changed https to port 444. Then I changed it back to 443, which fixed https. My guess is that changing the port number resets the listening daemon, which makes it re-bind to the addresses now present on the box--even the ones that weren't there when the daemon started previously. Voilà.
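Added example, not part of the original thread: a per-address-family connect check in Python, run from a host that can reach the appliance, as a stand-in for the netstat the poster could not run. The listener bound only to 127.0.0.1 is a constructed stand-in for a daemon that has not re-bound to a newly added IPv6 address, and all function names are hypothetical.

```python
import errno
import socket

def probe(addr, port, timeout=2.0):
    """TCP-connect to a literal IPv4/IPv6 address and classify the result."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
            return "open"
    except ConnectionRefusedError:
        return "refused"    # host answered with RST: nothing bound on this address/port
    except socket.timeout:
        return "filtered"   # no answer at all: more typical of a packet filter
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))

def family_matrix(addrs, ports):
    """Return {(addr, port): status} for every address/port pair."""
    return {(a, p): probe(a, p) for a in addrs for p in ports}

def stale_bindings(matrix):
    """Pairs that are refused although the same port is open on another address."""
    out = []
    for p in sorted({port for (_, port) in matrix}):
        states = {a: st for (a, q), st in matrix.items() if q == p}
        if "open" in states.values():
            out += [(a, p) for a, st in states.items() if st == "refused"]
    return out

def demo():
    # Constructed stand-in for the appliance: a listener bound only to the
    # IPv4 loopback, as if the daemon started before the IPv6 address existed.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    try:
        return port, family_matrix(["127.0.0.1", "::1"], [port])
    finally:
        srv.close()

if __name__ == "__main__":
    port, m = demo()
    for (a, p), st in m.items():
        print(f"{a:>12} port {p}: {st}")
    print("refused while open elsewhere:", stale_bindings(m))
```

Run against the appliance's real IPv4 and IPv6 addresses with ports 25, 80 and 443, an instant "refused" on one family only points at the service's bindings rather than at a filter in the path, which matches the symptom in this thread.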

FahaKhan

Good information

NawiBun
New Contributor

Yes, you are right.
I asked a FortiGate presenter here in Indonesia yesterday.
To make it consistent between products.
For example, grep only appears in FortiGate but not in FortiMail or any other product.
This is a problem when I want to search for a certain word in the config.
Hope it is fixed in later firmware.

http://goo.gl/lhQjmU
http://nbctcp.wordpress.com
-------------------------------------------
Original Message:
Sent: 05-30-2017 13:44
From: Matt Glosson
Subject: IPv6 working for smtp; not for http/https
