Created on 10-28-2022 07:51 AM Edited on 10-28-2022 07:52 AM By Jean-Philippe_P
Description
This article describes how to debug the 'Unable to ping or ssh FortiGate-FortiExtender WAN IP via FortiExtender-211E lt1 interface' issue.
Scope
FortiExtender-211E v4.2-build274 managed by FortiGate-60E-DSLJ v6.2.5 build1142.
Solution
User Impact: User cannot ping or SSH FortiGate-FortiExtender WAN IP (10.255.224.127) via FortiExtender-211E lt1 interface from host 10.252.16.221.
Debug (possible cause and fix):
1) Server Host (10.252.16.221) is trying to ping/SSH FortiGate-FortiExtender WAN IP (10.255.224.127) via FortiExtender-211E lt1 interface.
2) Server (10.252.16.221) is at the HQ site and FortiGate and FortiExtender are at the branch site.
3) On the affected FortiGate (FortiExtender), FortiGate sends out an ICMP request and an ARP request, but there is no ICMP reply or ARP response:
FortiGate:
# diagnose sniffer packet fex 'host 10.252.16.221'
interfaces=[fex]
1.336739 arp who-has 10.252.16.221 tell 10.255.224.127
FortiExtender:
# execute tcpdump -nn -i lte1 'host 10.252.16.221'
09:43:19.187082 IP 10.252.16.221 > 10.255.224.127: ICMP echo request, id 4138, seq 136, length 64
4) Upgrade FortiExtender to the latest firmware in the v4.2.x or v7.x stream.
- Enable 'private-network' on FortiGate LTE plan via FortiExtender CLI:
# config plan
- Change the SSH port in the FortiExtender CLI from the default 22 to 10022 (non-default):
# config management
- Reboot FortiExtender:
# execute reboot
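The check made by eye in step 3, as an added example that is not part of the original article or Fortinet's tooling: a Python script that reads saved sniffer/tcpdump text and lists the ARP and ICMP echo requests that never received a reply. The function name `unanswered`, the reply-line formats (assumed to follow tcpdump-style output) and all sample lines other than the two quoted from step 3 are assumptions.

```python
import re

# Line shapes from step 3: FortiGate sniffer "arp who-has X tell Y" and
# tcpdump "ICMP echo request"; the reply shapes are assumed (tcpdump style).
ARP_REQ = re.compile(r"arp,? (?:request )?who-has (\S+) tell (\S+?),?(?:\s|$)", re.I)
ARP_REP = re.compile(r"arp,? reply (\S+) is-at", re.I)
ICMP = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")


def unanswered(lines):
    """Return (arp, icmp): requests in the capture that never got a reply."""
    arp_pending = {}      # target IP -> IP that asked for it
    icmp_pending = set()  # (src, dst, id, seq) of each echo request
    for line in lines:
        if m := ARP_REQ.search(line):
            arp_pending[m.group(1)] = m.group(2)
        elif m := ARP_REP.search(line):
            arp_pending.pop(m.group(1), None)
        elif m := ICMP.search(line):
            src, dst, kind, ident, seq = m.groups()
            if kind == "request":
                icmp_pending.add((src, dst, ident, seq))
            else:  # the reply travels dst -> src with the same id and seq
                icmp_pending.discard((dst, src, ident, seq))
    arp = sorted(f"{asker} got no ARP reply for {target}"
                 for target, asker in arp_pending.items())
    icmp = sorted(f"{src} -> {dst} id={i} seq={s} got no echo reply"
                  for src, dst, i, s in icmp_pending)
    return arp, icmp


# The first two lines are quoted from step 3; the other four are constructed
# to show an answered ARP request and an answered echo request for contrast.
SAMPLE = [
    "1.336739 arp who-has 10.252.16.221 tell 10.255.224.127",
    "09:43:19.187082 IP 10.252.16.221 > 10.255.224.127: ICMP echo request, id 4138, seq 136, length 64",
    "2.000000 arp who-has 192.0.2.1 tell 10.255.224.127",
    "2.000100 arp reply 192.0.2.1 is-at 00:00:5e:00:53:01",
    "09:43:20.000000 IP 10.252.16.221 > 10.255.224.127: ICMP echo request, id 4138, seq 137, length 64",
    "09:43:20.010000 IP 10.255.224.127 > 10.252.16.221: ICMP echo reply, id 4138, seq 137, length 64",
]

if __name__ == "__main__":
    for finding in sum(unanswered(SAMPLE), []):
        print(finding)
```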