vpatil
Staff
Article Id 228270

 

Description

This article describes how to debug the 'Unable to ping or ssh FortiGate-FortiExtender WAN IP via FortiExtender-211E lt1 interface' issue.

Scope

FortiExtender-211E v4.2-build274 managed by FortiGate-60E-DSLJ v6.2.5 build1142.

Solution

User Impact: The user cannot ping or SSH to the FortiGate-FortiExtender WAN IP (10.255.224.127) via the FortiExtender-211E lt1 interface from host 10.252.16.221.

Debug (possible cause and fix):

1) The server host (10.252.16.221) is trying to ping/SSH the FortiGate-FortiExtender WAN IP (10.255.224.127) via the FortiExtender-211E lt1 interface.

2) The server (10.252.16.221) is at the HQ site; the FortiGate and FortiExtender are at the branch site.

3) On the affected FortiGate (FortiExtender), the captures show ICMP echo requests and ARP requests, but no ICMP reply and no ARP response:

 

FortiGate:

 

# diagnose sniffer packet fex 'host 10.252.16.221'

interfaces=[fex]
filters=[host 10.252.16.221]

 

1.336739 arp who-has 10.252.16.221 tell 10.255.224.127
1.338909 10.252.16.221 -> 10.255.224.127: icmp: echo request
2.338862 10.252.16.221 -> 10.255.224.127: icmp: echo request
2.338920 arp who-has 10.252.16.221 tell 10.255.224.127
3.336732 arp who-has 10.252.16.221 tell 10.255.224.127

 

FortiExtender:

 

# execute tcpdump -nn -i lte1 'host 10.252.16.221'

09:43:19.187082 IP 10.252.16.221 > 10.255.224.127: ICMP echo request, id 4138, seq 136, length 64
09:43:20.178036 IP 10.252.16.221 > 10.255.224.127: ICMP echo request, id 4138, seq 137, length 64
09:43:21.179028 IP 10.252.16.221 > 10.255.224.127: ICMP echo request, id 4138, seq 138, length 64

 

4) Upgrade FortiExtender to the latest firmware in the v4.2.x or v7.x stream.

5) Try the changes below, then test the behavior:

- Enable 'private-network' on the FortiGate LTE plan via the FortiExtender CLI:

 

# config plan
    edit FGT_1
        set private-network enable
    next
end

 

- Change the SSH port on the FortiExtender CLI from the default 22 to 10022 (non-default):

 

# config management
    config local-access
        set http 80
        set https 443
        set ssh 10022
        set telnet 23
        set idle-timeout 5
    end
end

 

- Reboot FortiExtender:

 

# execute reboot
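
The check made by eye in step 3 can be scripted when the same capture is repeated after each change in step 5. The following is an added example, not part of the original article or of any Fortinet tooling: it parses FortiGate sniffer text and reports echo requests and ARP requests that never got an answer. The function names are hypothetical, and the 'arp reply ... is-at' and 'icmp: echo reply' line formats are assumed, since the article's capture contains no replies.

```python
import re

# Sample lines copied from the FortiGate sniffer output in step 3 of this article.
SAMPLE = """\
1.336739 arp who-has 10.252.16.221 tell 10.255.224.127
1.338909 10.252.16.221 -> 10.255.224.127: icmp: echo request
2.338862 10.252.16.221 -> 10.255.224.127: icmp: echo request
2.338920 arp who-has 10.252.16.221 tell 10.255.224.127
3.336732 arp who-has 10.252.16.221 tell 10.255.224.127
"""

ARP_REQ = re.compile(r"arp who-has (\S+) tell (\S+)")
# Assumed reply formats (no reply lines appear in the article's capture).
ARP_REP = re.compile(r"arp reply (\S+) is-at (\S+)")
ICMP = re.compile(r"(\S+) -> (\S+): icmp: echo (request|reply)")

def summarize(capture):
    """Count ARP and ICMP echo requests that were never answered."""
    arp_asked = {}       # target IP -> number of who-has requests seen
    arp_answered = set() # IPs for which an ARP reply was seen
    echo_pending = {}    # (src, dst) -> echo requests not matched by a reply
    for line in capture.splitlines():
        if m := ARP_REQ.search(line):
            arp_asked[m.group(1)] = arp_asked.get(m.group(1), 0) + 1
        elif m := ARP_REP.search(line):
            arp_answered.add(m.group(1))
        elif m := ICMP.search(line):
            src, dst, kind = m.groups()
            if kind == "request":
                echo_pending[(src, dst)] = echo_pending.get((src, dst), 0) + 1
            elif echo_pending.get((dst, src), 0) > 0:
                echo_pending[(dst, src)] -= 1  # reply consumes one request
    return {
        "arp_unresolved": {ip: n for ip, n in arp_asked.items()
                           if ip not in arp_answered},
        "echo_unanswered": {k: n for k, n in echo_pending.items() if n > 0},
    }

def diagnose(capture):
    """Return a one-line finding for the pattern described in step 3."""
    s = summarize(capture)
    for (src, dst), n in s["echo_unanswered"].items():
        if src in s["arp_unresolved"]:
            return (f"{n} echo request(s) from {src} reached {dst}, "
                    f"but ARP for {src} got no response")
    if s["echo_unanswered"]:
        return "echo requests unanswered; ARP is not the blocker"
    return "no unanswered echo requests"
```

Running diagnose() on the capture taken after the changes in step 5 should return 'no unanswered echo requests' once the issue is resolved.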