|
User Impact: User cannot ping or SSH FortiGate-FortiExtender WAN IP (10.255.224.127) via FortiExtender-211E lt1 interface from host 10.252.16.221.
Debug (possible cause and fix):
- Server Host (10.252.16.221) is trying to ping/SSH FortiGate-FortiExtender WAN IP (10.255.224.127) via FortiExtender-211E lt1 interface.
- Server (10.252.16.221) is at the HQ site and FortiGate and FortiExtender are at the branch site.
- On affected FortiGate (FortiExtender) - FortiGate sends out ICMP Request and ARP request, but there is no ICMP Reply and ARP response:
FortiGate:
diagnose sniffer packet fex 'host 10.252.16.221'
interfaces=[fex]
filters=[host 10.252.16.221]
1.336739 arp who-has 10.252.16.221 tell 10.255.224.127
1.338909 10.252.16.221 -> 10.255.224.127: icmp: echo request
2.338862 10.252.16.221 -> 10.255.224.127: icmp: echo request
2.338920 arp who-has 10.252.16.221 tell 10.255.224.127
3.336732 arp who-has 10.252.16.221 tell 10.255.224.127
FortiExtender:
execute tcpdump -nn -i lte1 'host 10.252.16.221'
09:43:19.187082 IP 10.252.16.221 > 10.255.224.127: ICMP echo request, id 4138, seq 136, length 64
09:43:20.178036 IP 10.252.16.221 > 10.255.224.127: ICMP echo request, id 4138, seq 137, length 64
09:43:21.179028 IP 10.252.16.221 > 10.255.224.127: ICMP echo request, id 4138, seq 138, length 64
-
Upgrade FortiExtender to the latest firmware in v4.2.x or v7.x stream.
-
Try the below changes and then test the behavior:
- Enable 'private-network' on FortiGate LTE plan via FortiExtender CLI:
config plan
edit FGT_1
set private-network enable
next
- Changed SSH default port on FortiExtender CLI from 22 to 10022 (non-default) and HTTPS port from 443 (default) to 10443 (custom port) if HTTPS access is also required to the FortiGate:
Special notes
config management
config local-access
set http 80
set https 10443
set ssh 10022
set telnet 23
set idle-timeout 5
end
execute reboot
|
