Topology:

PC1 = 1.1.1.10/24
  |
 DMZ = 1.1.1.1/24
FGT1 (NAT mode)
 WAN2  vlanXX = 2.2.2.1/24
       vlanYY = 3.3.3.1/24
  |
  | TRUNK
  |
 DMZ  (VLAN interfaces: vlanXX_inside, vlanYY_inside)
FGT2 (Transparent mode)
 WAN2 (VLAN interfaces: vlanXX_outside, vlanYY_outside)
  |
  | TRUNK
  |
Cisco (L3 switch)  vlanXX = 2.2.2.2/24
                   vlanYY = 3.3.3.3/24
Debug flow trace taken on FGT2 for a ping from PC1 to 2.2.2.2:

-----------> NEW SESSION CREATED
id=20085 trace_id=120 func=resolve_ip_tuple_fast line=2832 msg="vd-root received a packet(proto=1, 1.1.1.10:512->2.2.2.2:8) from vlanXX_inside."
id=20085 trace_id=120 func=resolve_ip_tuple line=2931 msg="allocate a new session-006bbf7a"
-----------> PACKET FORWARDED
id=20085 trace_id=120 func=__if_queue_push_xmit line=208 msg="send out via dev-vlanXX_outside, dst-mac-00:1e:f7:42:1d:80"
-----------> PACKET RETURNS ON vlanYY
id=20085 trace_id=121 func=resolve_ip_tuple_fast line=2832 msg="vd-root received a packet(proto=1, 2.2.2.2:512->1.1.1.10:0) from vlanYY_outside."
-----------> PACKET DROPPED
FortiGate in Transparent Mode.
Use the interface setting: "set peer-interface"
For example:

config system interface
    edit vlanXX_inside
        set peer-interface vlanXX_outside
    next
    edit vlanXX_outside
        set peer-interface vlanXX_inside
    next
end

This command allows the FortiGate unit to select the interface to use when it cannot find the destination MAC address in its local bridge table. A fuller explanation of this command is given in the CLI guide.

Once both vlanXX_inside and vlanXX_outside have been bound to each other in this way, the session problem shown in the trace above should be resolved.
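The following is an added example and is not part of the original technical note. It extends the peer-interface binding to the vlanYY pair that the topology also carries on FGT2, and lists the diagnose commands that produce a flow trace like the one above so the fix can be verified. Interface names are taken from the topology; XX and YY remain placeholders for the real VLAN IDs, and lines beginning with # are annotations rather than CLI input. The diagnose commands assume a FortiOS release that supports "diagnose debug flow show function-name enable" (the func= fields in the trace above indicate it was enabled when that trace was taken).

```text
# Bind both VLAN pairs on FGT2 (Transparent mode), so an unknown destination MAC
# on either member of a pair is sent out the other member instead of being dropped.
config system interface
    edit vlanXX_inside
        set peer-interface vlanXX_outside
    next
    edit vlanXX_outside
        set peer-interface vlanXX_inside
    next
    edit vlanYY_inside
        set peer-interface vlanYY_outside
    next
    edit vlanYY_outside
        set peer-interface vlanYY_inside
    next
end

# Re-run the flow trace for traffic to/from the Cisco vlanXX address (2.2.2.2)
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 2.2.2.2
diagnose debug flow show function-name enable
diagnose debug flow trace start 100
diagnose debug enable
# ... ping 2.2.2.2 from PC1 (1.1.1.10) while the trace runs ...
diagnose debug flow trace stop
diagnose debug disable

# Inspect the bridge MAC table of the root VDOM, which is what the
# peer-interface fallback is consulted against
diagnose netlink brctl name host root.b
```

Per the note above, the expected result is that the echo reply from 2.2.2.2 arriving on vlanYY_outside is no longer dropped; compare the new trace against the one captured before the change.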
Related Articles
Technical Note: Asymmetrical packet forwarding in Transparent Mode
Copyright 2024 Fortinet, Inc. All Rights Reserved.