Description
This article describes how to configure a FortiGate network interface so that a secondary IP address belongs to the same subnet as the already configured primary IP address.

By default, when a secondary IP that overlaps with an existing interface subnet is set, the FortiGate rejects it and returns the following error messages, in the CLI or the GUI:

Subnets overlap between 'port6' with primary IP of 'port5'
node_check_object fail! for ip X.X.X.X 255.255.255.0
value parse error before '255.255.255.0'
Command fail. Return code -54
or:

'Conflict with 'portx' subnet.'
Solution
FortiGate provides an option to allow overlapping subnets. It is available only in the CLI; there is no corresponding option in the GUI. If VDOMs are enabled, enter the correct VDOM first (without VDOMs, skip the first two lines and the final end):

# config vdom
    edit <VDOM>
# config system settings
    set allow-subnet-overlap [enable | disable]
end
end
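The procedure end to end, as an added example written for this article rather than text from the original page: option A enables the setting in the VDOM and then adds a secondary IP that sits in the primary's subnet; option B shows the VLSM addressing that removes the overlap so the setting can stay disabled. The VDOM name root, the interface names port5 and port6, and the 10.10.10.0/24 addresses are assumed for illustration, and the lines beginning with # are explanatory comments, not CLI input.

```text
# --- Option A: allow the overlap (per-VDOM setting, no GUI equivalent) ---
config vdom
    edit root
        config system settings
            set allow-subnet-overlap enable
        end
        # Secondary IP in the same /24 as the primary. Without the setting
        # above this is rejected with 'Subnets overlap ...'.
        config system interface
            edit "port5"
                set ip 10.10.10.1 255.255.255.0
                set secondary-IP enable
                config secondaryip
                    edit 1
                        set ip 10.10.10.2 255.255.255.0
                        set allowaccess ping
                    next
                end
            next
        end
    end

# --- Option B (recommended): VLSM, no overlap, setting stays disabled ---
# port5 becomes 10.10.10.0/25 and port6 becomes 10.10.10.128/25, so the two
# connected routes no longer share any address and the check is never hit.
config vdom
    edit root
        config system settings
            set allow-subnet-overlap disable
        end
        config system interface
            edit "port5"
                set ip 10.10.10.1 255.255.255.128
            next
            edit "port6"
                set ip 10.10.10.129 255.255.255.128
            next
        end
    end

# Verify the resulting connected routes in the VDOM:
get router info routing-table connected
```

After either option, the connected-route listing is the check worth keeping: with option A, two connected routes cover 10.10.10.0/24 and a destination in that range can be forwarded out of either interface; with option B, every destination in 10.10.10.0/24 matches exactly one connected route.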
Notes:
By design, subnets should not overlap.
If two interfaces have overlapping subnets, the FortiGate can forward a packet out of the wrong interface when the destination IP address falls inside the overlapping range, because more than one connected route can match that destination.
Enabling subnet overlap is therefore not recommended, as it can cause routing problems in the network. The setting is per VDOM and disables the overlap check for every interface in that VDOM, not only for the interface being configured.
The recommended approach is variable-length subnet masking (VLSM), so that each interface used in the environment can be assigned its own non-overlapping subnet.
Related link:
https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/657805/site-to-site-ipsec-vpn-with-overl...
Related Articles
Technical Tip: SSL VPN with overlapping subnets
Configuring DHCP relay over IPSec VPN with overlapping subnets
Technical Tip: Access of remote overlapping subnets over different IPsec tunnels with local VRF and ...