FortiGate
fwilliams
Staff
Article Id 213407

Description

 

This article describes the routing issue that can occur when an IP address from a different subnet is added under 'set management-ip'. FortiGate treats whatever IP is referenced in 'set management-ip' as directly connected to the interface on which it is configured, so the whole prefix of that address becomes a connected route on that interface.

 

Products

 

FortiGate v6.4.

FortiGate v7.0.

FortiGate v7.2.

 

Solution

 

Here is the routing table of the FortiGate before an IP address from another subnet is added under 'set management-ip'.

 

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
C       100.100.100.0/24 is directly connected, mgmt1      <----- This is a private IP, just for demo.

 

 

Adding an IP address from another subnet under 'set management-ip':

 

[Image config2.png: the interface configuration with the additional address set under 'set management-ip']

 

Here is the routing table after the above configuration change:

 

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
C       100.100.100.0/24 is directly connected, mgmt1     <----- This is a private IP, just for demo.
C       200.200.200.0/24 is directly connected, mgmt1     <----- This is a private IP, just for demo.

 

 

FortiGate now sees the IP set under 'set management-ip' as directly connected, which results in a routing issue: traffic destined for any other IP address in that range (here, anything in 200.200.200.0/24) is sent out of the management port instead of following the routes it used before.

 

To resolve this issue, change or remove the IP, change the mask to /32 (so the connected route covers only that single IP), or use an IP address from the same range as the subnet already assigned to the interface.
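The following Python model is an added illustration and not FortiOS code or output from the article. It reproduces the behaviour described above (an address configured on an interface, including one set under 'set management-ip', produces a connected route for its whole prefix, and forwarding follows the longest matching prefix) and provides a pre-change check a practitioner can run before committing a management IP. The interface address 100.100.100.1/24, the management address 200.200.200.1, and the destination 200.200.200.50 are constructed values chosen to match the prefixes shown in the routing tables above.

```python
"""Model of how a FortiGate interface address (including 'set management-ip')
becomes a connected route and which destinations that route attracts.
Added example for the article; not FortiOS code. Addresses are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A connected route: (prefix, outgoing interface), like the 'C' lines of
# 'get router info routing-table all'.
Route = Tuple[ipaddress.IPv4Network, str]


def connected_route(ip_with_mask: str, interface: str) -> Route:
    """An address a.b.c.d/len configured on an interface yields a connected
    route for the entire prefix, not just for the single address."""
    return (ipaddress.ip_interface(ip_with_mask).network, interface)


def build_table(interface_ips: Dict[str, List[str]]) -> List[Route]:
    """interface name -> list of addresses (primary IP plus any management-ip)."""
    return [connected_route(ip, ifname)
            for ifname, ips in interface_ips.items() for ip in ips]


def lookup(table: List[Route], destination: str) -> Optional[str]:
    """Longest-prefix match over the connected routes. Returns the interface
    the destination would be sent out of, or None when no connected route
    covers it (it would then fall back to static/dynamic routes, not modelled)."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, ifname) for net, ifname in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def check_management_ip(interface_ip: str, management_ip: str) -> Tuple[bool, int]:
    """Pre-change check: does this management-ip pull foreign traffic onto the
    interface, and how many other addresses in its prefix are affected?
    - management-ip inside the interface's own subnet: no new route, nothing affected
    - /32 from another subnet: a one-address route, nothing else affected
    - wider mask from another subnet: every other address in the prefix is attracted"""
    if_net = ipaddress.ip_interface(interface_ip).network
    mgmt = ipaddress.ip_interface(management_ip)
    if mgmt.network.subnet_of(if_net):
        return (False, 0)
    others = mgmt.network.num_addresses - 1   # addresses in the prefix besides the mgmt IP
    return (others > 0, others)


if __name__ == "__main__":
    # Constructed scenario mirroring the article: mgmt1 is 100.100.100.1/24.
    before = build_table({"mgmt1": ["100.100.100.1/24"]})
    broken = build_table({"mgmt1": ["100.100.100.1/24", "200.200.200.1/24"]})
    fixed = build_table({"mgmt1": ["100.100.100.1/24", "200.200.200.1/32"]})

    for label, table in (("before", before), ("with /24 management-ip", broken),
                         ("with /32 management-ip", fixed)):
        print(f"{label}: 200.200.200.50 -> {lookup(table, '200.200.200.50')}")
    print("check /24:", check_management_ip("100.100.100.1/24", "200.200.200.1/24"))
    print("check /32:", check_management_ip("100.100.100.1/24", "200.200.200.1/32"))
```

Run as a script, the model shows 200.200.200.50 having no connected route before the change, being sent out of mgmt1 once a /24 management IP from that subnet is added, and again having no connected route once the mask is narrowed to /32; the check reports 255 other addresses affected for the /24 and none for the /32.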
