Description
This article describes the case when the WAN IP displays as 'unknown' in the Dashboard or 'Failed to get my public IP' in CLI.
GUI Dashboard:
CLI:
diagnose sys waninfo
Failed to get my public IP, ret=0 src_ip=0.0.0.0 vfid=-1(null)
Command fail. Return code 5
Scope
FortiGate.
Solution
It is possible to fix that issue in multiple ways. Before fixing it, do the verification below:
- First, check if the default route is there:
get router info routing-table all
Example"
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.1.1.254, port1, [1/0] <<<< Default route
C 10.1.1.0/20 is directly connected, port1
-
Try to run the commands below to get the IP from the FortiGuard:
diagnose sys waninfo
diagnose sys waninfo ipify
It is possible to get the error if it fails to get the IP as below if yes follow the next step:
Try to get 'my public IP' through:
https://api.ipify.org with src_ip=0.0.0.0 vfid=0(root) ... Failed to get my public IP, ret=-1 src_ip=0.0.0.0 vfid=0(root).
Command fail. Return code 5
-
Verify connectivity to the internet. For that, execute the commands below:
execute ping-option reset
execute ping 8.8.8.8
If it is not pinging, check the routing table with the command:
get router info routing-table details 8.8.8.8
Multiple routes for internet connectivity are shown below:
get router info routing-table details 8.8.8.8
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.x.x.x, via port1
* 10.x.x.x, via port2
Then test the reachability by specifying the interface/source as below:
execute ping-options reset
execute ping-options interface port1
execute ping 8.8.8.8
If it is successful, do the following changes to the DNS settings:
config system dns
set interface-select-method specify
set interface port1
set source-ip x.x.x.x(port1 IP)
end
Also, to reach the FortiGuard servers, it is necessary to use the same port:
config system fortiguard
set interface-select-method specify
set interface port1
set source-ip x.x.x.x(port1 IP)
end
If not, change the interface to port2 and check. If it works, make the changes on the DNS interface select method:
execute ping-options reset
execute ping-options interface port2
execute ping 8.8.8.8
config system dns
set interface-select-method specify
set interface port2
set source-ip x.x.x.x(port2 IP)
end
Also, to reach the FortiGuard servers, it is necessary to use the same port:
config system fortiguard
set interface-select-method specify
set interface port2
set source-ip x.x.x.x(port2 IP)
end
If both the WAN interfaces (WAN1 and WAN2) form an aggregated (combined) link, then it is necessary to use the aggregated interface and set the source IP as the aggregate interface IP.
config system fortiguard
set interface-select-method specify
set interface INTERNET <- Set the aggregated interface.
set source-ip 194.78.115.93
end
In a Multi-VDOM scenario, the management VDOM must have an internet connection.
After all of the above changes, if the issue still persists, make the following changes:
config system interface
edit "primary-wan interface"
set mtu-override enable
set mtu 1400
next
end
The command 'set mtu-override enable' enables the override of the Maximum Transmission Unit (MTU) setting for a network interface. This makes it possible to manually set a specific MTU value for the interface instead of using the default value.
See Technical Tip: How to adjust the Maximum Transmission Unit (MTU) value on a FortiGate interface.
Note: FortiClient also uses api.ipify.org to get its public IP information.
