Description
This article describes the case when the WAN IP is displaying as 'unknown' in the Dashboard or 'Failed to get my public IP' on CLI.
GUI Dashboard:
CLI:
diag sys waninfo
Failed to get my public IP, ret=0 src_ip=0.0.0.0 vfid=-1(null)
Command fail. Return code 5
Scope
FortiGate.
Solution
It is possible to fix that issue in multiple ways. Before fixing it, do the verification below:
- First, check if the default route is there:
get router info routing-table all
Example"
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.1.1.254, port1, [1/0] <<<< Default route
C 10.1.1.0/20 is directly connected, port1
-
Try to run the below commands to get the IP from the FortiGuard:
diagnose sys waninfo
diagnose sys waninfo ipify
It is possible to get the error if it fails to get the IP as below: if yes follow the next step:
Try to get 'my public IP' through:
https://api.ipify.org with src_ip=0.0.0.0 vfid=0(root) ... Failed to get my public IP, ret=-1 src_ip=0.0.0.0 vfid=0(root).
Command fail. Return code 5
-
Verify connectivity to the internet. For that execute the below commands:
exec ping-option reset
exec ping 8.8.8.8
If it is not pinging, check the routing table by the command:
get router info routing-table details 8.8.8.8
Multiple routes for internet connectivity are seen below:
get router info routing-table details 8.8.8.8
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 10.x.x.x, via port1
* 10.x.x.x, via port2
Then test the reachability by specifying the interface/source as below:
exec ping-options reset
exec ping-options interface port1
exec ping 8.8.8.8
If it is successful, do the below changes on the DNS settings:
config sys dns
set interface-select-method specify
set interface port1
set source-ip x.x.x.x(port1 IP)
end
Also, to reach the FortiGuard servers, it is necessary to use the same port:
config sys fortiguard
set interface-select-method specify
set interface port1
set source-ip x.x.x.x(port1 IP)
end
If not, change the interface to port2 and check. If it works, make the changes on the DNS interface select method:
exec ping-options reset
exec ping-options interface port2
exec ping 8.8.8.8
config sys DNS
set interface-select-method specify
set interface port2
Set source-ip x.x.x.x(port2 IP)
end
Also, to reach the FortiGuard servers, it is necessary to use the same port:
config sys fortiguard
set interface-select-method specify
set interface port2
Set source-ip x.x.x.x(port2 IP)
end
If both the WAN interfaces (WAN1 and WAN2) formed an aggregated (combined) link then it is necessary to use the aggregated interface and set the source IP as the aggregate interface IP.
config sys fortiguard
set interface-select-method specify
set interface INTERNET <- Set the aggregated interface.
set source-ip 194.78.115.93
end
In a Multi-VDOM scenario, the management VDOM must have an internet connection.
After all of the above changes, if the issue still persists, make the following changes:
config system interface
edit "primary-wan interface"
set mtu-override enable
set mtu 1400
next
end
The command 'set mtu-override enable' enables the override of the Maximum Transmission Unit (MTU) setting for a network interface. This makes it possible to manually set a specific MTU value for the interface instead of using the default value.
See Technical Tip: How to adjust the Maximum Transmission Unit (MTU) value on a FortiGate interface.
Note: FortiClient also uses api.ipify.org to get its public IP information.
