Description | This article describes behavior where management traffic starts overlapping on the virtual wire pair. |
Scope | FortiGate |
Solution |
Configurations vary, but the topology in which the issue occurs most often has a downstream switch connected to the FortiGate and sending traffic towards it:
In the topology above, the FortiGate is accessed on Internal_7, the management port. Internal_1 and Internal_2 are configured as a virtual wire pair. With a correct configuration the FortiGate stays reachable on Internal_7, but in some cases access is lost after the FortiGate is upgraded.
This occurs because, during the access attempt, the management traffic overlaps with the virtual wire pair: it is received on a virtual wire pair member interface and handled as virtual wire pair traffic rather than as traffic for the management port.
Running the sniffer shows the management traffic (here TCP to 10.240.104.254 port 8443) arriving on internal2, a virtual wire pair member, instead of on internal7:
```
2024-04-22 10:21:07.275390 internal2 in 10.240.137.113.62965 -> 10.240.104.254.8443: psh 1730862386 ack 4238174702
2024-04-22 10:21:07.871379 internal2 in 10.240.137.113.62986 -> 10.240.104.254.8443: psh 4112164305 ack 1889223950
```
Another indicator is the flow debug, which shows where the packet is received and that it is passed on to the IPS:
```
id=65308 trace_id=25 func=print_pkt_detail line=5831 msg="vd-root:0 received a packet(proto=1, 10.240.137.113:1->10.240.104.254:2048) tun_id=0.0.0.0 from internal7. type=8, code=0, id=1, seq=13158."
```
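To turn the two indicators above into a repeatable check, the following script parses FortiGate sniffer lines and the flow debug line and flags management-port traffic that ingresses on a virtual wire pair member instead of the management interface. This is an added example, not code from the Fortinet article; it assumes the topology described above (internal7 as management port, internal1/internal2 as the virtual wire pair), assumes that TCP 8443 and 22 are the admin ports, and the third sniffer line is constructed to show the healthy case.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Topology assumed from the article: internal7 is the management port and
# internal1/internal2 form the virtual wire pair. The admin ports are an
# assumption for this example (8443 = HTTPS admin, 22 = SSH).
MGMT_INTERFACE = "internal7"
VWP_MEMBERS = {"internal1", "internal2"}
ADMIN_PORTS = {8443, 22}

# Sample input: the two sniffer lines quoted in the article plus one
# constructed line showing management traffic arriving on the correct port.
SAMPLE_SNIFFER = [
    "2024-04-22 10:21:07.275390 internal2 in 10.240.137.113.62965 -> 10.240.104.254.8443: psh 1730862386 ack 4238174702",
    "2024-04-22 10:21:07.871379 internal2 in 10.240.137.113.62986 -> 10.240.104.254.8443: psh 4112164305 ack 1889223950",
    "2024-04-22 10:21:08.001000 internal7 in 10.240.137.113.62990 -> 10.240.104.254.8443: syn 1000000000",  # constructed
]

# The flow debug line quoted in the article.
SAMPLE_FLOW = ('id=65308 trace_id=25 func=print_pkt_detail line=5831 msg="vd-root:0 received a packet'
               '(proto=1, 10.240.137.113:1->10.240.104.254:2048) tun_id=0.0.0.0 from internal7. '
               'type=8, code=0, id=1, seq=13158."')

# "diagnose sniffer packet" verbosity-4 style line: <date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>
SNIFFER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# "diagnose debug flow" print_pkt_detail message: extracts protocol, 5-tuple and ingress interface.
FLOW_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\) tun_id=\S+ from (?P<iface>[^.\s]+)\."
)


@dataclass
class Packet:
    ts: str
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one sniffer line; return None for lines that do not match."""
    m = SNIFFER_RE.match(line.strip())
    if not m:
        return None
    return Packet(m["ts"], m["iface"], m["dir"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), m["rest"])


def find_overlap(lines: Iterable[str], mgmt_iface: str = MGMT_INTERFACE,
                 vwp_members=VWP_MEMBERS, admin_ports=ADMIN_PORTS) -> List[Packet]:
    """Return inbound packets to an admin port that were received on a virtual
    wire pair member rather than on the management interface."""
    hits = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt.direction != "in":
            continue
        if pkt.dport in admin_ports and pkt.iface in vwp_members and pkt.iface != mgmt_iface:
            hits.append(pkt)
    return hits


def parse_flow_debug(line: str) -> Optional[Dict[str, object]]:
    """Extract proto, addresses and ingress interface from a flow debug line."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {"proto": int(m["proto"]), "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "iface": m["iface"]}


def classify_flow_ingress(line: str, mgmt_iface: str = MGMT_INTERFACE,
                          vwp_members=VWP_MEMBERS) -> str:
    """Classify the ingress interface of a flow debug line as
    'management', 'vwp' (overlap) or 'other'; 'unparsed' if it cannot be read."""
    info = parse_flow_debug(line)
    if info is None:
        return "unparsed"
    if info["iface"] == mgmt_iface:
        return "management"
    if info["iface"] in vwp_members:
        return "vwp"
    return "other"


if __name__ == "__main__":
    for pkt in find_overlap(SAMPLE_SNIFFER):
        print(f"OVERLAP: admin traffic to {pkt.dst}:{pkt.dport} received on {pkt.iface} at {pkt.ts}")
    print("flow debug ingress:", classify_flow_ingress(SAMPLE_FLOW))
```

Run it against a saved `diagnose sniffer packet any "port 8443" 4` capture; any line reported as OVERLAP is management traffic entering through the virtual wire pair, which is the condition this article describes.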
To avoid this, always keep the management traffic separate from the virtual wire pair, for example by placing the management interface in its own VRF:
```
config system interface
    edit interface42
        ...
        set vrf 14
    next
end
```