Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Troubleshooting Tip: Routing Issue
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes how to verify routing path and configuration.
Basically, routing is related to the segment and gateway.
In some scenario, certain segment required specific gateway.
Example.
Solution
To mitigate this issue, verify that the FortiGate configuration is working as per as expected.
Go to Network -> Static Route.
Make sure all the routing information is correct.
Add / remove necessary entry.
Verify traffic flow as follow:
- Source: 172.168.0.100.
- Destination: 10.10.10.16.
Verify routing table.
Verify traffic flow.
Sniffer will show the interface as follow:
In above output, there is 4 line for each complete flow. Notice the numbering.
Go out using MPLS, respond from MPLS.
If something not right is noticed, change the routing, distance or priority accordingly.
Certain case, FortiGate already sent out the traffic to the correct gateway, however, the peer did not respond to FortiGate or respond using another gateway.
Example:
Traffic from LAN(in) to MPLS(out) <----- Correct.
Respond from VPN1(in) to LAN(out) <----- Not correct.
Traffic should respond back on MPLS.
For this scenario, it is not the FortiGate issue anymore.
Check routing on the peer.
Troubleshooting idea:
1) Make sure the segment and subnet is correct
2) Make sure the FortiGate interface can ping to the peer gateway.
This article describes how to verify routing path and configuration.
Basically, routing is related to the segment and gateway.
In some scenario, certain segment required specific gateway.
Example.
0.0.0.0/0(everything) Gateway ISP Router
10.10.10.0/24 Gateway MPLS. Means, 10.10.10.0/24 is on MPLS
20.20.20.0/24 Gateway VPN1. Means, 20.20.20.0/24 is on VPN1
30.30.30.0/24 Gateway VPN2. Means 30.30.30.0/24 is on VPN2
Solution
To mitigate this issue, verify that the FortiGate configuration is working as per as expected.
Go to Network -> Static Route.
Make sure all the routing information is correct.
Add / remove necessary entry.
Verify traffic flow as follow:
- Source: 172.168.0.100.
- Destination: 10.10.10.16.
Verify routing table.
# get router info routing-table all | grep 10.10.10.0/24Or
# get router info routing-table allMake sure there is a routing for 10.10.10.0/24 segment.
Verify traffic flow.
# diag sniffer packet any ‘host 10.10.10.16 and icmp’ 4 0From source 172.168.0.100, ping to 10.10.10.16.
Sniffer will show the interface as follow:
interfaces=[any]Check the gateway / interface use to reach the 10.10.10.16.
filters=[host 172.168.0.100 and host 10.10.10.16 and icmp]
11.097441 lan in 172.168.0.100 -> 10.10.10.16: icmp: echo request
11.097557 MPLS out 192.168.244.136 -> 10.10.10.16: icmp: echo request
11.129438 MPLS in 10.10.10.16 -> 192.168.244.136: icmp: echo reply
11.129477 lan out 10.10.10.16 -> 172.168.0.100: icmp: echo reply
12.102049 lan in 172.168.0.100 -> 10.10.10.16: icmp: echo request
12.102085 MPLS out 192.168.244.136 -> 10.10.10.16: icmp: echo request
12.133505 MPLS in 10.10.10.16 -> 192.168.244.136: icmp: echo reply
12.133531 lan out 10.10.10.16 -> 172.168.0.100: icmp: echo reply
13.109669 lan in 172.168.0.100 -> 10.10.10.16: icmp: echo request
13.109708 MPLS out 192.168.244.136 -> 10.10.10.16: icmp: echo request
13.147746 MPLS in 10.10.10.16 -> 192.168.244.136: icmp: echo reply
13.147773 lan out 10.10.10.16 -> 172.168.0.100: icmp: echo reply
14.114213 lan in 172.168.0.100 -> 10.10.10.16: icmp: echo request
14.114249 MPLS out 192.168.244.136 -> 10.10.10.16: icmp: echo request
14.138062 MPLS in 10.10.10.16 -> 192.168.244.136: icmp: echo reply
14.138096 lan out 10.10.10.16 -> 172.168.0.100: icmp: echo reply
In above output, there is 4 line for each complete flow. Notice the numbering.
11.xxxxxx – for 1 complete pingSo in this scenario, the traffic flow is correct.
12.xxxxxx – for 1 complete ping
13.xxxxxx – for 1 complete ping
14.xxxxxx – for 1 complete ping
Traffic from LAN(in) to MPLS(out)
Respond from MPLS(in) to LAN(out)
Go out using MPLS, respond from MPLS.
If something not right is noticed, change the routing, distance or priority accordingly.
Certain case, FortiGate already sent out the traffic to the correct gateway, however, the peer did not respond to FortiGate or respond using another gateway.
Example:
Traffic from LAN(in) to MPLS(out) <----- Correct.
Respond from VPN1(in) to LAN(out) <----- Not correct.
Traffic should respond back on MPLS.
For this scenario, it is not the FortiGate issue anymore.
Check routing on the peer.
Troubleshooting idea:
1) Make sure the segment and subnet is correct
2) Make sure the FortiGate interface can ping to the peer gateway.
# Exe ping-options source <interfaceIP>3) Make sure the other unit also route to the FortiGate.
Related Articles
24562
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.