- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Help understanding what is wrong
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help understanding what is wrong
Hi all,
I've got a strange behaviour but I cannot figure out why.
I have a couple of ADSL modems (in bridge mode) connected to wan1 and wan2 of my fortigate 60D.
I created a load-balanced wan on the firewall which.
The modems have an IP on 192.168.200.0/29 where the management GUI responds.
To be able to reach these addresses I created a policy which NAT the packet directed to this address behind an address belonging to the same network.
Then I created a static route to direct the packet to the right interface, wan1 or wan2, depending on the destination target.
Despite this I can reach one modem GUI only while the other is not responding.
Of course If I directli connect the modem to my PC I am able to browse its GUI.
Do you have any idea about what I am missing?
Here you are the flow trace of the packet directed to the modems:
MODEM1 (working)
id=20085 trace_id=7 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=1, 10.9.10.100:21859->192.168.200.1:8) from internal. code=8, type=0, id=21859, seq=0." id=20085 trace_id=7 func=init_ip_session_common line=4620 msg="allocate a new session-000781c6" id=20085 trace_id=7 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.200.1 via wan1" id=20085 trace_id=7 func=fw_forward_handler line=675 msg="Allowed by Policy-9: SNAT" id=20085 trace_id=7 func=__ip_session_run_tuple line=2596 msg="SNAT 10.9.10.100->192.168.200.3:62464" id=20085 trace_id=8 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=1, 192.168.200.1:62464->192.168.200.3:0) from wan1. code=0, type=0, id=62464, seq=0." id=20085 trace_id=8 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-000781c6, reply direction" id=20085 trace_id=8 func=__ip_session_run_tuple line=2610 msg="DNAT 192.168.200.3:0->10.9.10.100:21859" id=20085 trace_id=8 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.9.10.100 via internal" id=20085 trace_id=9 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=1, 10.9.10.100:21859->192.168.200.1:8) from internal. code=8, type=0, id=21859, seq=1." id=20085 trace_id=9 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-000781c6, original direction" id=20085 trace_id=9 func=__ip_session_run_tuple line=2596 msg="SNAT 10.9.10.100->192.168.200.3:62464" id=20085 trace_id=10 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=1, 192.168.200.1:62464->192.168.200.3:0) from wan1. code=0, type=0, id=62464, seq=1." id=20085 trace_id=10 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-000781c6, reply direction" id=20085 trace_id=10 func=__ip_session_run_tuple line=2610 msg="DNAT 192.168.200.3:0->10.9.10.100:21859"
MODEM2 (NOT working)
id=20085 trace_id=11 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=2, 192.168.200.2:0->224.0.0.1:0) from wan2. " id=20085 trace_id=11 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-0005ef78, original direction" id=20085 trace_id=12 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=2, 192.168.200.2:0->224.0.0.1:0) from wan2. " id=20085 trace_id=12 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-0005ef78, original direction" id=20085 trace_id=13 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=1, 10.9.10.100:33379->192.168.200.2:8) from internal. code=8, type=0, id=33379, seq=0." id=20085 trace_id=13 func=init_ip_session_common line=4620 msg="allocate a new session-00078386" id=20085 trace_id=13 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.200.2 via wan2" id=20085 trace_id=13 func=fw_forward_handler line=675 msg="Allowed by Policy-9: SNAT" id=20085 trace_id=13 func=__ip_session_run_tuple line=2596 msg="SNAT 10.9.10.100->192.168.200.3:62464" id=20085 trace_id=14 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=1, 10.9.10.100:33379->192.168.200.2:8) from internal. code=8, type=0, id=33379, seq=1." id=20085 trace_id=14 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-00078386, original direction" id=20085 trace_id=14 func=__ip_session_run_tuple line=2596 msg="SNAT 10.9.10.100->192.168.200.3:62464" id=20085 trace_id=15 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=1, 10.9.10.100:33379->192.168.200.2:8) from internal. code=8, type=0, id=33379, seq=2." id=20085 trace_id=15 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-00078386, original direction" id=20085 trace_id=15 func=__ip_session_run_tuple line=2596 msg="SNAT 10.9.10.100->192.168.200.3:62464" id=20085 trace_id=16 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=1, 10.9.10.100:33379->192.168.200.2:8) from internal. code=8, type=0, id=33379, seq=3." id=20085 trace_id=16 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-00078386, original direction" id=20085 trace_id=16 func=__ip_session_run_tuple line=2596 msg="SNAT 10.9.10.100->192.168.200.3:62464" id=20085 trace_id=17 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=2, 192.168.200.2:0->224.0.0.1:0) from wan2. " id=20085 trace_id=17 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-0005ef78, original direction"
Thank You
Regards
Solved! Go to Solution.
Labels:
- Labels:
-
5.2
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These devices are on two different interfaces. Make 2 unique transfer subnets and try again. (192.168.200.0/30 and 192.168.200.4/30 for example)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These devices are on two different interfaces. Make 2 unique transfer subnets and try again. (192.168.200.0/30 and 192.168.200.4/30 for example)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I separated the two subnet:
modem1: 192.168.200.1/30 NAT:192.168.200.2
modem: 192.168.200.5/30 NAT:192.168.200.6
but it looks there is the same behaviour. I cannot see the packets replied by the modem2:
MODEM1
2016-01-28 08:09:40 id=20085 trace_id=1222 func=init_ip_session_common line=4620 msg="allocate a new session-00097fc1" 2016-01-28 08:09:40 id=20085 trace_id=1222 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.200.1 via wan1" 2016-01-28 08:09:40 id=20085 trace_id=1222 func=fw_forward_handler line=675 msg="Allowed by Policy-9: SNAT" 2016-01-28 08:09:40 id=20085 trace_id=1222 func=__ip_session_run_tuple line=2596 msg="SNAT 10.9.10.100->192.168.200.2:65198" 2016-01-28 08:09:40 id=20085 trace_id=1223 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=6, 192.168.200.1:80->192.168.200.2:65198) from wan1. flag [S.], seq 4225730003, ack 2280903650, win 2100" 2016-01-28 08:09:40 id=20085 trace_id=1223 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-00097fc1, reply direction" 2016-01-28 08:09:40 id=20085 trace_id=1223 func=__ip_session_run_tuple line=2610 msg="DNAT 192.168.200.2:65198->10.9.10.100:65198" 2016-01-28 08:09:40 id=20085 trace_id=1223 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.9.10.100 via internal" 2016-01-28 08:09:40 id=20085 trace_id=1224 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=6, 10.9.10.100:65198->192.168.200.1:80) from internal. flag [.], seq 2280903650, ack 4225730004, win 65535"
MODEM2
2016-01-28 08:13:04 id=20085 trace_id=1322 func=init_ip_session_common line=4620 msg="allocate a new session-00098095"
2016-01-28 08:13:04 id=20085 trace_id=1322 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.200.5 via wan2"
2016-01-28 08:13:04 id=20085 trace_id=1322 func=fw_forward_handler line=675 msg="Allowed by Policy-10: SNAT"
2016-01-28 08:13:04 id=20085 trace_id=1322 func=__ip_session_run_tuple line=2596 msg="SNAT 10.9.10.100->192.168.200.6:65212"
2016-01-28 08:13:05 id=20085 trace_id=1323 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=6, 10.9.10.100:65211->192.168.200.5:80) from internal. flag , seq 585892197, ack 0, win 65535"
2016-01-28 08:13:05 id=20085 trace_id=1323 func=resolve_ip_tuple_fast line=4530 msg="Find an existing session, id-00098094, original direction"
2016-01-28 08:13:05 id=20085 trace_id=1323 func=__ip_session_run_tuple line=2596 msg="SNAT 10.9.10.100->192.168.200.6:65211"
2016-01-28 08:13:05 id=20085 trace_id=1324 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=6, 10.9.10.100:65212->192.168.200.5:80) from internal. flag , seq 3535325209, ack 0, win 65535"
Related Posts
- System file integrity check failed 112 Views
- ipv6 - internal lan interface cannot... 123 Views
- Migrate VDOM to Different Network setup 116 Views
- Understanding the Use of FortiGate Workspace... 112 Views
- Trying to understand the packet flow... 285 Views
Labels
-
FortiGate
6,425 -
FortiClient
1,281 -
5.2
801 -
5.4
639 -
FortiManager
558 -
6.0
416 -
FortiAnalyzer
409 -
5.6
362 -
FortiSwitch
330 -
FortiAP
323 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
102 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
81 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
IPsec
62 -
Wireless Controller
56 -
SSL-VPN
52 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
17 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
Interface
10 -
VDOM
10 -
FortiWeb v5.0
9 -
BGP
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
Traffic shaping
8 -
Virtual IP
8 -
RADIUS
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
NAT
6 -
IP address management - IPAM
6 -
SSID
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiAuthenticator
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
Security profile
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
Web application firewall profile
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
OSPF
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.