Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
chethan
Contributor

Inter-VLAN routing issues - FortiGate

Hello everyone,

 

Before implementing the following configuration in production, I'm testing it out in GNS3, and I'm facing issues with inter-VLAN routing. I have configured the FortiGate to act as a router-on-a-stick.

 

  1. I have created VLAN 100 and VLAN 200 on the switch and allowed them over the trunk interface that is connected to the FortiGate. Configured the ports connecting the end devices as access ports.
  2. Created the same VLANs on the FortiGate and attached them to the interface that is connected to the switch.
  3. Created the required firewall policies, VLAN 100 -> VLAN 200 and VLAN 200 -> VLAN 100.
  4. From a device in VLAN 100, I'm able to ping the VLAN 100 SVI IP address and the SVI IP address on VLAN 200. But I'm unable to reach the other device in VLAN 200, and vice versa.
  5. The packet sniffer on the FortiGate shows that it is receiving the packet on the VLAN 100 interface but it is not sending it out of the VLAN 200 interface.

Please find the attached images for reference. I believe I'm not missing anything here. Any suggestions would be helpful.

 

 

Network Diagram:

 

chethan_1-1652270777734.png

 

Firewall Policies:

 

chethan_2-1652270777739.png

 

VLAN Interface details:

 

chethan_3-1652270777742.png

 

Sniffer Output:

 

chethan_4-1652270777744.png

 

Thank you

 

 

 

IMPORTANT UPDATE: 

 

Hey everyone,

 

This is important I guess,

 

I just replaced the new FortiGate running FortiOS 7.2 with one running FortiOS 6.4.9, and inter-VLAN routing is now happening without any problem.

 

I have the same configuration in place as the one I had earlier.

 

Is this a bug or anything in 7.2 release? Can the Fortinet staff confirm this please?

 

Please find my updated screenshots:

 

chethan_0-1652357915030.png

 

PC1 to PC2:

chethan_1-1652357937273.png

 

PC2 to PC1:

chethan_2-1652357956362.png

 

Thank you

 

 

 

 

Chethan
NSE 4
1 Solution
jintrah_FTNT

Hi Chethan,

 

I tested this on a 7.2 device and it is found to work, so the issue should be local to your environment only.

 

jintrah_FTNT_0-1652428999364.png

jintrah_FTNT_1-1652429192067.png

 

jintrah_FTNT_2-1652429279470.png

 

best regards,

Jin

 


40 REPLIES
aionescu
Staff

Hi chethan,

 

This is a very nicely explained issue.


Can you run the following commands and update us with the output?

 

Assuming the source is 10.0.100.10 and destination 10.0.200.10

 

Stop the traffic and clear any possibly existing sessions between the hosts:

diagnose sys session filter src 10.0.100.10
diagnose sys session filter dst 10.0.200.10
diagnose sys session clear

Confirm that there is no session with:

diagnose sys session list

 

Run a debug flow while generating traffic:
diagnose debug flow filter addr 10.0.100.10
diagnose debug flow trace start 100
diagnose debug enable

 

Collect the ARP entries on the device:
get system arp

chethan

Thank you aionescu,

 

Here are the outputs for the following commands:

 

FortiOS-VM64-KVM # diag sys session filter src 10.0.100.10

FortiOS-VM64-KVM # diag sys session filter dst 10.0.200.10

FortiOS-VM64-KVM # diag sys sess cl
ambiguous command before 'sess'

FortiOS-VM64-KVM # diag sys session clear

FortiOS-VM64-KVM # diag sys session list
total session 0

FortiOS-VM64-KVM # diag deb flow filter addr 10.0.100.10

FortiOS-VM64-KVM # diag deb flow trace start 100

FortiOS-VM64-KVM # diag deb en

FortiOS-VM64-KVM # id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:30945->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=30945, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-0000035b, tun_id=0.0.0.0"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:31457->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=31457, seq=2."
id=65308 trace_id=2 func=init_ip_session_common line=6076 msg="allocate a new session-0000036a, tun_id=0.0.0.0"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:31969->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=31969, seq=3."
id=65308 trace_id=3 func=init_ip_session_common line=6076 msg="allocate a new session-00000379, tun_id=0.0.0.0"
id=65308 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=4 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:32481->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=32481, seq=4."
id=65308 trace_id=4 func=init_ip_session_common line=6076 msg="allocate a new session-00000382, tun_id=0.0.0.0"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=5 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:32993->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=32993, seq=5."
id=65308 trace_id=5 func=init_ip_session_common line=6076 msg="allocate a new session-00000384, tun_id=0.0.0.0"
id=65308 trace_id=5 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"

FortiOS-VM64-KVM #
FortiOS-VM64-KVM # get system arp
Address Age(min) Hardware Addr Interface
10.0.200.10 3 00:50:79:66:68:01 VLAN200
192.168.233.1 0 00:50:56:c0:00:08 mgmt
10.0.100.10 1 00:50:79:66:68:00 VLAN100
192.168.233.2 0 00:50:56:f3:62:fc mgmt

Chethan
NSE 4
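The debug flow pasted above is the useful clue in this thread: every trace reaches "find a route ... via VLAN200" and then stops, with no policy lookup ("Allowed by Policy-N" / "Denied by ...") and no forwarding step, which matches the sniffer showing only inbound packets. The following script is an added example (not code from Fortinet or from anyone in this thread) that groups `diagnose debug flow` lines by `trace_id` and flags traces that were received and routed but never reached a verdict. The sample input is constructed: the first three lines copy trace_id=1 from the output above, while the "allowed" trace (id 2) and "denied" trace (id 3) are hypothetical and only follow the usual FortiOS wording; `func=` names and `line=` numbers vary between builds, so the script matches on the `msg` text only.

```python
"""Triage FortiOS `diagnose debug flow` output for traces that stall before a policy verdict."""
import re

# Constructed sample. Lines for trace_id=1 are copied from the thread; trace_id=2
# (allowed) and trace_id=3 (denied) are hypothetical healthy/denied traces added
# for comparison, using the usual FortiOS message wording.
SAMPLE_TRACE = '''\
id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:30945->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=30945, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-0000035b, tun_id=0.0.0.0"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.100.10:30946->10.0.200.10:2048) tun_id=0.0.0.0 from VLAN100. type=8, code=0, id=30946, seq=2."
id=65308 trace_id=2 func=init_ip_session_common line=6076 msg="allocate a new session-0000035c, tun_id=0.0.0.0"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.200.10 via VLAN200"
id=65308 trace_id=2 func=fw_forward_handler line=833 msg="Allowed by Policy-1:"
id=65308 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.0.200.10:1->10.0.100.10:2048) tun_id=0.0.0.0 from VLAN200. type=8, code=0, id=1, seq=1."
id=65308 trace_id=3 func=init_ip_session_common line=6076 msg="allocate a new session-0000035d, tun_id=0.0.0.0"
id=65308 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.100.10 via VLAN100"
id=65308 trace_id=3 func=fw_forward_handler line=894 msg="Denied by forward policy check (policy 0)"
'''

# Only trace_id and the quoted msg are parsed; func/line differ between FortiOS builds.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s.*?msg="(?P<msg>.*)"\s*$')
RECV_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\)'
    r'.* from (?P<iface>\S+)\.')
ROUTE_RE = re.compile(r'find a route: .* via (?P<iface>\S+)')


def parse_traces(text):
    """Group msg strings by trace_id, preserving the order traces first appear."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces.setdefault(int(m.group('tid')), []).append(m.group('msg'))
    return traces


def classify(msgs):
    """Summarise one trace: endpoints, ingress/egress interface and policy verdict."""
    info = {'src': None, 'dst': None, 'ingress': None, 'egress': None,
            'verdict': 'incomplete'}
    for msg in msgs:
        r = RECV_RE.search(msg)
        if r:
            info['src'], info['dst'] = r.group('src'), r.group('dst')
            info['ingress'] = r.group('iface')
            continue
        r = ROUTE_RE.search(msg)
        if r:
            info['egress'] = r.group('iface')
            continue
        if msg.startswith('Allowed by Policy'):
            info['verdict'] = 'allowed'
        elif msg.startswith('Denied by'):
            info['verdict'] = 'denied'
    return info


def triage(text):
    """Map trace_id -> classification for a whole debug-flow capture."""
    return {tid: classify(msgs) for tid, msgs in parse_traces(text).items()}


def stalled_traces(text):
    """trace_ids that found an egress route but never reached a policy verdict."""
    return [tid for tid, info in triage(text).items()
            if info['egress'] is not None and info['verdict'] == 'incomplete']


if __name__ == '__main__':
    for tid, info in triage(SAMPLE_TRACE).items():
        print(f"trace {tid}: {info['src']} -> {info['dst']} "
              f"{info['ingress']} -> {info['egress']} verdict={info['verdict']}")
    print('stalled traces (routed, no verdict):', stalled_traces(SAMPLE_TRACE))
```

Pipe a saved `diagnose debug flow` capture into `triage()`; a capture where every trace is reported as stalled means the drop happens between route lookup and policy evaluation on the FortiGate itself, which rules out the switch, the trunk and the end hosts and is exactly the situation the thread goes on to narrow down.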
aionescu

Hello Chethan,

 

Is there any VIP configured?

Also, are you able to ping 10.0.200.10 from the FortiGate? What if you ping with source 10.0.100.254?

chethan

No, VIP is not configured. 

Yes, I'm able to ping both 10.0.100.10 and 10.0.200.10 from FortiGate.

 

And from 10.0.100.10 I'm able to ping 10.0.200.254 (VLAN 200 Interface IP) and from 10.0.200.10 I'm able to ping 10.0.100.254 (VLAN 100 Interface IP).

 

chethan_0-1652347194917.png

 

 

Chethan
NSE 4
chethan

I have updated my original post. Kindly, check!

 

Thank you

Chethan
NSE 4
agodbole
Staff

Hi Chethan

 

Can you run a sniffer on the FortiGate when you ping devices in different VLANs?

 

Also, one of the most common issues, if you have Windows machines, is the Windows firewall, so if they are Windows machines I would suggest you disable that before you run the sniffer.

chethan

Hi agodbole,

 

There are no Windows endpoints. I have attached the screenshot of the sniffer output in my original post.

 

FortiGate receives the packet on its incoming VLAN interface but it is not forwarded to the outgoing VLAN interface. 

 

Eg:

source: 10.0.100.10 (end device in VLAN 100)

destination: 10.0.200.10 (end device in VLAN 200)

Ping Fails.

 

source: 10.0.100.10 (end device in VLAN 100)

destination: 10.0.200.254 (VLAN 200 SVI IP address)

Ping Succeeds.

 

These are directly connected subnets for FortiGate

 

 

 

Chethan
NSE 4
chethan

Hi Agodbole,

 

I have updated my original post. Kindly, check!

 

Thank you

Chethan
NSE 4
seshuganesh
Staff

Hi chethan,

 

Ignore: there are only "in" packets in the sniffer, no "out" packets, so this reply won't help.

Can you get this output:

execute ping-options source 10.0.100.254

execute ping 10.0.200.10

 

execute ping-options reset

execute ping-options source 10.0.200.254

execute ping 10.0.200.10

 

Please get both of these outputs.