Fortinet Forum
markscott_wg
New Contributor

Strange VIP /NAT issue

We have a customer who is migrating their internet connectivity to a new speed and provider. WAN2 has the legacy internet connection and WAN1 has the new internet connection.

I am attempting to migrate the VIP and rules to the new connection. Although I have created a new VIP and rule to map RDP to port 52002, it does not work on the new connection, even though it works on the old connection and IP. I have ensured the new IP is correct and that the internal IPs are also correct.

Another server on port 52000 works as expected so I am at a loss to explain this.

emnoc
Esteemed Contributor III

The CLI command diag debug flow is your friend, but it sounds like a routing failure with the uRPF lookup. I bet the old default route is pointed through WAN1; if the VIP is attached to WAN2 and you have an RPF lookup failure, the firewall will drop the packet due to RPF checks.

If you want to confirm, place a /32 host route through WAN2 to the source of your tester IPv4 address.

Ken
PCNSE
NSE
StrongSwan

rwpatterson
Valued Contributor III

The VIP definition asks for an external port. Make sure you change that in the VIP definition. It will only work on one outward facing interface, not both.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
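An added example (not from either poster) that puts the two replies together on the FortiGate CLI: a VIP bound to the new outward-facing interface with its external port set, then the debug-flow trace and /32 host route emnoc suggests for checking a reverse-path drop. Interface names, the public and internal addresses, the tester's source address and the gateway are all constructed for illustration.

```fortios
# Constructed values: 203.0.113.10 = new public IP on wan1, 10.0.0.20 = internal RDP host,
# 192.0.2.25 = tester's source address, 198.51.100.1 = wan2 gateway. Adjust to your environment.

# 1. VIP on the new interface with the external port set (rwpatterson's point: extintf and
#    extport must match the interface the traffic actually arrives on; one VIP, one interface).
config firewall vip
    edit "RDP-wan1-52002"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.20"
        set portforward enable
        set protocol tcp
        set extport 52002
        set mappedport 3389
    next
end

# 2. Trace the tester's packets to see where they are dropped (emnoc's diag debug flow).
#    A uRPF drop is reported in the trace as a reverse path check failure.
diagnose debug flow filter clear
diagnose debug flow filter addr 192.0.2.25
diagnose debug flow filter port 52002
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start 20
# ... now connect from 192.0.2.25 to 203.0.113.10:52002, then stop the trace:
diagnose debug flow trace stop
diagnose debug disable

# 3. Confirm the RPF theory: a /32 host route for the tester out of the interface the VIP
#    is bound to (emnoc's suggestion, WAN2 in his reply). Remove it once the test is done.
config router static
    edit 0
        set dst 192.0.2.25 255.255.255.255
        set gateway 198.51.100.1
        set device "wan2"
    next
end

# Check which route the FortiGate actually selects for the tester's address.
get router info routing-table details 192.0.2.25
```

If the trace shows the packet arriving on one WAN interface while the route back to the tester leaves via the other, that asymmetry is the RPF failure emnoc describes; fixing the routing (or the interface the VIP is bound to) is the durable fix, the host route is only the test.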