Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
laldana
New Contributor

VLANs cant go to the internet

I have a Cisco Catalyst 4500 core switch and various Cisco access switches. There are a number of VLANs configured on the 4500, and each VLAN has its own VLAN interface with an IP address configured, which is the default gateway of the PCs in the subnet. IP routing is enabled on the 4500, which allows traffic on the various VLANs to be routed back and forth. The internet gateway on the switch is an IP on the FortiGate (10.1.0.90).


I can't ping 10.1.0.90 from any of the VLANs except the VLAN the gateway is a member of. Once I dumped a PC onto the 10.1.x.x VLAN, I was able to ping that address with no problem. It looks like an 802.1Q issue. I ran some debugging commands on the FortiGate and the 4500. I set up a running ping from my PC on another VLAN to the address on the 10.1.x.x VLAN. The packet is arriving but, as you can see, has issues. From the FortiGate:

    id=13 trace_id=286 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=1, 10.1.20.3:1->10.1.0.90:8) from VLAN 20."
    id=13 trace_id=286 func=init_ip_session_common line=4428 msg="allocate a new session-0034069f"
    id=13 trace_id=286 func=ip_route_input_slow line=1279 msg="reverse path check fail, drop"
    id=13 trace_id=286 func=ip_session_handle_no_dst line=4490 msg="trace"

    # get router info routing-table all
    C       10.1.0.0/20 is directly connected, port1
    C       10.1.20.0/24 is directly connected, VLAN 20

I have read on another website that running the following command will correct the issue:

    config system settings
        set asymroute enable
    end


I ran the command in order to try the solution and it worked. VLAN 20 can go to the internet; nevertheless, "If you enable asymmetric routing, antivirus and intrusion prevention systems will not be effective. Your FortiGate unit will be unaware of connections and treat each packet individually. It will become a stateless firewall." (FortiOS Handbook)


Asymmetric routing is when the FortiGate unit recognizes the same packets repeated on multiple interfaces and blocks the session as a potential attack. I am creating VLAN subinterfaces on the same port where the core routes all traffic to the internet.


    SW-CORE#sh ip route
    Gateway of last resort is 10.1.0.90 to network 0.0.0.0

         10.0.0.0/8 is variably subnetted, 32 subnets, 3 masks
    C       10.1.0.0/20 is directly connected, Vlan1
    C       10.1.30.0/24 is directly connected, Vlan30
    C       10.1.20.0/24 is directly connected, Vlan20
    S*   0.0.0.0/0 [1/0] via 10.1.0.90

Any advice since I do not want to enable asymmetric routing.


Best Regards,

2 Solutions
ashukla_FTNT
Staff

laldana wrote:

I have a Cisco Catalyst 4500 core switch and various Cisco access switches. There are a number of VLANs configured on the 4500, and each VLAN has its own VLAN interface with an IP address configured, which is the default gateway of the PCs in the subnet. IP routing is enabled on the 4500, which allows traffic on the various VLANs to be routed back and forth. The internet gateway on the switch is an IP on the FortiGate (10.1.0.90).


I believe we should move all the inter-VLAN routing and gateway addresses to the FortiGate, or don't configure any VLANs on the FortiGate and send untagged traffic to the FortiGate.


It seems both the FortiGate and the 4500 are doing inter-VLAN routing, which is strange.

If you want to firewall the traffic between VLANs, remove all the inter-VLAN routing (L3 functions) from the 4500 and configure it on the FortiGate.


aaqibk
New Contributor II

    2019-03-13 10:36:53 id=20085 trace_id=5715801 func=ip_route_input_slow line=2240 msg="reverse path check fail, drop"
    2019-03-13 10:36:53 id=20085 trace_id=5715801 func=ip_session_handle_no_dst line=5150 msg="trace"
    2019-03-13 10:36:57 id=20085 trace_id=5715802 func=print_pkt_detail line=4930 msg="vd-VPSD157-ATE received a packet(proto=1, 192.168.250.50:1->10.100.130.11:2048) from ATE-MPLS. type=8, code=0, id=1, seq=639."
    2019-03-13 10:36:57 id=20085 trace_id=5715802 func=resolve_ip_tuple_fast line=4994 msg="Find an existing session, id-8b17dac3, original direction"


Can anyone help?


6 REPLIES
laldana
New Contributor

Thanks for your response ashukla,

I deleted all VLAN subinterfaces on the FortiGate and set the port of the Cisco to untagged mode.

I read that setting the port in access mode will send untagged traffic on that specific port:

    #sh run int gig X/X
    interface GigabitEthernetX/X
     switchport mode access
    end

Nevertheless, the FortiGate is still giving me problems, as VLAN 30 can't reach the FortiGate interface IP 10.1.0.90:

    id=13 trace_id=2499 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=1, 10.1.30.3:1->10.1.0.90:8) from port1."
    id=13 trace_id=2499 func=init_ip_session_common line=4430 msg="allocate a new session-0b66254d"
    id=13 trace_id=2499 func=ip_route_input_slow line=1279 msg="reverse path check fail, drop"
    id=13 trace_id=2499 func=ip_session_handle_no_dst line=4493 msg="trace"
    id=13 trace_id=2500 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=1, 10.1.30.3:1->10.1.0.90:8) from port1."
    id=13 trace_id=2500 func=init_ip_session_common line=4430 msg="allocate a new session-0b662810"
    id=13 trace_id=2500 func=ip_route_input_slow line=1279 msg="reverse path check fail, drop"
    id=13 trace_id=2500 func=ip_session_handle_no_dst line=4493 msg="trace"

Any advice?

laldana

I finally figured it out. I just needed to add the route on the FortiGate in order to make the subnet accessible for the FortiGate.

Thanks ashukla.
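As an added illustration that is not part of the thread, the small Python model below replays one of the "received a packet" debug-flow lines quoted earlier against the FortiGate's routing table, before and after the static route that resolved the issue. The FortiOS reverse path check is simplified here (loose mode: any route to the source via the ingress interface; strict mode: the best route must be via it), and the default route via "wan1" is an assumption, since the poster's routing-table output did not include it.

```python
import ipaddress
import re

# Routing table as the original poster showed it ("get router info routing-table all"),
# plus an ASSUMED default route out of "wan1" (the poster's output did not include it).
ROUTES_BEFORE = [
    ("10.1.0.0/20", "port1"),
    ("0.0.0.0/0", "wan1"),
]
# The poster's fix: a static route for the VLAN 30 subnet pointing back at the Catalyst via port1.
ROUTES_AFTER = ROUTES_BEFORE + [("10.1.30.0/24", "port1")]

# One "received a packet" line copied from the poster's debug flow output.
TRACE_LINE = ('id=13 trace_id=2499 func=resolve_ip_tuple_fast line=4299 '
              'msg="vd-root received a packet(proto=1, 10.1.30.3:1->10.1.0.90:8) from port1."')

PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from ([^."]+)\.')

def parse_trace(line):
    """Return (src, dst, ingress_interface) from a debug-flow 'received a packet' line."""
    m = PKT_RE.search(line)
    return (m.group(2), m.group(3), m.group(4)) if m else None

def routes_for(routes, ip):
    """All entries covering ip, most specific prefix first (longest-prefix order)."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p), intf) for p, intf in routes if addr in ipaddress.ip_network(p)]
    return sorted(hits, key=lambda h: h[0].prefixlen, reverse=True)

def reverse_path_check(routes, src, ingress, strict=False):
    """Simplified model of the FortiOS reverse path check: loose mode (the default)
    passes if any route to the source points out the ingress interface; strict mode
    requires the best (longest-prefix) route to do so."""
    hits = routes_for(routes, src)
    if not hits:
        return False
    if strict:
        return hits[0][1] == ingress
    return any(intf == ingress for _, intf in hits)

def evaluate(routes, line):
    """Replay one trace line against a routing table and report the verdict."""
    src, _dst, ingress = parse_trace(line)
    return "pass" if reverse_path_check(routes, src, ingress) else "reverse path check fail, drop"

if __name__ == "__main__":
    print(evaluate(ROUTES_BEFORE, TRACE_LINE))  # reverse path check fail, drop
    print(evaluate(ROUTES_AFTER, TRACE_LINE))   # pass
```

Without a route for 10.1.30.0/24 via port1 the source matches only the default route, so the packet fails the check exactly as the trace shows; adding the static route makes it pass in both loose and strict mode.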


Joshua_MJ

Hi, have you configured the route on your FortiGate to route traffic that's coming from VLAN 30?

adham
New Contributor

I have an L3 Avaya switch.

The switch has 2 VLANs:

VLAN 10 with IP address 30.30.30.3 255.255.255.0

VLAN 20 with IP address 20.20.20.3 255.255.255.0

Inter-VLAN routing is activated on both and IP routing is ON on all eth.

VLAN 10 has ports 11-24.

VLAN 20 has ports 2-10.

On VLAN 20 I am connecting a FortiGate 60C firewall; its interface IP address is 20.20.20.4, and I am connecting 1 PC that got IP 20.20.20.6 from the FortiGate DHCP pool.

On VLAN 10 a PC is connected with IP address 30.30.30.4.

On the firewall side I have a cable to WAN 1 with IP 172.16.100.1, and my firewall got IP address 172.16.100.132.

Internet on the firewall is working, also on the PC on VLAN 20 (the same VLAN as the firewall),

but on VLAN 10 I have no internet access, even though the PC on VLAN 10 can ping the firewall and access the GUI, and the firewall can ping it also.

As per static routes I have:

0.0.0.0/0.0.0.0 to wan 1 and default gateway is 172.16.100.1

30.30.30.0/255.255.255.0 internal, gateway 20.20.20.3

Policy is set all to all, NAT is activated on all interfaces.

How can I allow the PC on VLAN 10 to access the internet?