A duplicate entry already exists VIP

Taha1 · ‎11-28-2022

Hello EvryOne

We are using FortiGate201F v6.4.11

We have an internal web based application and I want my users to be able to connect to that application from outside our network.

So I wanted to NAT between our public IP and private IP

So am getting the below error:

A duplicate entry already exists.

The extip is overlapped with the gateway of static route.

So I searched the firewall I found that the same Public IP is defined as Gateway Address .

am not sure what that’s mean ?

Would any one kindly help.

Thanks.

Best Regards

Toshi_Esumi · ‎11-29-2022

That generally means the static route was misconfigured whoever configured it. You need to judge if you can/should remove it based on the destination subnet.

Toshi

View solution in original post

anikolov · ‎11-29-2022

Helo Taha1,

What is the subnet that you are using for a gateway? You can choose some other IP address with which you will do the VIP. Can you please share the related configuration for the VIP that you are trying to use? Interface, static route, VIP policy, firewall policy, static route?

Since I am asking you to provide parts of the configuration, some malicious user can read this, so you can mask the real IPs or use trusted host.

Regards,

Aleksandar Nikolov

Toshi_Esumi · ‎11-29-2022

That generally means the static route was misconfigured whoever configured it. You need to judge if you can/should remove it based on the destination subnet.

Toshi

YHC · ‎10-23-2023

Hi,

I have the same issue.

Here is our static route setting:

Could you advise how to correct the problem?

Thank you.

Toshi_Esumi · ‎10-23-2023

What is the VIP you tried configuring? CLI might be easier to paste into a post. "config firewall vip" then "show".

Toshi

YHC · ‎10-23-2023

We have pretty many VIPs have the same issues.

Here are some o them.

Is it because that we have more than one VIP behind the same public IP (27.x.x.x)?

Thank you.

Toshi_Esumi · ‎10-23-2023

Since those are port-mappings, there shouldn't be any conflict for themselves.

Why do you have two static default routes to the same "wan" interface/same circuit? One for dynamic GW and one for static GW? That might be causing problems.

Then run two commands at the top level of CLI tree. to make sure you don't have the same IP in the config statically or in routing-table dynamically.
"show | grep -f 27.x.x.116"
"get router info routing-t all | grep 27.x.x.116"

Toshi

YHC · ‎10-26-2023

Frankly speaking, I am not sure why we have two static default routes to the same "wan" interface. Can we simply delete the one with dynamic GW?

For those two commands, the first one shows a lot of info, and the second one returns nothing.

Please advise us how to make sure we don't have the same IP in the config statically or in routing-table dynamically. Thank you.

Toshi_Esumi · ‎10-26-2023

If if the gateway is supposed to be static, remove it.

You were the one who set up VIPs and static routes. You should be able to tell which one is not supposed to be there out for the output.

If you need more help, you should open a TAC case to get looked into. It's very hard to "guess" until get in the FGT and look inside, which TAC would do when you open a case.

Toshi

Taha1 · ‎12-21-2022

Dear All,

thanks alot for the support

the issue was related to the Static Route .

we have fixed it and every thing is fine now.

thanks.

Best Regards

A duplicate entry already exists VIP

Nominate a Forum Post for Knowledge Article Creation