Taha1
New Contributor

A duplicate entry already exists VIP

Hello Everyone

 

We are using FortiGate201F v6.4.11

We have an internal web based application and I want my users to be able to connect to that application from outside our network.

So I wanted to NAT between our public IP and private IP

So I am getting the below error:

 

A duplicate entry already exists.

The extip is overlapped with the gateway of static route.

 

So I searched the firewall and found that the same public IP is defined as a gateway address.

 

I am not sure what that means.

Would anyone kindly help?

 

Thanks.

Best Regards
1 Solution
Toshi_Esumi
Esteemed Contributor III

That generally means the static route was misconfigured by whoever configured it. You need to judge if you can/should remove it based on the destination subnet.

 

Toshi

anikolov
Staff

Hello Taha1,

 

What is the subnet that you are using for a gateway? You can choose some other IP address with which you will do the VIP. Can you please share the related configuration for the VIP that you are trying to use? Interface, static route, VIP policy, firewall policy, static route?

 

Since I am asking you to provide parts of the configuration, some malicious user can read this, so you can mask the real IPs or use trusted host. 

 

Regards,

 

Aleksandar Nikolov
YHC
New Contributor III

Hi,

 

I have the same issue.

Here is our static route setting:

 

[Image: 圖片 1.png]

Could you advise how to correct the problem?  

Thank you.

Toshi_Esumi
Esteemed Contributor III

What is the VIP you tried configuring? CLI might be easier to paste into a post. "config firewall vip" then "show".

 

Toshi

YHC
New Contributor III

We have pretty many VIPs that have the same issue.

Here are some of them.

Is it because we have more than one VIP behind the same public IP (27.x.x.x)?

Thank you.

[Image: 圖片 2_png.png]

Toshi_Esumi
Esteemed Contributor III

Since those are port-mappings, there shouldn't be any conflict among themselves.


Why do you have two static default routes to the same "wan" interface/same circuit? One for dynamic GW and one for static GW? That might be causing problems.

Then run two commands at the top level of the CLI tree to make sure you don't have the same IP in the config statically or in routing-table dynamically.
"show | grep -f 27.x.x.116"
"get router info routing-t all | grep 27.x.x.116"

Toshi
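
Added example (not part of the thread and not Fortinet tooling): an offline version of the check Toshi describes, run in Python against a saved configuration backup instead of the live CLI. The sample configuration is constructed with documentation addresses, the function names are hypothetical, and treating an extip range as overlapping whenever a gateway falls inside it is an assumption that goes beyond the single-IP case in this thread.

```python
from ipaddress import ip_address as ip

# Constructed sample in FortiOS backup syntax (documentation addresses, not the thread's).
SAMPLE_CONFIG = """
config firewall vip
    edit "web-app"
        set extip 203.0.113.1
    next
    edit "mail-range"
        set extip 203.0.113.20-203.0.113.22
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
end
"""

def parse_section(config, header):
    """Return {entry: {key: value}} for one top-level 'config <header>' table."""
    entries, current, depth = {}, None, 0
    for line in map(str.strip, config.splitlines()):
        if depth == 0:
            depth = int(line == f"config {header}")
        elif line.startswith("config "):
            depth += 1  # nested table inside an entry: skipped
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            current[key] = value.strip('"')
    return entries

def find_overlaps(config):
    """Return (vip, extip, route_id, gateway) for each gateway inside a VIP's extip."""
    routes, hits = parse_section(config, "router static"), []
    for vip, v in parse_section(config, "firewall vip").items():
        first, _, last = v.get("extip", "").partition("-")  # single IP or range
        for rid, r in routes.items():
            if first and "gateway" in r and ip(first) <= ip(r["gateway"]) <= ip(last or first):
                hits.append((vip, v["extip"], rid, r["gateway"]))
    return hits

for hit in find_overlaps(SAMPLE_CONFIG):
    print('VIP "%s" (extip %s) overlaps gateway of static route %s (%s)' % hit)
```

Each reported pair names the VIP and the static route entry to compare, which is the judgement call the replies above leave to the administrator.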

YHC
New Contributor III

Frankly speaking, I am not sure why we have two static default routes to the same "wan" interface.  Can we simply delete the one with dynamic GW?

 

For those two commands, the first one shows a lot of info, and the second one returns nothing.

Please advise us how to make sure we don't have the same IP in the config statically or in routing-table dynamically.  Thank you.

 

Toshi_Esumi
Esteemed Contributor III

If the gateway is supposed to be static, remove it.

 

You were the one who set up VIPs and static routes. You should be able to tell which one is not supposed to be there from the output.

If you need more help, you should open a TAC case to get it looked into. It's very hard to "guess" until someone gets into the FGT and looks inside, which TAC would do when you open a case.

 

Toshi

Taha1
New Contributor

Dear All,

Thanks a lot for the support.

The issue was related to the static route.

We have fixed it and everything is fine now.

 

Thanks.

Best Regards