Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Akamai sites fail in browser, can ping
Options
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Akamai sites fail in browser, can ping
I have a strange issue. New customer with (2) DSL connections on WAN1 & WAN2.
WAN 1 = /28 block of IP' s
WAN 2 = /29 block of IP' s
All websites function fine, however, any site that' s hosted on Akamai web site just spins. pb.com, staples.com, officemax.com, microsoft.com
Customer made us aware as this is a new installation. Remote control of a PC at the location shows this, however when running a packet sniff, many trans-it exceeded errors during trace routes from the PC.
PW Policies work (NAT) (internal->WAN1) (internal -> WAN2)
Routes are EQLB
Pings & Trace-routes to said sites reply and finish....
Called ISP asking if they were experiencing peering issues....
Perplexed..... customer thinks it' s the firewall since its " new" .
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
27 REPLIES 27
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
So if it was bad route, would it not exist when the 2 tech came out and tested from their dslmodem? I highly doubt it' s a bad route btw.
If your not getting the SYN-ACK back, it might be that some mitigation gear/process is blocking your initial SYN request.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I am only speculating about routing. ...if the ISP was doing something on their end in regards to the 2 dsl modems.
I may get some time tonight to remote into a machine there.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
This may be more deep in FGT world than meets the eye. When using 2 WAN links from 2 ISPs, try using 2 separate DNS servers. I had an installation with dual WANs where one was Verizon and the second was Cablevision. When using the Verizon DNS servers, the WAN traffic going through the Cablevision link wouldn' t flow due to VZ DNS. And the opposite held with the CV traffic and VZ DNS. I switched to third party DNS and all worked as designed. (4.2.2.1, etc...)
Also when using 2 WAN links, the FGT ' load balances' by sending odd IP addresses out WAN 1 and even IP addresses out WAN2. Not quite 100% accurate as far as traffic flow, but that' s what you seem to get. What I did was to put WAN1 and WAN2 in a zone called Internet, and just set up one instance of outgoing policies. This way, I couldn' t care less which link was up or down or what the source IP was. It just flowed. Not sure if the load was balanced evenly because I was using fail over mode.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
The dual link is same ISP. When I shipped the Fortigare wifi60c, I placed both wans in a zone called Internet exactly as you describe. When we were notified of the issue, I removed the zone.
UPDATED info....Packet Tracer:
From a PC connected behind the Fortigate. Using Chrome or any browser, www.uline.com ; output below.
FWF60C3G11011929 # diagnose debug flow filter saddr 10.212.161.77
FWF60C3G11011929 # diagnose debug flow filter dport 80
FWF60C3G11011929 # diagnose debug flow show console enable
FWF60C3G11011929 # diagnose debug flow trace start 20
FWF60C3G11011929 # id=36870 trace_id=2 msg=" vd-root received a packet(proto=6, 10.212.161.77:4382->23.60.74.100:80) from internal."
id=36870 trace_id=2 msg=" Find an existing session, id-00000ad6, original direction"
id=36870 trace_id=2 msg=" SNAT 10.212.161.77->50.122.92.211:24978"
id=36870 trace_id=3 msg=" vd-root received a packet(proto=6, 10.212.161.77:4384->23.60.74.100:80) from internal."
id=36870 trace_id=3 msg=" allocate a new session-00000af3"
id=36870 trace_id=3 msg=" find a route: gw-50.122.92.209 via wan2"
id=36870 trace_id=3 msg=" find SNAT: IP-50.122.92.211, port-60844"
id=36870 trace_id=3 msg=" Allowed by Policy-2: SNAT"
id=36870 trace_id=3 msg=" SNAT 10.212.161.77->50.122.92.211:60844"
id=36870 trace_id=4 msg=" vd-root received a packet(proto=6, 10.212.161.77:4384->23.60.74.100:80) from internal."
id=36870 trace_id=4 msg=" Find an existing session, id-00000af3, original direction"
id=36870 trace_id=4 msg=" SNAT 10.212.161.77->50.122.92.211:60844"
id=36870 trace_id=5 msg=" vd-root received a packet(proto=6, 10.212.161.77:4384->23.60.74.100:80) from internal."
id=36870 trace_id=5 msg=" Find an existing session, id-00000af3, original direction"
id=36870 trace_id=5 msg=" SNAT 10.212.161.77->50.122.92.211:60844"
id=36870 trace_id=6 msg=" vd-root received a packet(proto=6, 10.212.161.77:4382->23.60.74.100:80) from internal."
id=36870 trace_id=6 msg=" find a route: gw-50.122.92.209 via wan2"
FWF60C3G11011929 # diagnose snifferid=36870 trace_id=7 msg=" vd-root received a packet(proto=6, 10.212.161.77:4382->23.60.74.100:80) from internal."
id=36870 trace_id=7 msg=" find a route: gw-50.122.92.209 via wan2"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Have you tried creating a wide open policy for a single work station and seeing if that worked?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Logged into Fortigate, created (2) policies above Internal:LAN -> WAN1:all & WAN2:All (enable NAT)
Internal:PC -> WAN1:All (enable NAT)
Internal:PC -> WAN2:All (enable NAT)
www.msn.com
www.cnn.com
...
Browser works.
www.staples.com
www.pb.com
www.officemax.com
www.uline.com
Browser spins - times out after 10 mins.
No difference
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
...and you' re certain that the unit is using that policy? (It' s at or near the top of the policy list)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Certain. There' s only (4) policies including the (2) just added. This is a NEW install. One PC is behind the firewall for testing the ISP DSL connections. They don' t want to switch over until we resolve this situation. I opened a ticket w/ Fortinet - waiting on a response.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I know what your problem is :)
It' s dns related and resolving the link to the CNAME. I bet you a whole dollar that' s the issue and it has nothing to do with the fwpolicy.
Can you shed light into what is the client dns-server? Also if you change dns-servers and not use the fortigate or assigned dns-servers via DHCP, does the problem exists?
For starters, I would run nslookup in debug or use dig watch the requests and if the recursive is set ( +norecurse ). But the problem is most likely dns and related to your dns-servers for the client.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
On phone w/ TAC now. Don' t think that' s it...
Used different DNS providers (Google & OpenDNS) including ISP, same result. Appears to be Akamai related only. Same result from two different PC' s, different OS behind firewall. TAC is bringing in senior TAC to assist.
Working in progress....
ISP went onsite and did the typical....works for us...must be the firewall and left.
---UPDATE---
Had the customer plug a PC directly into the DSL modem w/ configured IP from routable block and showed same symptoms. This means the ISP lied. Sigh
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- SAML Auth with Conditional Access that... 653 Views
- Issues with Web and App filter 522 Views
- Throuble accessing from https to FGT... 1040 Views
- web filter with certificate inspection error 4606 Views
- Web Filter does not work properly... 2668 Views
Labels
-
FortiGate
8,366 -
FortiClient
1,692 -
5.2
801 -
FortiManager
706 -
5.4
639 -
FortiAnalyzer
535 -
FortiSwitch
452 -
FortiAP
447 -
6.0
416 -
FortiClient EMS
395 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
194 -
IPsec
178 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
105 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
50 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiPAM
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
FortiGate v5.0
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
Explicit proxy
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1634 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.