The most expensive and scarce resource for man is time, paradoxically, it's infinite.
> As we speak the default route is originated from DialTelecom:
> get router info routing-table bgp
> B* 0.0.0.0/0 [20/0] via 188.209.a.c, DialTelecom, 2d14h24m

In your setup, how are you receiving routes from both upstreams (partial, full, single default route)? Have you validated that the network you're sourcing is being sent to Euroweb? Have you queried any RIPE route-servers/looking-glass for routing information, or validated that Euroweb has your 85.204.224.0/20 prefix in the route table, or whatever prefix you're sending?

I would start at minimum with RIPE RIS http://www.ripe.net/data-tools/stats/ris/routing-information-service and validate that routing information is present within the Euroweb router-database.
PCNSE
NSE
StrongSwan
> I mention that I enabled the asymmetric routing:

And now you disabled this. Asymmetrical routing is going to be required due to the nature of your traffic and the 2 upstream uplinks, where any one of these could be the path for the returned traffic.

> Now on their way back they have to use the default route originated by Dial. As I disabled asymmetric routing I believe it should return, but it doesn't happen this way.

Not correct, you can't control how the internet returns traffic to YOU. Your default-route is just a catch-all for traffic leaving your network. Bottom line, does the problem go away when you have asymmetrical routing enabled?
> Packets arrive from 5 hops away on Euroweb interface with source 85..... and according to the routing table on the appliance they should leave on the other interface (DialTelecom); but they get stuck.

Okay, clearer (I think), so you have a FGT with 2 WAN interfaces doing eBGP to 2 different ISPs, but only receiving one default route. For all purposes, since you're cryptic in your ip_address information, here's my scenario:

- eBGP peer 188.209.1.1 -.2 (DialTelecom)
- eBGP peer 77.77.1.1 -.2 (Euroweb)

Note: In both cases .2 is your side, or the FortiGate device ip_address for WAN interfaces 1 & 2 for the respective interfaces.

So you're trying to ping 77.77.1.2 and hope that the response goes back through DialTelecom? Are these assumptions correct up to this point?

Q1: Does telecom allow for distribution of provider #2 network space? Can you check a looking glass to see how the destination network looks within that looking glass and the as_path hops for that network?

Q2: Also, what happens if you ping the network (prefix) that you're advertising to ISP #1 & #2? (Assumption is you're sending your 24 to both providers.) Does that work?

This could be something as simple as provider #1 & #2 don't know about each other (your WAN interface addresses), and I don't think zone pairs are going to magically migrate packets in that shape or fashion, nor should they be used in that fashion. Also, intra-zone-allow doesn't work in that fashion either; it would be for any traffic from within the zone pair, e.g. DialTelecom to Euroweb, or Euroweb to DialTelecom. In this case that you're describing, you want to use the other WAN interface (DialTelecom) as a transient to the internet.

And for the obvious, make sure ICMP is allowed for both wan1 & 2 allowaccess. Outside of that, you have a very strange setup and scenario. If Euroweb has a looking glass, I would like to see what your pings and traceroutes look like to each public address: http://lg.euroweb.ro/
Copyright 2024 Fortinet, Inc. All Rights Reserved.