Support Forum
calla
New Contributor

Central SNAT and IP Pool

Today I faced a problem where, after an upgrade from 7.0.13 to 7.0.14, a site-to-site VPN stopped working.

Traffic was received but not sent. The issue was an unused/unreferenced IP pool whose address matched the remote subnet of the affected VPN tunnel. It had been there since 6.4.10 and had survived about 5-6 upgrades so far.

Fortinet TAC located it and asked me to remove it, and poof - issue resolved.

I did know that DNAT statements do need to be referenced anywhere in order to be used when Central SNAT is enabled but did not know the same goes for NAT/IP Pools.

So, the lesson is to remove unused IP pools.

Unrelated: after the upgrade to 7.0.14, Hit Count is very moody on DNAT policies and on firewall policies where the destination address is a loopback interface. On some DNATs it works, on some it doesn't. I did verify that the DNATs showing "0" hits are in fact being hit (working).
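Since the lesson above is really an audit step, here is an added example (not from the poster, Fortinet or the forum) that scans a FortiOS CLI dump for IP pools that no central SNAT rule names and whose range overlaps a phase2 remote subnet. The section and key names (`firewall ippool` with `startip`/`endip`, `firewall central-snat-map` with `nat-ippool`, `vpn ipsec phase2-interface` with `dst-subnet`) are assumed from the standard CLI, the parser is flat (nested sub-tables are ignored), and the config text is constructed.

```python
import ipaddress
# Constructed FortiOS CLI excerpt (not the poster's config): a pool nothing references
# whose range sits inside the remote subnet of a phase2 selector.
SAMPLE_CONFIG = """\
config firewall ippool
    edit "old-pool"
        set startip 10.20.30.1
        set endip 10.20.30.254
    next
end
config vpn ipsec phase2-interface
    edit "site-b"
        set dst-subnet 10.20.30.0 255.255.255.0
    next
end
"""

def parse_sections(text):
    # Flat parser giving {section: {entry: {key: value}}}; nested sub-tables are ignored.
    sections, section, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            section = sections.setdefault(line[7:], {})
        elif line.startswith("edit ") and section is not None:
            entry = section.setdefault(line[5:].strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections

def stale_pools_overlapping_vpn(text):
    # Unreferenced pools whose range intersects a phase2 remote subnet (the poster's failure).
    cfg = parse_sections(text)
    used = {e.get("nat-ippool") for e in cfg.get("firewall central-snat-map", {}).values()}
    remote = [ipaddress.ip_network(e["dst-subnet"].replace(" ", "/"), strict=False)
              for e in cfg.get("vpn ipsec phase2-interface", {}).values() if "dst-subnet" in e]
    findings = []
    for name, pool in cfg.get("firewall ippool", {}).items():
        if name in used or "startip" not in pool:
            continue
        lo = int(ipaddress.ip_address(pool["startip"]))
        hi = int(ipaddress.ip_address(pool.get("endip", pool["startip"])))
        for net in remote:
            if lo <= int(net[-1]) and hi >= int(net[0]):
                findings.append((name, str(net)))
    return findings
```

Run it over the output of `show firewall ippool`, `show firewall central-snat-map` and `show vpn ipsec phase2-interface` concatenated; a pool that a central SNAT rule does name is skipped, so only stale overlaps are reported.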

1 REPLY
AEK
SuperUser