Today I faced a problem where after upgrade from 7.0.13 to 7.0.14, site to site VPN stopped working.
Traffic was received but not sent. The issue was unused/unreferenced IP pool whose address matched remote subnet for affected VPN tunnel. It was there since 6.4.10 and survived about 5-6 upgrades thus far.
Fortinet TAC located and it asked me to remove it and poof - issue resolved.
I did know that DNAT statements do need to be referenced anywhere in order to be used when Central SNAT is enabled but did not know the same goes for NAT/IP Pools.
So, lesson is to remove unused IP Pools.
Unrelated: after upgrade to 7.0.14 - Hit Count is very moody on DNAT policies and firewall policies where destination address is a loopback interface. On some DNATs it works, on some it doesn't. I did verify that DNATs are being hit (working) for those that show "0" hits.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.