Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Netscape
New Contributor

Created on ‎11-20-2010 06:38 AM

Connection to DMZ very slow

Hi, following problem: Fortigate 80C v4.0,build0291,100824 (MR2 Patch 2) We got two ISP´s. One SDSL with 10MBit and one with 2MBit. So I configured WAN1(10MBit) and WAN2(2Mbit) with failover setting. Two Default Routes with different priority. So far so good. Now I try to connect to the Mail Server in the DMZ over telnet and port 25. I get a connection, but it´s very slow. It take about 20 seconds after i get the helo message from the mail server(same from the internet or the local lan). And I can´t connect via SSH to the server even it´s allowed. I think the connection is to slow. And to one other Server in the DMZ i can connect with WinSCP. It need´s about 25 seconds, but I get a connection. But I can´t connect to this server with ssh. Here´s a screenshot from the internal to dmz FW Policy:
Preview file
17 KB
6157
0 Kudos
6 REPLIES 6
ede_pfau
SuperUser
SuperUser

Created on ‎11-20-2010 09:18 AM

Hi, - is DNS involved? Can you reach the server via it' s IP in time? - how are the reply times for ping? - how do you access the server - via a VIP? Definition of it?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
2637
0 Kudos
Netscape
New Contributor

Created on ‎11-21-2010 04:18 AM

Hi, DNS is only involved when I try it from external. But it´s allways the same. The ping is ok. From external it´s about 50ms. From internal <1ms. From external I connect via DNS name and VIP(tried also only VIP). From internal LAN I use the LAN ip address. No difference between access from external or internal. Took always about 20 seconds after the first response from server.
2637
0 Kudos
HA
Contributor

Created on ‎11-21-2010 11:56 PM

Hello, Your mail server is probably trying to resolve your hostname using DNS. Do you have the same kind of problem using SSH (after you type the username, password prompt takes a while before it appears) ? If yes, it' s a DNS issue... Regards, Hedi
2637
0 Kudos
Netscape
New Contributor

Created on ‎11-22-2010 01:10 AM

The problem is, I can´t connect using ssh. I get an connection timeout error. But I can connect to one server with WinSCP. But I can´t connect to this Server with SSH.
2637
0 Kudos
emnoc
Esteemed Contributor III

Created on ‎11-22-2010 06:04 AM

Are you 100% sure that SSH is up and running on the server that your trying to connect to? Jump on a server within the DMZ and either ssh into the other server or telnet x.x.x.x 22 if you don' t have a client and see if you get connected. Based on the above test(s), will help you diagnose the ssh issues. also add: you do have a packet sniffer built in, so you can always run a packet trace on the dmz interface e.g diag sniffer packet dmz ' port 22'

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
2637
0 Kudos
Netscape
New Contributor

Created on ‎11-24-2010 02:01 AM

I´m 100% sure that SSH is up and running. I´ve just replace the old firewall with the new. Nothing other is changed. But in cause of the error I had to change it back to our old firewall. I try it with the sniffer. But I can test it only at the weekend. So it need some to send the answer.
2637
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.