Connectivity Issue Between 2 Fortigate ?!

huud · ‎06-08-2024

Hi,

I have 2 Fortigate setup as below, and the issue as follows.

FW1 cannot ping anything on FW2. network, but FW2 can ping FW1's 10.11.30 and 10.11.40 network.

BGP is setup between the 2 and is working fine, with RouteMap and Prefix List, so traffic from 10.11.30.0 flows through port1 (192.168.9.181) and 10.11.40.0 through port2 (192.168.9.182), smae configuration is on FW2 for 10.21 network.

FW1

Routing table for VRF=0
C 10.11.30.0/24 is directly connected, VLAN30
C 10.11.40.0/24 is directly connected, VLAN40
B 10.21.30.0/24 [20/0] via 192.168.9.182 (recursive is directly connected, port1), 00:18:07, [1/0]
B 10.21.40.0/24 [20/0] via 192.168.10.182 (recursive is directly connected, port2), 00:17:40, [1/0]
C 192.168.9.0/24 is directly connected, port1
C 192.168.10.0/24 is directly connected, port2

FW2

Routing table for VRF=0
B 10.11.30.0/24 [20/0] via 192.168.9.181 (recursive is directly connected, port1), 00:18:47, [1/0]
B 10.11.40.0/24 [20/0] via 192.168.10.181 (recursive is directly connected, port2), 00:18:15, [1/0]
C 10.21.30.0/24 is directly connected, VLAN2130
C 10.21.40.0/24 is directly connected, VLAN2140
C 192.168.9.0/24 is directly connected, port1
C 192.168.10.0/24 is directly connected, port2

I ran sniffer on FW2 to capture the traffic and this is all no icmp reply

FW2 # diagnose sniffer packet any 'host 192.168.9.181' 4 0 1 interfaces=[any]
Using Original Sniffing Mode
interfaces=[any]
filters=[host 192.168.9.181]
pcap_snapshot: snaplen raised from 0 to 262144
0.696750 port1 in 192.168.9.181 -> 10.21.30.100: icmp: echo request
1.696916 port1 in 192.168.9.181 -> 10.21.30.100: icmp: echo request
2.697103 port1 in 192.168.9.181 -> 10.21.30.100: icmp: echo request
3.697244 port1 in 192.168.9.181 -> 10.21.30.100: icmp: echo request
4.696819 port1 in arp who-has 192.168.9.182 tell 192.168.9.181
4.696838 port1 out arp reply 192.168.9.182 is-at 00:0c:29:a3:9f:f6
25.959741 port1 in 192.168.9.181.10737 -> 192.168.9.182.179: psh 1515141430 ack 1109234650
25.959852 port1 out 192.168.9.182.179 -> 192.168.9.181.10737: ack 1515141449
26.637436 port1 out 192.168.9.182.179 -> 192.168.9.181.10737: psh 1109234650 ack 1515141449
26.638116 port1 in 192.168.9.181.10737 -> 192.168.9.182.179: ack 1109234669
30.977359 port1 out arp who-has 192.168.9.181 tell 192.168.9.182
30.977987 port1 in arp reply 192.168.9.181 is-at 00:0c:29:ef:3e:b4

The policies are the same on both.

Not sure what is going on, any thoughts ?

Thank you

ede_pfau · ‎06-09-2024

For example, you're missing VL30 > p2, if VL30 is sending traffic to VL2140. You've got only half of the required policies.

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

huud · ‎06-09-2024

Appreciate everyones input..

On the same topic, unsure if I should open a different thread.

How to allow traffic for the VM behind FW1 to reach VM behind FW2, and vice versa ?

In the above only firewalls are able to reach each other.

srajeswaran · ‎06-09-2024

If you create firewall policies from VLAN interfaces to port1/port2 on both firewalls and enable source NAT, ideally this communication should work without any additional changes.

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

huud · ‎06-09-2024

I did this, but VM in FW1 10.11.30/0/24 can reach FW2 10.21.30.0/24 but not 10.21.40.0, this is the same vice versa.

ede_pfau · ‎06-09-2024

So you need 4 policies per FW, at least.

Ede Kernel panic: Aiee, killing interrupt handler!

huud · ‎06-09-2024

I think I have 4 policies 2 per port..

ebilcari · ‎06-09-2024

The routes seems inserted correctly in the routing table. You will need two firewall policies on both Firewalls to allow traffic from the perspective of the host that initiates the connection where it reaches the firewall.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

huud · ‎06-09-2024

Thanks,

Is this what is being referred to as Source NAT, this in the Policy itself ?

And do I need to enable Preserve Source Port ?

ede_pfau · ‎06-09-2024

I recommend not to go this way. SNAT is poor man's routing.

That is, your routing is insufficient. NATting the traffic will conceal this and make it work but it still is incorrect.

On your VMs, is the default route (0.0.0.0/0) pointing to the FGT? If you don't want to use the default route for this, create a specific route to the remote network, with the gateway address as the address of the directly connected FGT interface. The FGT will then route the traffic to remote.

Ede Kernel panic: Aiee, killing interrupt handler!

ede_pfau · ‎06-09-2024

and to your question about "preserve source port": you supply 1 NAT address, the interface's address. What will happen if you fix the source port as well? What if you open 2 or more connections/sessions?

Ede Kernel panic: Aiee, killing interrupt handler!

ebilcari · ‎06-09-2024

This is one way of doing it (maybe the simplest one), but since you have proper routing and non overlapping destination subnets you may not use NAT at all, just allow the traffic sourced by the real IPs.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.