- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiADC
- FortiAnalyzer
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- DMZ - IP Address conflict!
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 06-15-2007 11:50 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DMZ - IP Address conflict!
I can' t figure this out.
I have Fortigate-60 (firmware 413 - build8424) and have DMZ interface configured with the address 192.168.10.1/255.255.255.0.
I have a PC directly connected to the DMZ port with a static address 192.168.10.10/255.255.255.0.
For some reason, the PC will not connect to the network. Windows complains that there is an IP address conflict with another system on the network. Checking the logs on the PC and it shows the conflict is with the DMZ interface. ( I can tell by the MAC address.)
Am I missing something here?????
Any suggestions at all are appreciated.
24 REPLIES 24
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have seen similar problems a long time ago on Windows 95 machines. The NIC card had to be removed an re installed (electronically, not physically). If you change the IP address, and the conflict message comes up with the new IP address as well, it' s probably a Windows problem. Try to reinstall and connect again.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Not applicable
Created on 06-15-2007 12:22 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bob - thanks for the suggestion.
I did try with different addresses:
DMZ - 192.168.56.1
PC - 192.168.56.10
Same result.
I just discovered the packet sniffer in the Fortigate unit. I turned it on to sniff all packets on the DMZ port. Then I disabled and enabled the NIC on the PC.
---- sniffer output ---
342.536080 arp who-has 192.168.56.10 tell 192.168.56.10
342.536138 arp reply 192.168.56.10 is-at 0:9:f:b:90:3d
----- --------
This is the weird part - the MAC address listed (0:9:f:b:90:3d) is the DMZ port. Why does the DMZ port think that it has the .10 address???
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try another PC. See if the problem stays there with the FGT.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something is corrupt on that PC. Notice on your packet sniff that 192.168.56.10 is asking who-has 192.168.56.10? Why would a device ask for the MAC address of itself?
FCSE > FCNSP 2.8 > FCNSP 3.0
(Former) FCT
FCSE > FCNSP 2.8 > FCNSP 3.0 (Former) FCT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ORIGINAL: Fireshield Something is corrupt on that PC. Notice on your packet sniff that 192.168.56.10 is asking who-has 192.168.56.10? Why would a device ask for the MAC address of itself?I doubt it would be the PC doing the arp reply, thats most likely the firewall causingt this, try another pc. Do you have the pc directly connected to the dmz port? or with a switch in between? if the latter any other devices connected? do you have the firewall in NAT mode or Transparent mode? otherwise as ede_pfau asked what about DHCP/VIPS? something fishy here.... very odd ...
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Not applicable
Created on 06-15-2007 12:47 PM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good point, Fireshield.
Thanks for your comments, gents.
I am going to try with a different PC and see if the results differ...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- You' re 100% sure you didn' t mis-type one of the addresses? One can mix up .1 and .10 easily.
- Another idea: do you have any proxy IDs or VIPs configured?
- Do you have a DHCP server configured on the DMZ interface?
BTW, what is the other network the FGT is connected to?
- Ede
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just thought of a couple of other things;,
Check you havent got an VIP " IP POOL" in use on the DMZ interface?
Check you havent got a VIP using the DMZ interface (like an 0.0.0.0 entry)
and you have rebooted the firewall since changing the ip, havent you?
Run the command " get system arp" and print the results here as well.
The first one in the list above would be the most possible problem.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Not applicable
Created on 06-19-2007 08:02 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the suggestions!
I double-checked the IP addresses to make sure it wasn' t just a typo causing all the problems. In fact, I replaced all the addresses with a new set and still had the conflict
DHCP server is not active on the FG-60. No proxy IDs are configured. One VIP is configured for doing address translation from Internet to DMZ.
The FG-60 is connected to the Internet via wan1 to a Cisco router. The corporate network is connected via internal port to an HP switch. The DMZ has only one machine connected to it - and it is directly connected to the DMZ port.
I ran the command ' get system arp' . Here is the output:
FGT-602904402748 # get system arp
Address Age(min) Hardware Addr Interface
192.168.2.1 0 00:c0:9f:2a:fd:f2 internal
192.168.2.5 0 00:11:20:4c:bf:42 internal
192.168.2.6 1 00:12:d9:17:86:1e internal
192.168.2.49 0 00:19:30:dd:9c:c4 internal
192.168.2.55 0 00:0f:ea:78:de:70 internal
192.168.2.57 5 00:15:f2:4c:90:86 internal
192.168.2.88 0 00:80:5f:9f:68:6a internal
192.168.2.100 0 00:16:36:36:18:ff internal
192.168.2.101 0 00:c0:a8:8b:bb:77 internal
192.168.2.102 6 00:16:36:71:7a:2e internal
192.168.2.104 0 00:17:08:5e:e2:9d internal
192.168.2.105 2 00:16:cb:a3:7d:3c internal
192.168.2.107 0 00:17:08:5f:1e:b6 internal
192.168.2.109 0 00:0f:b0:86:be:c9 internal
192.168.2.111 0 00:11:d8:6a:b2:f6 internal
192.168.2.113 0 00:c0:9f:8b:27:a7 internal
192.168.2.115 0 00:0a:e4:a0:40:b0 internal
192.168.2.117 4 00:0e:a6:80:2a:48 internal
192.168.2.118 0 00:15:f2:45:34:85 internal
207.236.146.241 0 00:02:16:de:36:41 wan1
I notice that the DMZ doesn' t report its address! That' s not right, is it?
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- How can I provide a different... 99 Views
- What da heck is going on... 197 Views
- Fortigate using proxy to update fortigurad... 203 Views
- zScaler VPN with dynamic ip 94 Views
- FortiManager-Add device by pre shared key 143 Views
Labels
-
FortiGate
7,099 -
FortiClient
1,399 -
5.2
801 -
5.4
639 -
FortiManager
615 -
FortiAnalyzer
449 -
6.0
416 -
FortiAP
373 -
FortiSwitch
368 -
5.6
362 -
FortiClient EMS
288 -
FortiMail
276 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
6.4
128 -
FortiNAC
124 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
100 -
FortiGateCloud
95 -
FortiSIEM
92 -
FortiCloud Products
88 -
FortiToken
76 -
Customer Service
71 -
Wireless Controller
64 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
47 -
FortiADC
45 -
Fortivoice
44 -
FortiEDR
43 -
FortiDNS
38 -
FortiExtender
36 -
FortiGate v5.4
35 -
FortiAuthenticator
34 -
FortiSandbox
33 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
LDAP
17 -
Interface
17 -
VDOM
17 -
Routing
15 -
FortiMonitor
14 -
Authentication
14 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
Logging
14 -
FortiDDoS
13 -
RADIUS
12 -
FortiCASB
12 -
NAT
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSL SSH inspection
10 -
SSO
10 -
Application control
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Web application firewall profile
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
FortiAP profile
6 -
OSPF
6 -
Static route
6 -
IPS signature
5 -
Packet capture
5 -
FortiPAM
5 -
Automation
5 -
trunk
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
Port policy
4 -
Antivirus profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
3.6
4 -
FortiScan
4 -
Web rating
4 -
Intrusion prevention
4 -
FortiDeceptor
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
DLP sensor
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
Netflow
2 -
FortiInsight
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
DLP Dictionary
2 -
VoIP profile
2 -
DLP profile
2 -
Fabric connector
2 -
Multicast policy
1 -
4.0MR1
1 -
Zone
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1054 | |
| 872 | |
| 521 | |
| 441 | |
| 146 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.