fl0at0xff
New Contributor II

Deny IP Connection error - FortiOS 5.4.1 on some model

Hello. I have the same problem (or a similar one) with a FortiGate 60D / E 5.4.1 and with a FortiWiFi 60E. I just have LAN and WAN connected, one policy to allow LAN to WAN all traffic with Log All Sessions enabled. My devices connected to the LAN interfaces are able to surf on the internet (policy and default route created). This policy logs all sessions. In the log settings, I log everything I want to memory and I display the log from memory. But when I want to see the log, I just see "Deny: IP Connection Error". I can't see allowed traffic or other potential denies. This is very strange because these log entries match my unique policy "LAN to WAN".

10 replies
sebag
New Contributor III

I have the same problem with an FG200D and FG60D using 5.4.1. It's blocking Google-Web and this device (an Android phone) can't download an app from Google Play. If I connect it to a 4G network it downloads OK.

tanr
Valued Contributor II

@fl0at0xff,

 

The deny you had selected in the image was showing TCP 8013.  That's normally v5.4.1 FortiClient registration, which should only be going to the FortiGate (or EMS server).  

 

Is it only wifi clients running FortiClient that are getting denied?  

Is the SSID set up as a tunnel instead of a bridge?

If so, have you enabled FortiTelemetry for the SSID interface?

If not, that could be your problem.

If you do have FortiTelemetry enabled for the wifi tunnel, have you set up a separate wifi-tunnel to wan rule?

 

I'm going off my configuration of a FortiGate with FortiAP so it may or may not match your experience.

 

 

fl0at0xff
New Contributor II

Hello @tanr and thank you for your answer.

My problem is present with devices connected via WiFi and directly with a cable. I don't think that the problem is related to wireless. I have exactly the same problem with a FortiGate 60D.

 

For information, Any of my client uses FortiClient in this installation. It's really an out-of-the-box problem. As I said before, I just have the simple configuration shown in my initial post.

 

By the way, I don't have a lot of experience using FortiWiFi. I checked tunnel mode for my WiFi. Is it a good idea or not? I just use the two antennas of the FortiWiFi, not an external AP. What is FortiTelemetry?

 

thanks.

fl0at0xff
New Contributor II

garibaldi.sebastian@arlei.com wrote:

I have the same problem with an FG200D and FG60D using 5.4.1. It's blocking Google-Web and this device (an Android phone) can't download an app from Google Play. If I connect it to a 4G network it downloads OK.

OK, and did you find a solution or not?

tanr
Valued Contributor II

@fl0at0xff,

 

I'm not sure what you meant by "Any of my client uses FortiClient".  Instead of "Any" did you mean "All", "None", or "Some"?  If it was "None", then FortiClient issues aren't the problem.  But if not, and the logs you list are showing up with FortiClients, then turning on FortiTelemetry under "Administrative Access" for the LAN interfaces would allow the FortiClients to register with the FortiGate.  FortiTelemetry is just the new term for FortiClient communication, and it's done with TCP/2013, which is what your logs show getting blocked.  That's why I was wondering about FortiClients.  BTW, you definitely DON'T want FortiTelemetry turned on for your WAN interfaces.

 

If you're not using a separate AP then I'm not sure that tunnel mode would really be needed.  Normally tunnel mode (vs bridged mode) for a separate AP's SSIDs forces the traffic through a tunnel to the FortiGate so that security rules can be applied.  With a FortiWiFi you're already at the FortiGate, but I don't know if that means security rules get applied or not for a bridged WiFi interface, especially if the WiFi interface is a member of the internal switch.

 

You said your LAN_2_WAN security policy has logging set to "All Sessions" and you're logging to memory.

Have you tried "Send Logs to FortiCloud" instead?

 

Posting your LAN interface config and the LAN_2_WAN security policy would probably help narrow this down.

Or just open a ticket with support.

gbagita
New Contributor

Hello guys. Did you solve the problem?

I have the same issue. I want to RDP to a server from the client. I have a rule which allows this connection. When I try to connect to the server, it doesn't happen. In the log I see that the connection matched the ALLOW rule, but the result is "Deny: IP connection error". I debugged the flow and saw that the server responded to the client's SYN request. I ran Wireshark on the client, but it didn't receive the SYN packet from the server. The client has antivirus turned off. We have an FG100D with FortiOS 5.4.3.

lmccuistian

I'm seeing the same exact behavior on a brand new FortiGate 100E running 5.4.4, installed less than 2 weeks ago.  It has a pretty basic config and everything is working, except I can't get anything out of the logs other than "Deny: IP connection error" for everything.

 

Does anyone have any other ideas that may help this issue?

TuncayBAS

Log severity is left at warning.

 

config log mem filter
    set severity information
end

Tuncay BAS
RZK Muhendislik Turkey
FCA,FCP,FCF,FCSS
lmccuistian

Thank you TuncayBAS.  This was my problem.  I changed the log severity to information and it seems to have corrected the problem.
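
The fix above works because a FortiOS log filter keeps only entries at the configured severity or higher, and accepted-session traffic logs sit below "warning". The following is an added illustration, not code from the thread or from Fortinet: it parses a handful of constructed FortiOS-style key=value traffic log lines (made up for this example, not captured from any poster's device) and applies the memory-filter threshold, showing that "warning" leaves only the denies (action="ip-conn", which the sample treats as the raw form of the GUI's "Deny: IP connection error" line, and action="deny") while "information" brings the accepted sessions back. The severity ordering is the standard FortiOS/syslog one; the level assigned to each sample line is an assumption of the example.

```python
"""
Added example: why a FortiGate memory-log filter left at severity "warning"
shows only deny entries. Not from the forum thread or from Fortinet.

A FortiOS "set severity X" filter keeps log entries whose level is X or more
severe. Accepted-session traffic logs are written at a lower level than
denies, so a "warning" threshold hides every accepted session.
"""
import re

# FortiOS/syslog severities, most severe first (index 0 = highest).
SEVERITY_ORDER = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "information", "debug",
]
# The CLI calls the level "notification"; log lines carry "notice".
ALIASES = {"notification": "notice"}

# Constructed sample traffic logs (assumption: accepts at notice, denies at
# warning). Not captured from a real device.
SAMPLE_LOGS = """\
date=2017-03-01 time=10:00:01 logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=192.168.1.10 dstip=203.0.113.5 srcintf="internal" dstintf="wan1" policyid=1 action="accept" service="HTTPS"
date=2017-03-01 time=10:00:02 logid="0000000014" type="traffic" subtype="forward" level="warning" srcip=192.168.1.10 dstip=203.0.113.5 srcintf="internal" dstintf="wan1" policyid=1 action="ip-conn" service="HTTPS"
date=2017-03-01 time=10:00:03 logid="0000000013" type="traffic" subtype="forward" level="notice" srcip=192.168.1.11 dstip=198.51.100.7 srcintf="internal" dstintf="wan1" policyid=1 action="accept" service="DNS"
date=2017-03-01 time=10:00:04 logid="0000000013" type="traffic" subtype="forward" level="warning" srcip=192.168.1.12 dstip=198.51.100.9 srcintf="internal" dstintf="wan1" policyid=0 action="deny" service="SMB"
"""

# key=value pairs; values are either double-quoted or a run of non-space chars.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one FortiOS key=value log line into a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def parse_logs(text):
    """Parse a block of log lines, skipping blanks."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def passes_filter(entry, severity):
    """True if the entry's level is at least as severe as the filter setting."""
    level = entry.get("level", "debug")
    level = ALIASES.get(level, level)
    threshold = ALIASES.get(severity, severity)
    return SEVERITY_ORDER.index(level) <= SEVERITY_ORDER.index(threshold)


def visible_actions(text, severity):
    """Action field of every entry the memory filter would keep, in log order."""
    return [e["action"] for e in parse_logs(text) if passes_filter(e, severity)]


if __name__ == "__main__":
    # With "warning" only the two denies survive; "information" shows all four.
    for sev in ("warning", "information"):
        print(f"set severity {sev:<12} -> {visible_actions(SAMPLE_LOGS, sev)}")
```

Run as-is and the "warning" pass prints only the ip-conn and deny entries, which is exactly the symptom in this thread: the allow policy is matching and logging, but the memory filter discards the accepted sessions before they reach the GUI.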
