Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Deep_Banerji
New Contributor

Execute traceroute showing first and last hop 127.0.0.1 for connected subnet

I have a FortiGate 100E device on which I have taken one LAN port out of the switch and set the WAN role on it. I have assigned a /30 subnet IP address to the port. The port is up and I can PING it from other zones. However, I cannot PING the remote IP address of the /30 subnet. `execute traceroute` shows the only hop as 127.0.0.1. I have deployed an ANY-ANY policy from LAN to the above interface, but PING from a LAN workstation to the remote /30 IP address gets a DESTINATION HOST UNREACHABLE reply from the firewall. I am at my wit's end. Please help.

12 replies
Deep_Banerji

boneyard wrote:

> If you want to and have the time, you could create a link aggregate on the FortiGate, make port16 a member of it and see if that gets a working situation. That does require removing the IP from port16, removing the firewall policy and the route, then putting them back on the link aggregate.

Tried this. Didn't work. :(

boneyard

What does the `diagnose sniffer packet` output for the link aggregate look like?

emnoc
Esteemed Contributor III

This happens on all of the FGTs that I manage. What I've noticed: if the traceroute is done to a "wan" or "port" interface that is not part of a virtual switch, it looks normal. If you do a traceroute to an address connected to a port of a virtual switch, the 127.0.0.1 comes up.

e.g.

MANHATTANSOUTH # diag ip arp list | grep wan
index=8 ifname=wan2 xxx.xxx.1 00:1b:bc:11:43:1a state=00000004 use=61 confirm=47 update=27 ref=51

MANHATTANSOUTH # execute traceroute xxx.xxx.200.1
traceroute to xxx.xxx.200.1 (xxx.xxx.200.1), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 xxx.xxx.200.1 0.373 ms 0.330 ms 0.173 ms

and here's a LAN (virtual switch):

MANHATTANSOUTH # execute traceroute 10.1.1.50
traceroute to 10.1.1.50 (10.1.1.50), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 127.0.0.1 <gearssdk.opswat.com> 2994.351 ms !H 2999.669 ms !H 2999.987 ms !H

Opswat does endpoint protection, so it's something in FortiOS that is using some protection. Fortinet is a partner of Opswat.

Reference: https://www.opswat.com/partners/fortinet

So if there is no problem with the connected host, I would chalk this up as cosmetic.

Just my observations.

 

Ken Felix
PCNSE
NSE
StrongSwan
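The distinction emnoc draws above (a normal first hop versus a first hop of 127.0.0.1 with !H on every probe) is easy to misread by eye when you have many units to check. The following is an added example, not code from the thread or from Fortinet: it parses the text of `execute traceroute` and `diag ip arp list` as quoted in the post and classifies the result. The sample output is constructed to match the quoted format (with documentation addresses substituted for the masked ones), and the rule "loopback !H but the target has an ARP entry, so treat as cosmetic" is this example's own heuristic, following emnoc's reasoning, not a FortiOS rule.

```python
"""Classify FortiOS ``execute traceroute`` output, cross-checked against ``diag ip arp list``.

Added example for this thread; the sample text below is constructed, not captured
from a device, and the classification heuristic is the example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample output modelled on the lines quoted in the thread.
TRACE_NORMAL = """traceroute to 203.0.113.1 (203.0.113.1), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 203.0.113.1 0.373 ms 0.330 ms 0.173 ms
"""

TRACE_LOOPBACK = """traceroute to 10.1.1.50 (10.1.1.50), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 127.0.0.1 <gearssdk.opswat.com> 2994.351 ms !H 2999.669 ms !H 2999.987 ms !H
"""

ARP_LIST = """index=8 ifname=wan2 203.0.113.1 00:1b:bc:11:43:1a state=00000004 use=61 confirm=47 update=27 ref=51
index=3 ifname=internal 10.1.1.50 00:50:56:aa:bb:cc state=00000004 use=12 confirm=9 update=9 ref=2
"""

# hop number, address, optional <reverse-dns>, then the probe results
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+<([^>]*)>)?\s+(.*)$")
# each probe: "<rtt> ms" optionally followed by an ICMP annotation such as "!H"
PROBE_RE = re.compile(r"(\d+(?:\.\d+)?)\s+ms(?:\s+(!\S+))?")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Hop:
    number: int
    address: str
    hostname: Optional[str]
    rtts_ms: List[float] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)   # e.g. "!H" per probe
    timeouts: int = 0                                # "*" probes


def parse_traceroute(text: str) -> List[Hop]:
    """Return one Hop per numbered line; the header line does not match HOP_RE."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        number, address, hostname, rest = m.groups()
        hop = Hop(int(number), address, hostname)
        for rtt, flag in PROBE_RE.findall(rest):
            hop.rtts_ms.append(float(rtt))
            if flag:
                hop.flags.append(flag)
        hop.timeouts = rest.split().count("*")
        hops.append(hop)
    return hops


def parse_arp(text: str) -> dict:
    """Map IP -> {key: value, ..., 'mac': str|None} from ``diag ip arp list`` lines."""
    table = {}
    for line in text.splitlines():
        fields, ip, mac = {}, None, None
        for tok in line.split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                fields[k] = v
            elif MAC_RE.fullmatch(tok):
                mac = tok
            elif IPV4_RE.fullmatch(tok):
                ip = tok
        if ip:
            fields["mac"] = mac
            table[ip] = fields
    return table


def classify(trace_text: str, arp_text: str) -> str:
    """'direct': target answered as hop 1 with no error flags.
    'loopback-cosmetic': hop 1 is 127.0.0.1 !H but the target has a resolved ARP entry,
    which is the case emnoc describes as cosmetic (heuristic, not a FortiOS rule).
    'loopback-no-arp': same traceroute shape, but the target never resolved on L2,
    so the host really is unreachable from the FortiGate."""
    target_m = re.search(r"traceroute to (\S+)", trace_text)
    hops = parse_traceroute(trace_text)
    if not target_m or not hops:
        return "no-hops"
    target, first = target_m.group(1), hops[0]
    if first.address == target and not first.flags:
        return "direct"
    if first.address == "127.0.0.1" and first.flags and all(f == "!H" for f in first.flags):
        entry = parse_arp(arp_text).get(target)
        return "loopback-cosmetic" if entry and entry.get("mac") else "loopback-no-arp"
    return "other"


if __name__ == "__main__":
    print(classify(TRACE_NORMAL, ARP_LIST))     # direct
    print(classify(TRACE_LOOPBACK, ARP_LIST))   # loopback-cosmetic
    print(classify(TRACE_LOOPBACK, ""))         # loopback-no-arp
```

For the original poster's case this is the check worth running: if `diag ip arp list` shows no MAC for the remote /30 address, the 127.0.0.1 hop is not the cosmetic case emnoc describes, and the problem is at layer 2 on that port (or the peer), not in the policy.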