Daniel_RCE
New Contributor

FG300C - duplicated IP Address on network

I'm installing a FG300C and found a problem here. Every time I try to connect a device (a PC) to one of the FG's interfaces, my machine receives a message about a duplicate IP address on the network. For example: the FG's Port1 has an IP address of 192.168.12.15/24, and when I put a static IP address 192.168.12.100/24 on my laptop, I receive a "duplicate IP address" message on the network. Using Wireshark, I can see the FG's MAC address sending this message. This FG was running in HA mode, and I disabled it. Is there any config that can cause this? When I do a factory reset and use the default configuration (192.168.1.0/24 network) the problem does not happen.
Lauck, Daniel Rodrigo
ede_pfau
Esteemed Contributor III

Hi, and welcome to the forums. Most probably the setup of the interface IP address is incorrect. Can you post the details please? Second, are you running a DHCP server on the 'internal' interface?

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Daniel_RCE

Hi, the interface config follows. I also posted the VIPs and other configs that may be helpful. We have no DHCP server enabled on the FortiGate. I was using HA (for test purposes), but I disabled HA as soon as I detected this problem. I guess there could be some "garbage" in the config, is that possible?

config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.12.16 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set alias "Scorpius - eth0"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.12.15 255.255.255.0
                set allowaccess ping
            next
            edit 2
                set ip 192.168.12.31 255.255.255.0
                set allowaccess ping
            next
            edit 3
                set ip 192.168.12.5 255.255.255.0
                set allowaccess ping
            next
            edit 4
                set ip 192.168.12.6 255.255.255.0
                set allowaccess ping
            next
        end
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.100.200 255.255.255.0
        set allowaccess ping https
        set type physical
        set description "DMZ servidores."
        set alias "Scorpius - eth1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.100.1 255.255.255.0
                set allowaccess ping https
            next
            edit 2
                set ip 192.160.100.2 255.255.255.0
                set allowaccess ping
            next
        end
    next
    edit "port3"
        set vdom "root"
        set ip 1XX.X.60.3 255.255.255.240
        set type physical
        set alias "Scorpius - eth2"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 1XX.X.60.4 255.255.255.240
            next
            edit 2
                set ip 1XX.X.60.5 255.255.255.240
            next
            edit 3
                set ip 1XX.X.60.2 255.255.255.240
            next
            edit 4
                set ip 1XX.X.60.6 255.255.255.240
            next
            edit 5
                set ip 1XX.X.60.7 255.255.255.240
            next
            edit 6
                set ip 1XX.X.60.8 255.255.255.240
            next
            edit 7
                set ip 1XX.X.60.9 255.255.255.240
            next
            edit 8
                set ip 1XX.X.60.11 255.255.255.240
            next
            edit 9
                set ip 1XX.X.60.12 255.255.255.240
            next
            edit 10
                set ip 1XX.X.60.13 255.255.255.240
            next
        end
    next
    edit "port4"
        set vdom "root"
        set ip 172.16.15.2 255.255.255.0
        set allowaccess ping https fgfm
        set type physical
        set description "DMZ PegCred"
        set alias "Scorpius - eth4"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.16.15.1 255.255.255.0
            next
        end
    next
    edit "port5"
        set vdom "root"
        set ip 172.52.1.5 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Serpens - eth1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.52.1.21 255.255.255.0
                set allowaccess ping
            next
            edit 2
                set ip 172.52.1.22 255.255.255.0
                set allowaccess ping
            next
            edit 3
                set ip 172.52.1.23 255.255.255.0
                set allowaccess ping
            next
            edit 4
                set ip 172.52.1.31 255.255.255.0
                set allowaccess ping
            next
        end
    next
    edit "port6"
        set vdom "root"
        set ip 2XX.XXX.XX7.142 255.255.255.240
        set type physical
        set alias "Serpens - eth2"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 2XX.XXX.XX7.141 255.255.255.240
            next
        end
    next
    edit "port7"
        set vdom "root"
        set ip 192.168.101.1 255.255.255.0
        set type physical
        set alias "Serpens - eth4"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.101.5 255.255.255.0
                set allowaccess ping
            next
            edit 2
                set ip 192.168.101.22 255.255.255.0
                set allowaccess ping
            next
        end
    next
    edit "port8"
        set vdom "root"
        set ip 192.168.102.21 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Serpens - eth5"
    next
    edit "port9"
        set vdom "root"
        set type physical
    next
    edit "port10"
        set vdom "root"
        set type physical
    next
    edit "modem"
        set vdom "root"
        set mode pppoe
        set type physical
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
    next
end

*************** VIPs *********************

config firewall ippool
    edit "ADDR_1XX.X.XX.2"
        set endip 1XX.X.XX.2
        set startip 1XX.X.XX.2
    next
    edit "addr_rede_192_168_0"
        set endip 192.168.255.255
        set startip 192.168.0.0
    next
    edit "addr_rede_172_16_0"
        set endip 172.16.255.255
        set startip 172.16.0.1
    next
    edit "addr_dns1_externo"
        set endip 1XX.X.XX.7
        set startip 1XX.X.XX.7
    next
    edit "addr_dns2_externo"
        set endip 2XX.XXX.XX7.141
        set startip 2XX.XXX.XX7.141
    next
    edit "addr_dns3_externo"
        set endip 1XX.X.XX.8
        set startip 1XX.X.XX.8
    next
    edit "addr_dns4_externo"
        set endip 2XX.XXX.XX7.142
        set startip 2XX.XXX.XX7.142
    next
    edit "addr_ac_gateway_externo"
        set endip 1XX.X.XX.9
        set startip 1XX.X.XX.9
    next
    edit "addr_antispam_externo"
        set endip 1XX.X.XX.5
        set startip 1XX.X.XX.5
    next
    edit "addr_email_externo"
        set endip 192.168.101.21
        set startip 192.168.101.21
    next
    edit "addr_redecard_externo"
        set endip 192.168.102.21
        set startip 192.168.102.21
    next
    edit "addr_redecard_externo2"
        set endip 192.168.101.22
        set startip 192.168.101.22
    next
    edit "addr_cielo_externo"
        set endip 172.52.1.21
        set startip 172.52.1.21
    next
    edit "addr_ctg_homologacao_externo"
        set endip 172.52.1.33
        set startip 172.52.1.33
    next
    edit "addr_ctg_producao_externo"
        set endip 172.52.1.31
        set startip 172.52.1.31
    next
end

config firewall vip
    edit "DNAT SMTP"
        set extip 1XX.X.XX.5
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.100.21
        set extport 25
        set mappedport 25
    next
    edit "DNAT Access Gateway porta 443"
        set extip 1XX.X.XX.9
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.100.10
        set extport 443
        set mappedport 443
    next
    edit "DNAT Access Gateway porta 80"
        set extip 1XX.X.XX.9
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.100.10
        set extport 80
        set mappedport 80
    next
    edit "DNAT DNS1 tcp"
        set extip 1XX.X.XX.7
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.100.18
        set extport 53
        set mappedport 53
    next
    edit "DNAT DNS1 udp"
        set extip 1XX.X.XX.7
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.100.18
        set protocol udp
        set extport 53
        set mappedport 53
    next
    edit "DNAT DNS3 tcp"
        set extip 1XX.X.XX.8
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.100.30
        set extport 53
        set mappedport 53
    next
    edit "DNAT DNS3 udp"
        set extip 1XX.X.XX.8
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.100.30
        set protocol udp
        set extport 53
        set mappedport 53
    next
    edit "DNAT DNS2 tcp"
        set extip 2XX.XXX.XX7.141
        set extintf "port6"
        set portforward enable
        set mappedip 192.168.100.19
        set extport 53
        set mappedport 53
    next
    edit "DNAT DNS2 udp"
        set extip 2XX.XXX.XX7.141
        set extintf "port6"
        set portforward enable
        set mappedip 192.168.100.19
        set protocol udp
        set extport 53
        set mappedport 53
    next
    edit "DNAT DNS4 tcp"
        set extip 2XX.XX.XX7.142
        set extintf "port6"
        set portforward enable
        set mappedip 192.168.100.31
        set extport 53
        set mappedport 53
    next
    edit "DNAT DNS4 udp"
        set extip 2XX.XXX.XX7.142
        set extintf "port6"
        set portforward enable
        set mappedip 192.168.100.31
        set protocol udp
        set extport 53
        set mappedport 53
    next
    edit "DNAT Owa 80"
        set extip 18X.X.XX.2
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.10.65
        set extport 80
        set mappedport 80
    next
    edit "DNAT Owa 443"
        set extip 1XX.X.XX.2
        set extintf "port3"
        set portforward enable
        set mappedip 192.168.10.65
        set extport 443
        set mappedport 443
    next
    edit "DNAT Redecard"
        set extip 192.168.102.21
        set extintf "port8"
        set portforward enable
        set mappedip 192.168.12.58
        set extport 1364
        set mappedport 1364
    next
    edit "DNAT Redecard2"
        set extip 192.168.101.22
        set extintf "port7"
        set mappedip 192.168.10.79
    next
    edit "DNAT Cielo"
        set extip 172.52.1.21
        set extintf "port5"
        set portforward enable
        set mappedip 192.168.12.58
        set extport 1364
        set mappedport 1364
    next
    edit "DNAT Email"
        set extip 2XX.XXX.XX7.142
        set extintf "port6"
        set portforward enable
        set mappedip 192.168.101.21
        set extport 25
        set mappedport 25
    next
end
Lauck, Daniel Rodrigo
ede_pfau
Esteemed Contributor III

Three hints:

1. You really like secondary IPs! Usually you try to avoid them if you can. They pose a security risk, and they are not visible enough during administration, so they can cause 'side effects' quickly. When I see that you have not only 1 or 2 but dozens of secondary IPs, I think that you misunderstand the concept. What are you trying to achieve by defining these secondary addresses?

2. Your IP pool config is incorrect. If you define the range e.g. 192.168.0.0-192.168.255.255 then the FGT will have to respond to EVERY address in the 192.168 address space. Poor FGT! So, you may not include a '255' byte, and no '0' in the host address part. For example, 192.168.X.1 - 192.168.X.254 is completely acceptable. This is the cause of your 'duplicate address' error on the LAN.

3. If you use so many VIPs to have external hosts contact your internal servers, even for DNS (shudder!), then you can make your policy table a bit more compact by using VIP groups. Put all VIPs for one server into a VIP group, write the policy with that VIP group as destination and put all services mentioned into the 'service' field. That will give you just one policy per server. But really, I would think twice about whether I REALLY needed so many holes in the firewall. From a security perspective this is a nightmare.

HTH.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
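Ede's second hint is the kind of thing worth catching before a config is pushed: an IP pool whose range covers a directly connected subnet makes the FortiGate answer for addresses that other hosts on that LAN are using, which is exactly the duplicate-IP symptom the thread opened with. The script below is an added example (not Fortinet's code and not part of this thread). It is a minimal parser for the `config` / `edit` / `set` / `next` / `end` CLI format plus an audit that flags pools overlapping any interface subnet on addresses the FortiGate does not itself own, and pools whose bounds sit on a .0 or .255 address (Ede's rule of thumb, applied here as a heuristic). The sample config is constructed, cut down from the interfaces and pools posted above; the "fixed" sample assumes the resolution Daniel later reports, a firewall address object in place of the pool.

```python
"""Audit a FortiOS CLI dump for IP pools that make the FortiGate answer for
addresses on a directly connected subnet. Added example, not Fortinet code."""
import ipaddress
import shlex

# Constructed sample, modelled on the thread (only a few interfaces/pools).
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set ip 192.168.12.16 255.255.255.0
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.168.12.15 255.255.255.0
            next
        end
    next
    edit "port4"
        set ip 172.16.15.2 255.255.255.0
    next
    edit "port5"
        set ip 172.52.1.5 255.255.255.0
        config secondaryip
            edit 1
                set ip 172.52.1.21 255.255.255.0
            next
        end
    next
end
config firewall ippool
    edit "addr_rede_192_168_0"
        set startip 192.168.0.0
        set endip 192.168.255.255
    next
    edit "addr_rede_172_16_0"
        set startip 172.16.0.1
        set endip 172.16.255.255
    next
    edit "addr_cielo_externo"
        set startip 172.52.1.21
        set endip 172.52.1.21
    next
end
"""

# Constructed "after" state: the /16 becomes an address object, not a pool.
FIXED_CONFIG = SAMPLE_CONFIG.split("config firewall ippool")[0] + """
config firewall address
    edit "addr_rede_192_168_0"
        set subnet 192.168.0.0 255.255.0.0
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts:
    {table: {entry: {key: [values], subtable: {...}}}}."""
    lines = [shlex.split(l) for l in text.splitlines() if l.strip()]
    tables, i = {}, 0
    while i < len(lines):
        if lines[i][0] != "config":
            raise ValueError(f"expected 'config', got {lines[i]}")
        name, entries, i = _parse_table(lines, i)
        tables.setdefault(name, {}).update(entries)
    return tables


def _parse_table(lines, i):
    # lines[i] is 'config <name...>'; returns (name, entries, index after 'end')
    name, entries, i = " ".join(lines[i][1:]), {}, i + 1
    while lines[i][0] != "end":
        if lines[i][0] != "edit":
            raise ValueError(f"expected 'edit' in {name}, got {lines[i]}")
        ename, entry, i = " ".join(lines[i][1:]), {}, i + 1
        while lines[i][0] != "next":
            tok = lines[i]
            if tok[0] == "set":
                entry[tok[1]] = tok[2:]
                i += 1
            elif tok[0] == "config":          # nested table, e.g. secondaryip
                sub, subentries, i = _parse_table(lines, i)
                entry[sub] = subentries
            else:
                raise ValueError(f"unexpected {tok} in {name}/{ename}")
        entries[ename] = entry
        i += 1
    return name, entries, i + 1


def owned_addresses(cfg):
    """{label: (address, network)} for every primary and secondary IP the
    FortiGate itself owns, from 'config system interface'."""
    owned = {}
    for name, entry in cfg.get("system interface", {}).items():
        addrs = [(name, entry["ip"])] if "ip" in entry else []
        addrs += [(f"{name} secondary {sid}", sec["ip"])
                  for sid, sec in entry.get("secondaryip", {}).items()]
        for label, (ip, mask) in addrs:
            iface = ipaddress.ip_interface(f"{ip}/{mask}")
            owned[label] = (iface.ip, iface.network)
    return owned


def audit_ippools(cfg):
    """Return [(pool_name, reason)] for pools that overlap a connected subnet on
    addresses the FGT does not own, or whose bounds are .0/.255 (heuristic)."""
    owned = owned_addresses(cfg)
    own_ips = {ip for ip, _ in owned.values()}
    subnets = {}
    for label, (_, net) in owned.items():
        subnets.setdefault(net, label)        # one report per subnet
    findings = []
    for name, pool in cfg.get("firewall ippool", {}).items():
        start, end = (ipaddress.ip_address(pool[k][0]) for k in ("startip", "endip"))
        if start.packed[-1] == 0 or end.packed[-1] == 255:
            findings.append((name, "range bound is a .0 or .255 address"))
        for net, label in subnets.items():
            lo, hi = max(start, net.network_address), min(end, net.broadcast_address)
            if lo > hi:
                continue                      # no overlap with this subnet
            foreign = (int(hi) - int(lo) + 1) - sum(1 for ip in own_ips if lo <= ip <= hi)
            if foreign > 0:
                findings.append((name, f"covers {foreign} address(es) on {label} "
                                       f"subnet {net}: FGT will answer for hosts there"))
    return findings


if __name__ == "__main__":
    for pool, reason in audit_ippools(parse_fortios(SAMPLE_CONFIG)):
        print(f"{pool}: {reason}")
    print("fixed config findings:", audit_ippools(parse_fortios(FIXED_CONFIG)))
```

Single-address pools that reuse one of the FortiGate's own secondary IPs (the `addr_cielo_externo` pattern in the thread) are deliberately not flagged, since the box already answers for that address; the check fires only where a pool would make it answer for addresses someone else on the segment may be using.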
Daniel_RCE

Hi, first of all, thanks for the help. In fact this scenario is already running on a Linux/iptables environment, on 3 Linux firewalls, and the plan is to change the Linux to a FortiGate solution. The secondary IP addresses are being used in Linux, across the 3 firewalls, hence this config on the FG. To avoid them, I'll ask the customer to change some routes on his layer 3 switch. Thanks for the help, I'll change these configs and check the results, especially those related to IP pools. This Monday I'll report back with the results! Thanks in advance!
Lauck, Daniel Rodrigo
ede_pfau
Esteemed Contributor III

That was my impression right from the beginning, that you transferred an existing FW config onto the FGT. IMHO firewall design should be clear cut, minimal and deterministic. With so many holes in the shield you'll have a hard time. But, with a decent FGT like the 300C, you also have a chance to rework the design over time. The thing with the secondary addresses is this: as soon as you define one, the FGT will create a (directly connected) route for it. If you only need the routes it's easier and much more transparent to create them statically on the FGT, instead of creating secondary addresses and getting the routes as a side effect. If you look at the routing monitor you'll see all those routes. They are in fact needed. The FGT will silently discard any traffic that is from or to an unknown subnet. Even WAN traffic would be discarded if it wasn't for the default route. This is a security feature named Reverse Path Check (or the like). The difference between secondary addresses and static routes is that you can address the FGT directly with a secondary address. It is directly involved in this traffic in Layer 2, something that you would not want to have if unnecessary. Good luck next week (I'll have a couple of days off).

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Daniel_RCE

Dear all. Problem was solved! The firewall is up and running. The problem was the IP pool created with the 192.168.0.0/16 network (huge mistake). The objective was the creation of a firewall address with this network, not an IP pool. I also deleted the secondary IPs and fixed minor mistakes. Thanks to "EDE_PFAU", his tips opened my eyes to this mistake. Daniel
Lauck, Daniel Rodrigo
ede_pfau
Esteemed Contributor III

Glad I could help. Enjoy!

Ede

"Kernel panic: Aiee, killing interrupt handler!"