Support Forum
R_007
New Contributor

FortiGate 60F: Clients Lose Internet Despite Firewall Ping Success

Hi,
We are using a FortiGate 60F firewall and have recently experienced an internet unavailability issue which, in one case, was automatically solved by a firewall restart. Our setup includes four internet connections from different ISPs. We have SD-WAN rules for certain websites/services, and some PCs are included in a policy route rule so that they always use specific WAN interfaces.

 

The first time the issue occurred, we had configured the firewall in Performance SLA to ping an IP such as 8.8.8.8. This Performance SLA rule would ping the mentioned IP from each internet interface to monitor its health for SD-WAN balancing. If the IP is unpingable from a certain WAN interface, it marks that link as inactive. However, while the firewall was able to ping 8.8.8.8, the client PCs had no internet access.

On the client PCs which are included in the policy route we have added two ping automation tasks, one for 8.8.8.8 and another to ping google.com. The logs from those PCs had no request timeouts for the 8.8.8.8 ping, while they showed request timeouts for google.com on the same day, time and PC. We restarted the firewall but the issue was not solved. Eventually it got auto-resolved after we removed some WAN connections from the firewall and connected them to our network; at the same time we changed the IP address of the firewall so that the same IP could be assigned to the removed WAN connection's router for users to access the internet. Later we checked the firewall's internet connections and they were working.

 

The second time it happened, we had set the firewall to ping google.com instead of 8.8.8.8 in the Performance SLA tab. When the issue occurred, the PCs using policy routes maintained internet connectivity without problems, but those configured with SD-WAN rules and other clients who do not match the policy route rules had no internet. Restarting the firewall resolved the issue this time.
But in this case, at 4:39 AM all the WAN connection interfaces were marked as down by the firewall since it could not access google.com from those WANs. But the PCs mentioned in the policy route were not affected by the internet problem, as we checked the ping logs and did not find any request timeouts.

 

The problem seems very random, and none of the 4 internet connections had any issues, as confirmed by the ISPs. We would like to know if anyone else has experienced the same issue or has suggestions on how to address it.

 

Any input is greatly appreciated.
Thank you.

6 REPLIES
funkylicious
SuperUser

hi,

any recent FortiOS updates on the FortiGate? What firmware are you running on it?

"jack of all trades, master of none"
R_007

We are currently running v7.2.11 build 1740 (Mature) on the FortiGate 60F.

NotMine
Contributor II

SD-WAN can go wrong in so many ways. But I would first check the DNS... What DNS servers are you using on the FortiGate and on the clients?

 

Also, can you describe/post the configuration of your Performance SLA rule(s) and SD-WAN Rule(s)?

NSE 7

All opinions/statements written here are my own.
R_007
New Contributor

The DNS servers are set to 8.8.8.8 and 8.8.4.4 in the System DNS of the FortiGate. For the clients we have the DC IP addresses, followed by 8.8.8.8 and 8.8.4.4.

We have set the Performance SLA rule(s) and SD-WAN rule(s) as follows:
firewall # show system sdwan
config system sdwan
set status enable
set load-balance-mode weight-based
config zone
edit "virtual-wan-link"
next
end
config members
edit 2
set interface "wan2"
set gateway 192.168.x.x
set priority 5
next
edit 4
set interface "internal5"
set gateway 192.168.x.x
set weight 3
next
edit 5
set interface "internal4"
set gateway 192.168.x.x
set weight 3
next
edit 6
set interface "internal3"
set gateway 192.168.x.x
set weight 2
set priority 2
next
edit 7
set interface "internal2"
set gateway 192.168.x.x
set priority 4
next
end
config health-check
edit "Test_Firewall_rule"
set server "cloudflare.com" "www.google.co.in"
set protocol http
set failtime 12
set recoverytime 4
set members 7 4 6 2 5
next
end
config service
edit 1
set name "forum_StaticIP"
set dst "Forum Access"
set src "all"
set priority-members 6 4 5
next
edit 2
set name "Servers-Whitelist"
set dst "Servers List"
set src "all"
set priority-members 4 5 6 7
next
edit 9
set name "Traces_site"
set dst "Traces_sites"
set src "all"
set priority-members 2 6 5
next
edit 7
set name "VPC_test1_nonstatic"
set dst "all"
set src "VPC-Test1 IP"
set priority-members 2
next
edit 10
set name "Other_Server_LoadBalence"
set dst "all"
set src "PC135 ip" "PC88 IP" "vpc_cloud"
set priority-members 4 5 6
next
edit 11
set name "PCs_Load_Balance"
set dst "all"
set src "PC101" "PC40" "PC97" "PC138"
set priority-members 4 5 6
next
edit 12
set name "SMS_API_rule"
set dst "all"
set src "PC163 ip" "PC12ip" "PC110 IP"
set priority-members 4 5 6
next
edit 13
set name "Load_Balance"
set dst "Test"
set src "all"
set priority-members 5 6
next
end
end
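The health check above uses two hostnames ("cloudflare.com" and "www.google.co.in") over HTTP with failtime 12 and recoverytime 4, whereas the first incident used an IP literal (8.8.8.8) over ICMP. The following is an added example, not FortiGate code and not from the thread, that models how those two settings flip a member between alive and dead, and how an IP target and a hostname target can disagree when name resolution is what is failing. Its simplifying assumptions are labelled in the code: a hostname probe is modelled as needing one firewall-side DNS lookup before the HTTP request, so a DNS outage fails the probe on every member at the same time, while an IP-literal probe only needs the member's link to be up. The link-state sequences and the DNS outage are constructed input, not real logs; the member IDs and targets are taken from the posted config.

```python
"""Added example: a model of SD-WAN Performance SLA member state under the posted
failtime/recoverytime values. Not FortiOS code; the probe model is a simplifying
assumption, not a statement about FortiGate internals."""
from dataclasses import dataclass
import ipaddress

FAILTIME = 12      # "set failtime 12" in the posted health-check
RECOVERYTIME = 4   # "set recoverytime 4"


@dataclass
class MemberState:
    """Alive/dead flag for one SD-WAN member plus its consecutive probe counters."""
    alive: bool = True
    consecutive_fail: int = 0
    consecutive_ok: int = 0

    def update(self, probe_ok: bool) -> bool:
        """Apply one probe result and return the alive flag afterwards.
        A member goes dead after FAILTIME consecutive failures and comes back
        only after RECOVERYTIME consecutive successes."""
        if probe_ok:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if not self.alive and self.consecutive_ok >= RECOVERYTIME:
                self.alive = True
        else:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.alive and self.consecutive_fail >= FAILTIME:
                self.alive = False
        return self.alive


def is_ip_literal(target: str) -> bool:
    """True for a target such as 8.8.8.8, False for a hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def probe(target: str, link_up: bool, dns_ok: bool) -> bool:
    """Modelled outcome of one probe from one member (assumption: a hostname
    target needs a successful firewall-side DNS lookup; an IP literal does not)."""
    if not link_up:
        return False
    if is_ip_literal(target):
        return True
    return dns_ok


def simulate(target: str, link_up: dict[int, list[bool]],
             dns_ok: list[bool]) -> dict[int, list[bool]]:
    """Return, per member, the alive flag after each probe interval."""
    states = {m: MemberState() for m in link_up}
    history: dict[int, list[bool]] = {m: [] for m in link_up}
    for i, dns in enumerate(dns_ok):
        for m, ups in link_up.items():
            history[m].append(states[m].update(probe(target, ups[i], dns)))
    return history


def dead_members_at_end(target: str, link_up: dict[int, list[bool]],
                        dns_ok: list[bool]) -> list[int]:
    """Member IDs still marked dead after the last interval."""
    return sorted(m for m, hist in simulate(target, link_up, dns_ok).items()
                  if not hist[-1])


# Constructed scenario (not taken from the thread's logs): every link stays up,
# but the firewall's DNS resolution fails for 15 consecutive probe intervals.
MEMBERS = [2, 4, 5, 6, 7]          # member IDs from the posted config
INTERVALS = 20
LINKS_ALL_UP = {m: [True] * INTERVALS for m in MEMBERS}
DNS_OUTAGE = [True] * 3 + [False] * 15 + [True] * 2

if __name__ == "__main__":
    print("IP target 8.8.8.8, dead members at end:",
          dead_members_at_end("8.8.8.8", LINKS_ALL_UP, DNS_OUTAGE))
    print("hostname target www.google.co.in, dead members at end:",
          dead_members_at_end("www.google.co.in", LINKS_ALL_UP, DNS_OUTAGE))
```

Under this model the IP-literal check reports every member healthy through the DNS outage, while the hostname check marks all five members dead after the twelfth failed interval and keeps them dead because only two successful probes follow, short of recoverytime 4. Whether that is what happened on this FortiGate is not something the model can tell you; it only shows why comparing an IP-literal probe against a hostname probe (as NotMine's DNS question suggests) separates a DNS failure from a link failure.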

NotMine
Contributor II

Oh, one more question - very important: what FortiOS version are you using on your FGT-60F?

NSE 7

All opinions/statements written here are my own.
R_007
New Contributor

We are currently running v7.2.11 build 1740 (Mature) on the FortiGate 60F.
