Good morning experts. Maybe you want to help me with a problem that is killing me..?
I'm trying to configure a solution for a remote office using Cisco switches and a FortiGate 60E. Difficult to explain, but that is almost fixed, no problem with that.
The problem is a behavior in how the FortiGate manages VLANs on its Internal ports hard-switch:
When all infrastructure is connected, the testing host is able to ping all VLANs. But when a physical trunk link is down between two of the Cisco switches, the testing host loses connection to its default gateway (which is the FortiGate...!). I mean that the testing host can ping 5 or 6 more times from the moment the link goes down, and after that it loses connection and pings are no longer answered until the link is reestablished.
I drew my infrastructure so that it is understood; I hope you can help me.
Technical data:
* Interfaces used: ports 1 to 5 of the Internal hardware-switch
* Five VLANs configured on it: IDs 15, 30, 35, 50, and 101.
* VLAN 50 has DHCP server configured.
* Testing host is connected to a single port on a Cisco Switch configured on VLAN50
* Cisco Switch is connected to Internal 03 port of the Fortigate.
Please refer to the following image:
**UPDATE** I have run a debug flow diagnostic and found the following log:
Packet Trace #43 2024/07/18 14:21:53 checked gnum-10000e policy-4294967295, ret-matched, act-drop
How to solve it..? I guess that policy is a default policy, not configurable... :(
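The trace line quoted above follows a fixed "Packet Trace" shape, so it can be parsed and aggregated instead of read by eye. This is an added example, not code from the post or from Fortinet: it parses lines in that shape, counts dropped packets per policy id, and is run over a constructed capture whose first line is the one from the post and whose other lines are made up. No meaning beyond the literal text is assumed for the gnum or policy values.

```python
import re
from collections import Counter

# Regex for "Packet Trace" lines in the shape shown in the post. Only the
# literal fields are extracted; nothing else about their meaning is assumed.
TRACE_RE = re.compile(
    r"Packet Trace #(?P<trace>\d+) (?P<date>\S+) (?P<time>\S+) "
    r"checked gnum-(?P<gnum>[0-9a-f]+) policy-(?P<policy>\d+), "
    r"ret-(?P<ret>[a-z]+), act-(?P<act>[a-z]+)"
)


def parse_trace_line(line):
    """Return a dict of the trace fields, or None if the line is not a trace line."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["trace"] = int(rec["trace"])
    # 4294967295 is 0xFFFFFFFF, the all-ones id seen in the post's drop line.
    rec["policy"] = int(rec["policy"])
    return rec


def summarize_drops(lines):
    """Count act-drop trace lines per policy id across a debug-flow capture."""
    drops = Counter()
    for line in lines:
        rec = parse_trace_line(line)
        if rec and rec["act"] == "drop":
            drops[rec["policy"]] += 1
    return drops


# Constructed sample capture: line 1 is the one quoted in the post, the rest are
# made-up lines in the same shape (plus one unrelated line) to exercise the code.
SAMPLE = """\
Packet Trace #43 2024/07/18 14:21:53 checked gnum-10000e policy-4294967295, ret-matched, act-drop
Packet Trace #44 2024/07/18 14:21:54 checked gnum-10000e policy-4294967295, ret-matched, act-drop
Packet Trace #45 2024/07/18 14:21:55 checked gnum-100004 policy-12, ret-matched, act-accept
some unrelated debug output
""".splitlines()

if __name__ == "__main__":
    for pid, n in summarize_drops(SAMPLE).items():
        print(f"policy {pid}: {n} dropped packet(s)")
```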
I discovered the solution for myself. I'm going to share it with the community: the problem wasn't in the FortiGate itself, but in the first Cisco switch where the testing host was connected. On that Cisco switch, STP (Spanning Tree) was enabled for VLAN 50 (the VLAN used by the testing host). When I disabled it, everything started to work as expected.
Thanks to those who had the opportunity to evaluate my problem. Regards.
So the WAN 10.1.128.1 is a different machine, so would not a ping from 192.168.3.2 go through 192.168.3.1, then 10.1.128.18, then to 10.1.128.1? No? So the WAN machine would just need to know to toss it back from whence it came through .18, no https://mobdro.bio/ ?
I'm sorry tunolno1, I can't understand your reply; I never mentioned those IP addresses. But it is not a routing issue at all. Thanks a lot for your support.