- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate Intermittent Ping
First of all, I am inheriting this network and I believe this to be setup incorrectly however I've never seen someone try to do it this way. I have a two site-to-site fortigates with a switch behind each. I am getting inconsistent pings to the far switch. The far fortigate is also getting intermittent pings to its switch (they are connected via copper which has been swapped out). The LAN interface is set to 192.168.0.1 and the switch's Management interface is set to 192.168.0.2. Under the FG's LAN interface are SVIs for the various vlans on the switch. It seems to me that the problem is likely that the OOB mgmt interface is being used or is there something on the FG side that I should look at?
Solved! Go to Solution.
- Labels:
-
FortiGate
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you’re dealing with a complex and possibly misconfigured network setup. Based on the description, here are some points to consider and investigate to pinpoint the issue and improve the setup:
1. Diagnose the Inconsistent Pings
- Check Physical Layer: You've already swapped the copper cable, which is good. Also, ensure that the switch port and FortiGate port where the cable connects are not experiencing errors (check for CRC errors, dropped packets, or excessive retransmissions).
- On FortiGate: Use diagnose hardware deviceinfo nic <interface> or check logs for link errors.
- On the switch: Check interface statistics for errors or flapping.
- OOB Management Best Practices:
- Use a dedicated VLAN or subnet for the switch’s management interface, separate from the FortiGate LAN (e.g., 192.168.1.x for management).
- Ensure that the management traffic is not being routed through the FortiGate unless explicitly required.
- If the management interface is not reachable, verify if the switch has default gateway and routing configurations pointing to the correct path. Monitor Latency: Use a tool to continuously monitor latency to identify patterns ( Here are., spikes at specific times) and correlate them with other network activities.
2. Check Management Interface Configuration
It sounds like the management interface of the switch (192.168.0.2) might be causing routing or traffic issues if it's using the same subnet as the FortiGate LAN interface (192.168.0.1). This can create an IP conflict or asymmetric routing issue:
- OOB Management Best Practices:
7. Potential Causes of the Problem
- Layer 1 Issues: Intermittent cable, bad port, or auto-negotiation mismatches (force speed/duplex settings if necessary).
- IP Address Conflict: Using the same subnet for the FortiGate LAN interface and the switch’s management interface can cause routing loops or packet drops.
- VLAN Mismatch: Incorrect VLAN configuration or untagged traffic on a trunk port.
- Firewall Rules: Misconfigured or missing policies on the FortiGate for allowing traffic to the management subnet.
- Routing Issues: Incorrect gateway or static route configurations on the far switch.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you’re dealing with a complex and possibly misconfigured network setup. Based on the description, here are some points to consider and investigate to pinpoint the issue and improve the setup:
1. Diagnose the Inconsistent Pings
- Check Physical Layer: You've already swapped the copper cable, which is good. Also, ensure that the switch port and FortiGate port where the cable connects are not experiencing errors (check for CRC errors, dropped packets, or excessive retransmissions).
- On FortiGate: Use diagnose hardware deviceinfo nic <interface> or check logs for link errors.
- On the switch: Check interface statistics for errors or flapping.
- OOB Management Best Practices:
- Use a dedicated VLAN or subnet for the switch’s management interface, separate from the FortiGate LAN (e.g., 192.168.1.x for management).
- Ensure that the management traffic is not being routed through the FortiGate unless explicitly required.
- If the management interface is not reachable, verify if the switch has default gateway and routing configurations pointing to the correct path. Monitor Latency: Use a tool to continuously monitor latency to identify patterns ( Here are., spikes at specific times) and correlate them with other network activities.
2. Check Management Interface Configuration
It sounds like the management interface of the switch (192.168.0.2) might be causing routing or traffic issues if it's using the same subnet as the FortiGate LAN interface (192.168.0.1). This can create an IP conflict or asymmetric routing issue:
- OOB Management Best Practices:
7. Potential Causes of the Problem
- Layer 1 Issues: Intermittent cable, bad port, or auto-negotiation mismatches (force speed/duplex settings if necessary).
- IP Address Conflict: Using the same subnet for the FortiGate LAN interface and the switch’s management interface can cause routing loops or packet drops.
- VLAN Mismatch: Incorrect VLAN configuration or untagged traffic on a trunk port.
- Firewall Rules: Misconfigured or missing policies on the FortiGate for allowing traffic to the management subnet.
- Routing Issues: Incorrect gateway or static route configurations on the far switch.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, the management interface was using the same subnet as the LAN interface on the Fortigate. The LAN on FG also had the trunk port of the switch. I unplugged the management interface and moved the subnet to a new vlan on the switch. Then set that vlan as the untagged vlan on the trunk interface and it seems to have completely resolved the issue.
