Hi All
I have a really strange issue at my remote office.
Basically I have a FortiWifi-40c V5.2.2 with a pretty basic configuration:
WAN1 -> Router
Internal1 -> LAN Switch
Internal 5 -> Workshop switch
We have an IPSEC tunnel up to our Head Office.
The issue we are having is that when I plug a device into the LAN (my laptop, for example), I fail to get any internet breakout. After investigating, I found that the machine kept getting an IP from our local Windows DHCP server, but then it would lose the IP and try to renew again (this carries on in a constant loop). If I get on to the Windows server, the DHCP address leases get full of "BAD_Request" objects. Looking through the event logs on the Windows server came back with no errors being logged.
Now the interesting thing is... When I unplug the Fortigate, bam... I get a DHCP address. I then plug the Fortigate back in to the LAN switch and I can browse and access various resources.
Another interesting fact is that when connecting to the wireless on the Fortigate, I get an IP and can browse, access network resources etc., except for one thing... The branch printer (A small simple HP malfunction). I can ping the printer, but cannot print, scan or access its web interface.
It's almost as if the Fortigate is killing internal traffic somehow. We have this same device and a very similar setup at some of our clients and have no issues.
Yesterday I factoried the Fortigate and re-built the config from scratch, but still the issue persists. I'm pretty sure the issue started after the 5.2 upgrade, but I am unfortunately not 100% sure as most devices are wired and have never been disconnected and connected back to the network.
Today I had a look through the switch config and could not find any issues there either (also very basic). Nonetheless, I firmwared the switch to the latest version just in case.
Any assistance/guidance would be greatly appreciated. I would prefer avoiding a downgrade of the FortiOS if possible.
Regards
FCNSA
FCNSP
FCWS
NSE5
NSE7
Hi again
OK so I've narrowed it down even further...
After reading through this post http://community.spiceworks.com/topic/366137-dhcp-bad_address-yes-i-ve-searched-other-topics right at the end there is a mention of device tracking. This prompted me to check if detect and identify devices was enabled on any of the interfaces. I had only checked the softswitch interface...I had a look at the SSID interface and found that this was enabled. I disabled this and added the SSID back to the softswitch and all is still working!
While I do not require the detect device feature on the internal network, I am still curious to know if there is any way to have this enabled. I tried enabling this on the softswitch interface only and DHCP broke again...
Anyhow, at least it's working!
I hope this helps others with the same issue.
Thanks again for everyone's assistance on this! Much appreciated!
FCNSA
FCNSP
FCWS
NSE5
NSE7
Unchecking detect and identify devices solved the DHCP/BAD_ADDRESS in my lab environment as well on firmware 5.2.3.
Thanks for the post!
Hi all,
I also have this DHCP issue "BAD_ADDRESS". DHCP fills with "BAD_ADDRESS" entries. My FortiWiFi has FortiOS 5.2.3 installed. LAN and WLAN are connected through a softswitch. I checked the setting for device identification but this setting is disabled on all my interfaces. When I delete the softswitch and configure WLAN and LAN to be in separate subnets, everything is working fine. Switching back to softswitch configuration will cause DHCP to be filled with BAD_ADDRESS entries. Does anybody have an idea what is happening here?
Regards Christoph
Christoph Schneider wrote:
> Hi all,
> I also have this DHCP issue "BAD_ADDRESS". DHCP fills with "BAD_ADDRESS" entries. My FortiWiFi has FortiOS 5.2.3 installed. LAN and WLAN are connected through a softswitch. I checked the setting for device identification but this setting is disabled on all my interfaces. When I delete the softswitch and configure WLAN and LAN to be in separate subnets, everything is working fine. Switching back to softswitch configuration will cause DHCP to be filled with BAD_ADDRESS entries. Does anybody have an idea what is happening here?
> Regards Christoph

I also found this to be an issue on a 90D, completely making their network useless for any new devices which needed an IP address. I'm thinking it would start when a user was connected with WiFi, then plugged into a wired connection at his desk. "Detect devices" on the interfaces was not enabled on the soft switch or the WiFi SSID.
Removing the WiFi SSID from the soft switch would make the problem go away, but it is not an ideal solution.
I upgraded to the newest 5.4 build 1011, as a coworker said this resolved the same issue for him at another location. I'll update with the status.
I experienced this problem and replaced the offending machine's NIC and voilà! Problem solved. With that said, I only had two Win7Pro clients, one SMB Server (all roles) and a FWF30D (flat network 192.168.0.0/24). But I could replicate the BAD Addressing on both the Windows SMB DHCP server AND the FWF30D DHCP Server. BTW, this problem will demolish your network performance every time it comes back.
What prompted me to replace the NIC was the fact that the offending NIC kept connecting, then dropping when I went to Control Panel->Network Adapters.
BTW, I'm 4+ weeks strong after correcting this problem and users are really happy and the issue has not come back.
Hope this helps!
"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it." - Linus Torvalds
I had some weird ARP issues with my softswitch configuration. We had a laptop that would refuse to work, and found that ARP broadcasts were not working properly on our softswitch with internal1, internal3, internal4, but internal 2 would work.
I fixed it by upgrading to 5.2.5.
The 5.2.5 release notes have a few mentions about Virtual Switch fixes...
http://docs.fortinet.com/uploaded/files/2762/fortios-v5.2.5-release-notes.pdf
Thanks for the help guys!
Chris