xkalib3r
New Contributor III

Fortigate Internal traffic Problem

Hi All

 

I have a really strange issue at my remote office. 

 

Basically I have a FortiWifi-40c V5.2.2 with a pretty basic configuration:

WAN1 -> Router

Internal1 -> LAN Switch

Internal 5 -> Workshop switch

 

We have an IPSEC tunnel up to our Head Office.

 

The issue we are having is that when I plug a device into the LAN (my laptop, for example), I fail to get any internet breakout. After investigating, I found that the machine kept getting an IP from our local Windows DHCP server, but then it would lose the IP and try to renew again (this carries on in a constant loop). If I get on to the Windows server, the DHCP address leases fill up with "BAD_Request" objects. Looking through the event logs on the Windows server came back with no errors being logged.

Now the interesting thing is... When I unplug the Fortigate, bam...I get a DHCP address. I then plug the Fortigate back in to the LAN switch and I can browse and access various resources.

Another interesting fact is that when connecting to the wireless on the Fortigate, I get an IP and can browse, access network resources etc, except for one thing... The branch printer (A small simple HP malfunction). I can ping the printer, but cannot print, scan or access its web interface.

 

It's almost as if the Fortigate is killing internal traffic somehow. We have this same device and a very similar setup at some of our clients and have no issues. 

 

Yesterday I factoried the Fortigate and re-built the config from scratch, but still the issue persists. I'm pretty sure the issue started after the 5.2 upgrade, but I am unfortunately not 100% sure as most devices are wired and have never been disconnected and connected back to the network.

Today I had a look through the switch config and could not find any issues there either (also very basic). Nonetheless, I firmwared the switch to the latest version just in case.

 

Any assistance/guidance would be greatly appreciated. I would prefer avoiding a downgrade of the FortiOS if possible.

 

 

Regards 

FCNSA FCNSP FCWS NSE5 NSE7
1 Solution
xkalib3r
New Contributor III

Hi again

 

OK so I've narrowed it down even further...

 

After reading through this post http://community.spiceworks.com/topic/366137-dhcp-bad_address-yes-i-ve-searched-other-topics right at the end there is a mention of device tracking. This prompted me to check if detect and identify devices was enabled on any of the interfaces. I had only checked the softswitch interface...I had a look at the SSID interface and found that this was enabled. I disabled this and added the SSID back to the softswitch and all is still working!

 

While I do not require the detect device feature on the internal network, I am still curious to know if there is any way to have this enabled. I tried enabling this on the softswitch interface only and DHCP broke again...

 

Anyhow, at least it's working!

 

I hope this helps others with the same issue.

 

Thanks again for everyone's assistance on this! Much appreciated!

Fortiwalle
New Contributor

Unchecking detect and identify devices solved the DHCP/BAD_ADDRESS in my lab environment as well on firmware 5.2.3.

 

Thanks for the post!

Jordan Welsh Sales Engineer 23403 E. Mission Ave. #121 Liberty Lake, WA 99019 D 509.688.2586 W http://www.tierpoint.com/ Facilities in: Baltimore, Dallas, Oklahoma City, Philadelphia, Seattle, Spokane, Tulsa
ChrisS
New Contributor

Hi all,

 

I also have this DHCP issue "BAD_ADDRESS". DHCP fills with "BAD_ADDRESS" entries. My FortiWiFi has FortiOS 5.2.3 installed. LAN and WLAN are connected through a softswitch. I checked the setting for device identification but this setting is disabled on all my interfaces. When I delete the softswitch and configure WLAN and LAN to be in separate subnets, everything is working fine. Switching back to softswitch configuration will cause DHCP to be filled with BAD_ADDRESS entries. Does anybody have an idea what is happening here?

 

Regards Christoph

torlok2002

Christoph Schneider wrote:

Hi all,

 

I also have this DHCP issue "BAD_ADDRESS". DHCP fills with "BAD_ADDRESS" entries. My FortiWiFi has FortiOS 5.2.3 installed. LAN and WLAN are connected through a softswitch. I checked the setting for device identification but this setting is disabled on all my interfaces. When I delete the softswitch and configure WLAN and LAN to be in separate subnets, everything is working fine. Switching back to softswitch configuration will cause DHCP to be filled with BAD_ADDRESS entries. Does anybody have an idea what is happening here?

 

Regards Christoph

I also found this to be an issue on a 90D, completely making their network useless for any new devices which needed an IP address. I'm thinking it would start when a user was connected with WiFi, then plugged into wired connection at his desk. "Detect devices" on the interfaces was not enabled on the soft switch or the WiFi SSID.

 

Remove the WiFi SSID from the soft switch and the problem would go away, but that is not an ideal solution.

 

I upgraded to the newest 5.4 build 1011, as a coworker said this resolved the same issue for him at another location. I'll update with the status.

Camshaft007
New Contributor

I experienced this problem and replaced the offending machine's NIC and voilà! Problem solved. With that said, I only had two Win7Pro clients, one SMB Server (all roles) and a FWF30D (flat network 192.168.0.0/24). But I could replicate the BAD addressing on both the Windows SMB DHCP server AND the FWF30D DHCP server. BTW, this problem will demolish your network performance every time it comes back.

 

What prompted me to replace the NIC was the fact that the offending NIC kept connecting, then dropping when I went to Control Panel->Network Adapters. 

 

BTW, I'm 4+ weeks strong after correcting this problem and users are really happy and the issue has not come back.

 

Hope this helps!

"The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it." - Linus Torvalds
Chris_Carson
New Contributor

I had some weird ARP issues with my softswitch configuration. We had a laptop that would refuse to work, and found that ARP broadcasts were not working properly on our softswitch with internal1, internal3, internal4, but internal 2 would work.

I fixed it by upgrading to 5.2.5.

 

The 5.2.5 release notes have a few mentions about Virtual Switch fixes...

http://docs.fortinet.com/uploaded/files/2762/fortios-v5.2.5-release-notes.pdf

 

Thanks for the help guys!

Chris
