Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mspada
New Contributor II

Created on ‎02-19-2024 02:37 AM Edited on ‎02-19-2024 03:07 AM

Fortigate - Vip on secondary network does not work

Hello,

Issue description:

Fortigate 60E (7.2.7) with 2 interface configured

1) WAN 151.22.102.209/29 public address (connected to Internet)

 

2) Port1 address 192.168.4.254/24

Secondary ip address 192.168.5.254/24

 

Internal Server1 192.168.4.200

Internal Server2 192.168.5.200

------------------------------------------------------------------------------------------------

Trying from the Internet:

Vip 151.22.102.210 to 192.168.4.200 WORKS!

by modifying the VIP in:

Vip 151.22.102.210 to 192.168.5.200 IT DOES NOT WORK

 

I can ping 192.168.5.200 from Fortigate

 

Thank You in advanced.

Regards

MS

Marco Spada
Marco Spada
Labels:
329
0 Kudos
1 Solution
hbac
Staff
Staff

Created on ‎02-19-2024 06:31 AM

Hi @mspada.,

 

You are using the same public IP address for 2 internal servers. Do you have port forwarding enabled for each VIP to use different ports? If port forwarding is disabled, you should use different public IP addresses for each of them. 

 

Regards, 

View solution in original post

264
0 Kudos
5 REPLIES 5
AEK
SuperUser
SuperUser

Created on ‎02-19-2024 03:14 AM

Hi

Do you confirm that the default gateway of internal server 2 is 192.168.5.254?

AEK
AEK
305
mspada
New Contributor II
In response to AEK

Created on ‎02-19-2024 04:13 AM

Hi,

I don't know, I'm asking my client. 
I will let you know. 
In any case, if in the policy from internet to internal lan I choose NAT (not with interface) but with an overloaded object created by me 192.168.5.254 it should still work, but unfortunately this doesn't happen
Marco Spada
Marco Spada
289
0 Kudos
AEK
SuperUser
SuperUser
In response to mspada

Created on ‎02-19-2024 04:58 AM

This should confirm that the default gateway of internal server 2 is not 192.168.5.254.

NAT as you did is a workaround but I think not the best & cleanest solution.

AEK
AEK
277
mle2802
Staff
Staff

Created on ‎02-19-2024 06:03 AM

Hi @mspada,

Can you try to run the debug flow when accessing the second VIP. Replace X.X.X.X with public IP where you accessing from.
diag debug reset

diag debug flow filter addr X.X.X.X
diag debug flow show ip en

diag debug flow show func en

diag debug console time ena

diag debug ena

diag debug flow trace start 999

Regards,

271
hbac
Staff
Staff

Created on ‎02-19-2024 06:31 AM

Hi @mspada.,

 

You are using the same public IP address for 2 internal servers. Do you have port forwarding enabled for each VIP to use different ports? If port forwarding is disabled, you should use different public IP addresses for each of them. 

 

Regards, 

265
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.