Based on the following network structure below, I am unable to ping from the router to the VPC and vice versa.
Fortinet firewall does not reply to the ARP request when I run the "diagnose sniffer packet" command.
ARP table contains information of the router and the Virtual PC.
FortiGate-2 # get system arp
Address Age(min) Hardware Addr Interface
172.16.101.3 0 50:00:00:09:00:00 port2
11.1.1.2 0 00:50:79:66:68:08 port3
Sniffer output when I ping from Router to VPC:
2.4294596056 port2 out arp who-has 172.16.101.3 tell 172.16.101.1
2.4294597165 port2 in arp reply 172.16.101.3 is-at 50:00:00:09:00:00
10.4294304486 port2 in arp who-has 11.1.1.2 tell 172.16.101.3
12.4294304079 port2 in 172.16.101.3 -> 11.1.1.2: icmp: echo request
14.4294304828 port2 in arp who-has 11.1.1.2 tell 172.16.101.3
16.4294305817 port2 in 172.16.101.3 -> 11.1.1.2: icmp: echo request
18.4294305479 port2 in arp who-has 11.1.1.2 tell 172.16.101.3
36.4294756214 port2 out arp who-has 172.16.101.3 tell 172.16.101.1
36.4294757044 port2 in arp reply 172.16.101.3 is-at 50:00:00:09:00:00
70.4294916277 port2 out arp who-has 172.16.101.3 tell 172.16.101.1
70.4294917442 port2 in arp reply 172.16.101.3 is-at 50:00:00:09:00:00
Sniffer output when I ping from VPC to Router:
8.4294281397 port3 in 11.1.1.2 -> 172.16.101.3: icmp: echo request
10.4294281902 port3 in 11.1.1.2 -> 172.16.101.3: icmp: echo request
12.4294276761 port2 out arp who-has 172.16.101.3 tell 172.16.101.1
12.4294277795 port2 in arp reply 172.16.101.3 is-at 50:00:00:09:00:00
12.4294283060 port3 in 11.1.1.2 -> 172.16.101.3: icmp: echo request
14.4294283439 port3 in 11.1.1.2 -> 172.16.101.3: icmp: echo request
16.4294284616 port3 in 11.1.1.2 -> 172.16.101.3: icmp: echo request
Routing table:
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172.16.101.3, port2, [1/0]
S 10.1.1.0/24 [10/0] via 172.16.101.3, port2, [1/0]
C 11.1.1.0/24 is directly connected, port3
C 172.16.101.0/24 is directly connected, port2
I have setup a simple network structure in Eve-NG with the following:
1x fortinet firewall v7.2.0
1x Virtual PC
1x Cisco router
VPC2
IP/MASK: 11.1.1.2/24
GATEWAY: 11.1.1.1
Fortinet2
Port3: 11.1.1.1/24
Port2: 172.16.101.1/24
Default Static route: 0.0.0.0/0 to gateway IP 172.16.101.3, interface Port2
vIOS_R1
Gi0/0: 172.16.101.3/24
ip route 11.1.1.0 255.255.255.0 GigabitEthernet0/0
On port2 the subnet is 172.16.101.1/24 and the gateway IP is 172.16.101.3- so the arp request should come from the gateway IP to the port2 IP , no such request is received on the fortigate . Below is a out arp request from the fortigate to gateway. There should be an incoming request from the gateway IP 172.16.101.3 which is missing here. Please check your gateway
2.4294596056 port2 out arp who-has 172.16.101.3 tell 172.16.101.1
Hi @amrit , there is an ARP request from the router for 172.16.101.1 (Fortinet port2 WAN interface) & ARP reply from the Fortinet firewall:
Router debug ARP:
*Jul 14 03:15:11.042: IP ARP: creating incomplete entry for IP address: 11.1.1.2 interface GigabitEthernet0/0 tableid 0
*Jul 14 03:15:11.042: IP ARP: sent req src 172.16.101.3 5000.0009.0000,
dst 11.1.1.2 0000.0000.0000 GigabitEthernet0/0.
*Jul 14 03:15:13.041: IP ARP throttled out the ARP Request for 11.1.1.2 tableid 0.
*Jul 14 03:15:15.041: IP ARP: sent req src 172.16.101.3 5000.0009.0000,
dst 11.1.1.2 0000.0000.0000 GigabitEthernet0/0.
*Jul 14 03:15:17.041: IP ARP: sent req src 172.16.101.3 5000.0009.0000,
dst 11.1.1.2 0000.0000.0000 GigabitEthernet0/0.
*Jul 14 03:15:19.041: IP ARP: sent req src 172.16.101.3 5000.0009.0000,
dst 11.1.1.2 0000.0000.0000 GigabitEthernet0/0.
*Jul 14 03:15:26.778: IP ARP: rcvd req src 172.16.101.1 5000.0005.0001, dst 172.16.101.3 GigabitEthernet0/0 tableid 0
*Jul 14 03:15:26.778: IP ARP: sent rep src 172.16.101.3 5000.0009.0000,
dst 172.16.101.1 5000.0005.0001 GigabitEthernet0/0
Fortinet firewall sniffer arp:
filters=[host 172.16.101.3 and host 172.16.101.1 or arp]
0.577273 port2 out arp who-has 172.16.101.3 tell 172.16.101.1
0.578744 port2 in arp reply 172.16.101.3 is-at 50:00:00:09:00:00
3.503005 port2 in arp who-has 11.1.1.2 tell 172.16.101.3
7.501633 port2 in arp who-has 11.1.1.2 tell 172.16.101.3
9.501081 port2 in arp who-has 11.1.1.2 tell 172.16.101.3
11.500909 port2 in arp who-has 11.1.1.2 tell 172.16.101.3
Ping should work between the router and the PC in this network structure?
diagnose debug flow for a ping sent from VPC to Router, it seems to be missing the lines from iprope_fwd_check etc.. not too sure why.
id=65308 trace_id=6 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 11.1.1.2:18250->172.16.101.3:2048) tun_id=0.0.0.0 fro
m port3. type=8, code=0, id=18250, seq=1."
id=65308 trace_id=6 func=init_ip_session_common line=6076 msg="allocate a new session-000004b8, tun_id=0.0.0.0"
id=65308 trace_id=6 func=iprope_dnat_check line=5331 msg="in-[port3], out-[]"
id=65308 trace_id=6 func=iprope_dnat_tree_check line=823 msg="len=0"
id=65308 trace_id=6 func=iprope_dnat_check line=5343 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=6 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-172.16.101.3 via port2"
id=65308 trace_id=7 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 11.1.1.2:18762->172.16.101.3:2048) tun_id=0.0.0.0 from port3. type=8, code=0
, id=18762, seq=2."
As per the debugs, the ping request is coming from port3 with source 11.1.1.2 and destination 172.16.101.3 <--this IP is your gateway behind port2, you should have a firewall policy from port3 to port2
id=65308 trace_id=6 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 11.1.1.2:18250->172.16.101.3:2048) tun_id=0.0.0.0 fro
m port3. type=8, code=0, id=18250, seq=1."
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.