- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Forwarding stops working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forwarding stops working
Hello.
I have a Fortigate 110C in HA configuration.
the problem I am having is that it has started to stop forwarding traffic to an internal server.
It has worked fine for many moths and suddenly started to give me problems.
I upgraded the firmware to v5.0,build0252 (GA Patch 5) in case but it still behave the same.
When I reboot it immediatly starts to work again when the other unit takes over and after that i works for up to two days before failing again.
Anyone got any hint in what is going on?
The setup is as below. I have configured a virtual ip listening to port 443 on ip #.#.#.141. Then a policy to allow the traffic.
config system zone
edit " UntrustZONE"
set interface " wan1"
set intrazone allow
next
edit " TrustZONE"
set interface " port1"
set intrazone allow
next
end
config firewall vip
edit " FPTimeExt"
set extip #.#.#.141
set extintf " wan1"
set portforward enable
set color 25
set mappedip 172.29.1.11
set extport 443
set mappedport 443
next
end
config firewall policy
edit 20
set srcintf " UntrustZONE"
set dstintf " TrustZONE"
set srcaddr " all"
set dstaddr " FPTimeExt"
set action accept
set schedule " always"
set service " ANY"
set logtraffic enable
next
end
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you really need a zone for this? I would rid the zone members and apply the policies directly and see what happens.
Have you done any diagnostics;
flow, sniffer,etc......
Are you sure no other policies where moved, dropped or changed due to the upgrade.
and imho a zone with just one member, is adding more complexity to a fwpolicies & offers no advantage.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@emnoc:
Ede
"Kernel panic: Aiee, killing interrupt handler!"
and imho a zone with just one member, is adding more complexity to a fwpolicies & offers no advantageThere is an advantage: by using a zone you can completely rename a port. I cannot see how that would add complexity though, just on the contrary. The OP is probably using zones in transition from a Netscreen/JunOS firewall configuration. @Dagwyn: I remember having read about a recent quirk when using ports in firewall policies which where also members of a zone. I think 5.0.6 fixed that, have a look at the Release Notes. But READ them before upgrading, definitely! Not using zones might be a good idea after all, only for different reasons.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I haven' t found it in the actual release notes, but there was one issue regarding Zones in v5, but that shouldn' t apply here...
Policies that used interfaces directly, which were also used in zones would get delete upon upgrade (I think to 5.0.4) - I think this kind of policy was dropped with this release!
I would also recommend to sniff and do a flow debug to see why this traffic isn' t processed!
Regarding the Zone Topic:
It is often very very usefull to start an installation from scratch with using Zones as good as you can!
If you might make bigger changes in the network topology this can save days and weeks of work:
- Easily add an additional internal vlan, SSID, Remote APs whatever via just some clicks...
- Add an additional ISP uplink or migrate uplink connectivity
- ...
br,
Roman
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This setup was configured by our supplier when installed. I have on a few occasions started with a fresh config when doing firmware upgrade but have kept the zones, they are not really needed as some has mentioned.
I have tried logging the traffic but when it is not working it does not generate ANYTHING.
# diagnose debug enable # diagnose debug flow filter addr # diagnose debug flow show console enable # diagnose debug flow show function-name enable # diagnose debug flow trace start 100 id=13 trace_id=1 func=resolve_ip_tuple_fast line=4299 msg=" vd-root received a packet(proto=6, #.#.86.157:38504->#.#.#.141:443) from wan1." id=13 trace_id=1 func=init_ip_session_common line=4430 msg=" allocate a new session-00015605" id=13 trace_id=1 func=get_new_addr line=2401 msg=" find SNAT: IP-172.29.1.11(from IPPOOL), port-443" id=13 trace_id=1 func=fw_pre_route_handler line=175 msg=" VIP-172.29.1.11:443, outdev-wan1" id=13 trace_id=1 func=__ip_session_run_tuple line=2522 msg=" DNAT #.#.#.141:443->172.29.1.11:443" id=13 trace_id=1 func=vf_ip4_route_input line=1603 msg=" find a route: gw-172.29.1.11 via port1" id=13 trace_id=1 func=__iprope_tree_check line=534 msg=" use addr/intf hash, len=4" id=13 trace_id=1 func=fw_forward_handler line=663 msg=" Allowed by Policy-20:" etc.Just realised that it seems as it' s always the same unit that behave like this. When I reboot it switches to the slave and it works for a while. Both units have the same priority.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible, that there is another device on the outside, that might hook onto that .141 ip address and poisons the ARP table of the outside router?
Related Posts
- sd-wan issue 156 Views
- SSL-VPN Bookmarks SSO with SAML auth 218 Views
- HardwareSwitch SoftwareSwitch in 7.2.8M 214 Views
- Forticlient stopped working with Okta 258 Views
- dynamic ipool change - SNAT fort... 254 Views
Labels
-
FortiGate
6,586 -
FortiClient
1,312 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
336 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
SNMP
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
Web application firewall profile
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.