Hi all,
I know I must be doing something stupid or small incorrectly. I have a WAN port configured as a TRUNK, and a LAN port configured as an Access Port. Both WAN and LAN ports are in their own VDOM. But I cannot ping the locally connected gateways at either side, and neither can they ping me. I can ping my LAN and WAN interfaces ok.
Doing a "get router info routing-table all" shows me my two connected interfaces. So I'm really at a loss as to why I can't ping either. The switch configs are 100% correct.
Hi,
For those interfaces, do you have "set allowaccess ping" set?
Also, can you show the output of "show system interface < >" for both?
One should be type vlan and vlan id X and one w/o those.
Trunk port means the Fortigate expects the traffic hitting that port to carry a VLAN tag; is the connected device configured with the correct VLAN?
Access means the Fortigate is not expecting a VLAN tag (can you confirm how you configured the access port)? What is the connected device on this port? Is it a switch or a PC/laptop?
Thanks all,
I edited my original post to confirm that the WAN and LAN ports are in a VDOM separate from the Mgmt (in root)
The WAN switchport config is straightforward:
interface Ethernet1/1
description Wan1(outside)
switchport mode trunk
switchport trunk allowed vlan 100
spanning-tree port type edge
spanning-tree guard root
storm-control broadcast level 1.00
The LAN port is simply:
interface Ethernet1/2
description Lan1(inside)
switchport access vlan 101
And:
config system interface
edit "wan1"
set vdom "ABC"
set allowaccess ping
set type physical
set alias "WAN"
set snmp-index 1
next
edit "internal1"
set vdom "ABC"
set ip 10.29.29.3 255.255.255.0
set allowaccess ping
set type physical
set alias "LAN"
set device-identification enable
set snmp-index 12
next
edit "OUTSIDE-WAN"
set vdom "ABC"
set ip 172.20.20.6 255.255.255.248
set allowaccess ping
set description "WAN Trunk"
set snmp-index 16
set interface "wan1"
set vlanid 100
next
end
The config you showed looks fine. So the problem must be somewhere you didn't show. But first, this part of your original post was not clear:
"But I cannot ping the locally connected gateways at either side, and neither can they ping me. I can ping my LAN and WAN interfaces ok."
Where exactly did you ping from when the pings to the gateways failed? And what was the ping source for the ones that got "ok"?
The FGT should have only one gateway in your setting, which should be the WAN gateway. So for that one you must have pinged "from the FGT" to something like 172.20.20.1/29. And it failed?
But on the LAN side, the 10.29.29.3/24 must be the gateway for all devices connected to the switch (vlan 101). You pinged from one of those devices toward the FGT's .3 IP and it failed?
Toshi
I removed all static routes.
I simply used the console from the web GUI and pinged my 10.29.29.3 address and my 172.20.20.6 address, and both replied as expected.
But when I tried to ping 10.29.29.1 (which I know exists), I get no response, nor do I when trying to ping 172.20.20.254.
I hope this clarifies things.
Then the problem must be that the destination sides are not on the same vlan at the switch, or not connected in the switch. Can you share the config on the ports those destination devices are connected to at the switch?
Toshi
Unfortunately I can't fully, as I don't have access.
But I absolutely would agree that everything now points to a switchport-to-FW-port issue.
By the way, your previous description was mixing up those two subnets. You probably meant to ping 172.20.20.1(/29) and 10.29.29.254(/24).
If you don't manage/have access to the switch, you could at least keep a sniffer running, like:
diag sniffer packet OUTSIDE-WAN 'net 172.20.20.0/29'
or
diag sniffer packet internal1 'net 10.29.29.0/24'
then have the other side ping the FGT's IPs. If you don't see anything coming in, the problem is on the switch.
Toshi
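As an added example (not from the thread or any of the posters), here is a small Python checker for the trunk/access mismatch Toshi's posts point to: it parses the switchport stanzas and the FortiGate "config system interface" output and reports where the two sides disagree about 802.1Q tagging. The abbreviated sample configs and the port-to-interface mapping (PORT_MAP) are constructed from the values quoted in this thread; the real cabling is an assumption.

```python
import re
# Constructed sample input, abbreviated from the switch and FortiGate configs quoted above
SWITCH_CONFIG = """\
interface Ethernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 100
interface Ethernet1/2
 switchport access vlan 101
"""
FGT_CONFIG = """\
edit "OUTSIDE-WAN"
 set interface "wan1"
 set vlanid 100
next
"""
PORT_MAP = {"Ethernet1/1": "wan1", "Ethernet1/2": "internal1"}  # assumed cabling

def parse_switch(text):
    """Map each switchport to its mode and VLAN set (comma lists only, no ranges)."""
    ports, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ports.setdefault(m.group(1), {"mode": "access", "vlans": set()})
        elif cur and line == "switchport mode trunk":
            cur["mode"] = "trunk"
        elif cur and (m := re.match(r"switchport (?:trunk allowed|access) vlan ([\d,]+)$", line)):
            cur["vlans"] = {int(v) for v in m.group(1).split(",")}
    return ports

def parse_fgt(text):
    """Map each FortiGate physical port to the 802.1Q tags its VLAN sub-interfaces expect."""
    tagged, cur = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r'set (interface|vlanid) "?([^"]+)"?$', line):
            cur[m.group(1)] = m.group(2)
        elif line == "next":
            if "vlanid" in cur and "interface" in cur:
                tagged.setdefault(cur["interface"], set()).add(int(cur["vlanid"]))
            cur = {}
    return tagged

def find_mismatches(switch_text, fgt_text, port_map):
    """List tagging mismatches between the two sides; an empty list means they agree."""
    ports, tagged, problems = parse_switch(switch_text), parse_fgt(fgt_text), []
    for sw, fgt in port_map.items():
        p, want = ports[sw], tagged.get(fgt, set())
        if p["mode"] == "trunk" and (missing := want - p["vlans"]):
            problems.append(f"{sw}: trunk does not allow VLAN {sorted(missing)} tagged by {fgt}")
        elif p["mode"] == "access" and want:
            problems.append(f"{sw}: access port, but {fgt} expects tagged VLAN {sorted(want)}")
    return problems
```

On the thread's own configs the checker returns an empty list, which matches Toshi's reading that the FortiGate side is fine and the fault lies at the switch ports the gateways sit on.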