- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- From a NEW 80F install, can't ping next hops over ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
From a NEW 80F install, can't ping next hops over LAN or WAN interfaces (in separate VDOM from Mgmt)
Hi all,
I know I must be doing something stupid or small incorrectly. I have a WAN port configured as a TRUNK, and a LAN port configured as an Access Port. Both WAN and LAN ports are in their own VDOM. But I cannot ping the locally connected gateways at either side, and neither can they ping me. I can ping my LAN and WAN interfaces ok.
Doing a "get router info routing-table all" shows me my two connected interfaces. So I'm really at a loss as to why I can't ping either. The switch configs are 100% correct.
Cormac Champion
Cormac Champion
Labels:
- Labels:
-
FortiGate
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
For those interfaces do you have, set allowaccess ping , set ?
Also, can you do show the output of , show system interface < > for both ?
One should be type vlan and vlan id X and one w/o those.
geek
geek
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trunk port means the Fortigate expects the traffic hitting that port with VLAN Tag, is the connected device configured with correct VLAN?
Access means, Fortigate is not expecting a VLAN tag ( can you confirm how you configured access port)? What is the connected device on this port? Is it a switch or PC/Laptop?
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks all,
I edited my original post to confirm that the WAN and LAN ports are in a VDOM separate from the Mgmt (in root)
The WAN switchport config is straight forward
interface Ethernet1/1
description Wan1(outside)
switchport mode trunk
switchport trunk allowed vlan 100
spanning-tree port type edge
spanning-tree guard root
storm-control broadcast level 1.00
The LAN port is simply
interface Ethernet1/2
description Lan1(inside)
switchport access vlan 101
Cormac Champion
Cormac Champion
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And
config system interface
edit "wan1"
set vdom "ABC"
set allowaccess ping
set type physical
set alias "WAN"
set snmp-index 1
next
edit "internal1"
set vdom "ABC"
set ip 10.29.29.3 255.255.255.0
set allowaccess ping
set type physical
set alias "LAN"
set device-identification enable
set snmp-index 12
next
edit "OUTSIDE-WAN"
set vdom "ABC"
set ip 172.20.20.6 255.255.255.248
set allowaccess ping
set description "WAN Trunk"
set snmp-index 16
set interface "wan1"
set vlanid 100
next
end
Cormac Champion
Cormac Champion
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The config you showed looks fine. So the problem must be at somewhere you didn't show. But first, in your original post below was not clear.
"But I cannot ping the locally connected gateways at either side, and neither can they ping me. I can ping my LAN and WAN interfaces ok."
Where exactly you pinged from to fail the gateways? And the ping source and got "ok"?
The FGT should have only one gateway in your setting, which should be wan gateway. So for that one you must have pinged "from the FGT" to like 172.20.20.1/29. And it failed?
But LAN side the 10.29.29.3/24 must be the gateway for all devices connected to the switch (vlan 101). You pinged from one of the devices toward the FGT's .3 IP and failed?
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I removed all static routes
I simply used the Console from the webgui, and pinged my 10.29.29.3 address and my 172.20.20.6 address, and both replied as expected
But when I tried to ping 10.29.29.1 (which I know exists), I get no response, nor do I when trying to ping 172.20.20.254
I hope this clarifies things
Cormac Champion
Cormac Champion
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then the problem must be that the destination sides are not on the same vlan at the switch, or not connected in the switch. Can you share the config on the ports those destination devices are connected to at the switch?
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately I can't fully, as I don't have access
But I absolutely would agree that everything now points to a switchport to FW port issue
Cormac Champion
Cormac Champion
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By the way, your previous description was mixing up those two subnets. You probably meant to ping 172.20.20.1(/29) and 10.29.29.254(/24).
If you don't manage/have access to the switch, you could at least keep running sniffing like:
diag sniffer packet OUTSIDE-WAN 'net 172.20.20.0/29'
or
diag sniffer packet internal1 'net 10.29.29.0/24'
then let the other side pining the FGT's IPs. If you don't see anything coming in, the problem is on the switch.
Toshi
Related Posts
- How to configure physical internal switch... 175 Views
- Fortigate 7.2 SDWAN + ADVPN 238 Views
- Fortigate 80E Policy not being recognized 532 Views
- Firewall Policies not working as expected 705 Views
- Strange issue with Fortigate 200E web... 299 Views
Labels
-
FortiGate
6,716 -
FortiClient
1,336 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
344 -
FortiAP
342 -
FortiClient EMS
272 -
FortiMail
261 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
82 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
61 -
FortiProxy
46 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
SD-WAN
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
22 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
Authentication
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
Web application firewall profile
5 -
Web profile
5 -
FortiTester
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.