Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ForgetItNet
Contributor

Hairpin Policy Not Working

Hi all,

I've had a look through the previous posts but can only find how to set this up and not much on troubleshooting it when it doesn't work....so

Got a 100E that has a main LAN ip of 192.168.1.20 and we've added a secondary ip of 192.168.100.20 on the same interface. From the CLI on the same router i can ping both 1.20 and 100.20 and also can ping a device on the 100.20 network (that is on 192.168.100.60). Now we have another router at another branch and i can ping through the VPN and get a response from both 1.20 AND 100.20 from the other branch but i cannot get a response from 100.60 ?

I have added a hairpin policy to allow everything from the LAN interface to the LAN interface (where this secondary IP is added) but i still cannot get either a ping or get onto the web page of the device on 192.168.100.60 ?

I have tried to do this from a PC also on the same subnet as the main IP on the router (192.168.1.0) and i cannot get a ping to that so it looks like data is not passing from the secondary ip to the primary LAN ?

Any ideas would be great.

Thanks

 

4 REPLIES 4
AlexC-FTNT
Staff
Staff

AlexCFTNT_0-1645888314619.png

Please correct the above diagram if wrong.

"Hairpin" usually refers to a NAT (and a VIP involved).
There is no NAT needed in your policy and no VIP mentioned in your description


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
ForgetItNet
Contributor

Thanks Alex, that diagram is correct and there's no NAT enabled on the policy but not sure what you mean by VIP on this ? I know what a VIP is but not sure where it's relevant on this scenario ? I'm hoping this is what I'm missing and I've just mis-understood how to set this up ? I've tried a ping to 100.60 from the 1.20 interface and that doesn't work so obviously there is no traffic going between the IP's on the same interface.

ForgetItNet
Contributor

Done a packet capture as well from 1.20 to 100.60 and it looks like ping is getting to 1.20 but no reply coming back ? However i can ping 100.60 just from the CLI (without specifying a source and it does reply)

AlexC-FTNT
Staff
Staff

The image has quite some troubleshooting steps.

Please follow that and attach some relevant output if you need, or open a support case. The verbal confirmation of these tests that you performed is not sufficient to guess the problem. I'm quite sure that you missed a policy lan>lan or VPN>lan or lan>VPN... but who knows, maybe there is more - I also don't have a configuration file to verify, therefore guessing is not very accurate :)

(if there is no VIP, then there's something crossed off the list of possible issues)


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors