Hairpin Route Issue After 5.2.3 Upgrade
Hi! I have a strange issue that I'm hoping someone can provide some insight on.
After upgrading a 90D unit from 5.2.1 to 5.2.3, its "hairpin" routes (same source and destination interface) are having issues. It seems they are working fine for simple pings, but under load (websites, ICA and database connections) I get timeouts. If I add a static route on the PC itself, everything works fine, so I know the issue is with the Fortinet.
On this unit, Internal1 is at 10.0.0.254/24 and that is the site's main LAN. We have this route in there (one example):
edit 2
    set dst 10.52.0.0 255.255.0.0
    set gateway 10.0.0.245
There is no NAT going on or anything like that.
Another thing I noticed is that the Fortinet refuses to do this route at all unless I have an Internal1 > Internal1 Allow policy set up. I went through my FortiManager and saw several units that have hairpin routes and no allow policies (although I think they are all still on 5.2.1), and I wouldn't think this would be necessary?
EDIT: I tried reducing the distance on the route from default 10 to 5, but it made no difference.
Just in case anyone finds this later, it turned out that someone had duplicated all of the hairpin static routes with Policy routes (set to source 0.0.0.0, all ports and protocols. WTF). When I deleted these, the normal static routes started working as expected.
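A config-audit check for the situation this fix describes, added here as an example and not code from the thread's authors or from Fortinet: it parses a FortiOS-style config export (the CLI syntax of the constructed sample is an assumption based on 5.x, not a dump from the poster's unit) and flags policy routes with a 0.0.0.0 source that duplicate a static route's destination and gateway, since FortiOS consults policy routes before the routing table.

```python
import re
from ipaddress import ip_network

# Constructed sample FortiOS config export; the CLI syntax is an assumption
# based on FortiOS 5.x, not a dump taken from the poster's unit.
SAMPLE_CONFIG = """
config router static
    edit 2
        set dst 10.52.0.0 255.255.0.0
        set gateway 10.0.0.245
        set device "internal1"
    next
end
config router policy
    edit 1
        set input-device "internal1"
        set src "0.0.0.0/0.0.0.0"
        set dst "10.52.0.0/255.255.0.0"
        set gateway 10.0.0.245
        set output-device "internal1"
    next
end
"""

def parse_section(config, name):
    """Return {entry_id: {key: value}} for one 'config router <name>' block."""
    m = re.search(r"config router %s\n(.*?)\nend" % name, config, re.S)
    body = m.group(1) if m else ""
    entries = {}
    for block in re.finditer(r"edit (\d+)\n(.*?)\n\s*next", body, re.S):
        # Each "set key value" line; quotes around the value are optional.
        entries[int(block.group(1))] = dict(
            re.findall(r'set (\S+) "?([^"\n]+?)"?\s*$', block.group(2), re.M))
    return entries

def to_network(value):
    # Static routes use "addr mask", policy routes use "addr/mask"; normalise both.
    return ip_network(value.replace(" ", "/"), strict=False)

def find_shadowing_policy_routes(config):
    """Policy routes with a wildcard source that duplicate a static route; FortiOS
    checks policy routes before the routing table, so they take over that traffic."""
    statics = parse_section(config, "static")
    findings = []
    for pid, pol in sorted(parse_section(config, "policy").items()):
        if to_network(pol.get("src", "0.0.0.0/0.0.0.0")).prefixlen != 0:
            continue  # a scoped source looks deliberate; only 0.0.0.0/0 is flagged
        dst = to_network(pol.get("dst", "0.0.0.0/0.0.0.0"))
        for sid, st in sorted(statics.items()):
            if to_network(st["dst"]) == dst and st.get("gateway") == pol.get("gateway"):
                findings.append((pid, sid, str(dst)))
    return findings
```

Each finding is a (policy route id, static route id, destination) tuple; on the sample it reports policy route 1 shadowing static route 2 for 10.52.0.0/16.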