Hi! I have a strange issue that I'm hoping someone can provide some insight on.
After upgrading a 90D unit from 5.2.1 to 5.2.3, its "hairpin" routes (same source and destination interface) are having issues. It seems they are working fine for simple pings, but under load (websites, ICA and database connections) I get timeouts. If I add a static route on the PC itself, everything works fine, so I know the issue is with the Fortinet.
On this unit, Internal1 is at 10.0.0.254/24 and that is the site's main LAN. We have this route in there (one example):
set dst 10.52.0.0 255.255.0.0
set gateway 10.0.0.245
There is no NAT going on or anything like that.
Another thing I noticed is that the Fortinet refuses to do this route at all unless I have an Internal1 > Internal1 Allow policy set up. I went through my FortiManager and saw several units that have hairpin routes and no allow policies (although I think they are all still on 5.2.1), and I wouldn't think this would be necessary?
EDIT: I tried reducing the distance on the route from default 10 to 5, but it made no difference.