Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Hairpin Route Issue After 5.2.3 Upgrade

Hi!  I have a stange issue that I'm hoping someone can provide some insight on.


After upgrading a 90D unit from 5.2.1 to 5.2.3, it's "hairpin" routes (same source and destination interface) are having issues.  It seems they are working fine for simple pings, but under load (websites, ICA and database connections) I get timeouts.  If I add a static route on the PC itself, everything works fine, so I know the issue is with the Fortinet.


On this unit, Internal1 is at and that is the site's main LAN.  We have this route in there (one example):

   edit 2        set dst        set gateway


There is no NAT going on or anything like that.


Another thing I noticed is that the fortinet refuses to do this route at all unless I have an Internal1 > Internal1 Allow policy set up.  I went though my FortiManager and saw several units that have hairpin routes and no allow policies (although I think they are all still on 5.2.1), and I wouldn't think this would be necessary?


EDIT: I tried reducing the distance on the route from default 10 to 5, but it made no difference.

New Contributor

Just in case anyone finds this later, it turned out that someone had duplicated all of the hairpin static routes with Policy routes (set to source, all ports and protocols.  WTF).  When I deleted these, the normal static routes started working as expected.