Hi! I have a strange issue that I'm hoping someone can provide some insight on.
After upgrading a 90D unit from 5.2.1 to 5.2.3, its "hairpin" routes (same source and destination interface) are having issues. They seem to work fine for simple pings, but under load (websites, ICA and database connections) I get timeouts. If I add a static route on the PC itself, everything works fine, so I know the issue is with the Fortinet.
On this unit, Internal1 is at 10.0.0.254/24 and that is the site's main LAN. We have this route in there (one example):
```
edit 2
    set dst 10.52.0.0 255.255.0.0
    set gateway 10.0.0.245
```
There is no NAT going on or anything like that.
Another thing I noticed is that the Fortinet refuses to do this route at all unless I have an Internal1 > Internal1 Allow policy set up. I went through my FortiManager and saw several units that have hairpin routes and no allow policies (although I think they are all still on 5.2.1), and I wouldn't think this would be necessary?
EDIT: I tried reducing the distance on the route from default 10 to 5, but it made no difference.
Just in case anyone finds this later: it turned out that someone had duplicated all of the hairpin static routes with policy routes (set to source 0.0.0.0, all ports and protocols; WTF). When I deleted these, the normal static routes started working as expected.
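For anyone reproducing this, here is an added illustration of the configuration the thread describes; it is not the poster's actual config. The two facts it relies on are FortiGate behaviour: a policy route is matched before the routing table is consulted, so a catch-all policy route (source 0.0.0.0/0, protocol 0) wins over a static route no matter how low the static route's distance is set; and traffic that enters and leaves on the same interface still passes through the firewall, so an internal1 -> internal1 accept policy is required for a hairpin to work at all. Interface name, the object IDs, the policy ID and the 5.2-era space-separated `set src` / `set dst` syntax are assumptions (newer builds use quoted `addr/mask` lists); check the CLI help on your own firmware.

```fortios
# Added example, not the original poster's configuration. Hypothetical
# interface name "internal1", object IDs and 5.2-style address syntax.

# 1. The intended hairpin static route: 10.52.0.0/16 via a router at
#    10.0.0.245, which sits on the same interface the clients use.
config router static
    edit 2
        set dst 10.52.0.0 255.255.0.0
        set gateway 10.0.0.245
        set device "internal1"
    next
end

# 2. Same-interface traffic is still policy-checked, so without this
#    accept policy the hairpin flows are dropped even though the route exists.
config firewall policy
    edit 10
        set srcintf "internal1"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 3. The offending entry described in the thread: a policy route that matches
#    any source and any protocol toward the same prefix. Policy routes are
#    evaluated before the routing table, so this entry, not the static route,
#    decides the next hop; lowering the static route's distance changes nothing.
#    Shown here only so it can be recognised; the fix is to delete it.
config router policy
    edit 1
        set input-device "internal1"
        set src 0.0.0.0 0.0.0.0
        set dst 10.52.0.0 255.255.0.0
        set protocol 0
        set gateway 10.0.0.245
        set output-device "internal1"
    next
end

# 4. Remove the catch-all policy route (hypothetical ID 1).
config router policy
    delete 1
end

# 5. Verify: the policy-route list should no longer contain an entry for the
#    prefix, and a lookup for a host inside it should return static route 2.
diagnose firewall proute list
get router info routing-table details 10.52.0.1
```

When auditing a fleet from FortiManager, step 5 is the quick check: run `diagnose firewall proute list` on each unit and look for entries whose source is 0.0.0.0/0 and protocol is 0, since those override every static route toward their destination.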