Hi All!
I have the problem in the title.
The following illustration is the current situation, and it works fine.
And the unit test of the added network is as the following illustration (Reference: https://getlabsdone.com/how-to-configure-dmz-on-the-fortigate-firewall )
Ping/FTP access from Client (20.0.2.118) to FTP Server (10.1.0.2) @ FileZilla works fine.
And I added static route @ EdgeRouter 4 as follows
set protocols static route 10.1.0.0/24 next-hop 10.0.2.16 description 'Intranet to DMZ'
set protocols static route 10.1.0.0/24 next-hop 10.0.2.16 distance 253
Ping from Client (20.0.2.118) to FTP Server (10.1.0.2) works fine.
$ ping 10.1.0.2
PING 10.1.0.2 (10.1.0.2) 56(84) bytes of data.
64 bytes from 10.1.0.2: icmp_seq=1 ttl=127 time=0.770 ms
64 bytes from 10.1.0.2: icmp_seq=2 ttl=127 time=0.498 ms
But FTP won't work @ FileZilla as follows.
Status: Connecting to 10.1.0.2:21...
Status: Connection established, waiting for welcome message...
Netstat @ FTP Server (10.1.0.2) as follows.
TCP 10.1.0.2:21 10.0.2.118:51692 SYN_RECEIVED
It stalls in the SYN_RECEIVED state.
At this time, the netstat result @ Client (10.0.2.118) is as follows.
$ netstat -an|grep 10.1.0
tcp 0 0 10.0.2.118:54432 10.1.0.2:21 ESTABLISHED
After several seconds, the state changed as follows.
$ netstat -an|grep 10.1.0
tcp 0 1 10.0.2.118:54432 10.1.0.2:21 FIN_WAIT1
Result of traceroute @ Client (10.0.2.118) is as follows.
$ traceroute 10.1.0.2
traceroute to 10.1.0.2 (10.1.0.2), 30 hops max, 60 byte packets
 1 _gateway (10.0.2.2) 0.252 ms 0.159 ms 0.155 ms
 2 10.0.2.16 (10.0.2.16) 0.608 ms 0.559 ms 0.510 ms
 3 * * *
 4 * * *
And I tried a packet capture @ Fortigate 40F; I saw the SYN and SYN+ACK present, looks good?
I have no idea why it won't work; I'm missing something.
The Client sent a packet to EdgeRouter4, but the packet received from the Fortigate 40F is invalid, I assume.
But I have no idea how to route the received packet from Fortigate 40F -> EdgeRouter4 -> Client.
Please help me fix this.
Thanks all very much.
Maybe you can try adding the static route towards the FTP server on the Linux client, as suggested in the discussion below.
SYN - Client-----SWITCH-----EDGE RTR------FGT----Server
SYN-ACK - Server-----FGT-----SWITCH-----Client (The router won't get this packet, as the switch already knows the source IP/MAC)
ACK - Client-----SWITCH-----EDGE RTR ------FGT------Server (Now the edge router is getting an ACK packet for a TCP handshake where there was no SYN-ACK.) Can you check if the router is dropping this?
Thanks for your quick reply.
About SYN-ACK - Server-----FGT-----SWITCH-----Client
I tried to add a static route for the return path (FGT --- EDGE RTR) as follows.
And firewall
Still won't work :p
About the ACK, I will try to check.
Thanks a lot.
A static route on the FGT won't help here, since the destination of the SYN-ACK, 10.0.2.118, is in the same subnet as the FGT IP. The FGT will use the directly connected route instead of the static one.
As Toshi suggested, you can try adding a route on the client machine and check.
route add 10.1.0.2 mask 255.255.255.255 10.0.2.16
I would rather try, just to test, adding a static route on the client machine for the DMZ subnet via 10.0.2.16, because likely the problem is that the SYN hits the router first and is then forwarded to the FGT, while the SYN-ACK tries to go directly to the client from the FGT, and I'm suspecting the FGT is dropping it.
Or, you could just sniff the traffic at the interface w/ 10.0.2.16 to see what's coming in and what's going out (or not going out).
<edit>Or, the switch might be learning the destination MAC from the router-forwarded SYN packet, and intercepting the ACK packet and redirecting it to the FGT instead of sending it to the router. Sniffing the interface would tell something.
</edit>
Toshi
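The handshake walk-through earlier in the thread (SYN and ACK via the edge router, SYN-ACK straight from the FGT to the client) and the sniffing suggestion above amount to the same check: replay what each device saw and ask whether the three-way handshake is complete from that device's point of view. The following is an added example, not code from the thread or from any of the vendors mentioned; the capture records and the hop labels (EDGE_RTR, FGT, CLIENT) are constructed to reproduce the symptom described, with the client and server addresses taken from the post.

```python
"""Per-hop TCP handshake check, as a router or stateful firewall would see it.

Added example (not from the thread). CAPTURE is constructed: each record says on
which device a frame was observed, so the asymmetric path discussed in the thread
shows up as an ACK arriving at the edge router for a flow that never had a
SYN-ACK there.
"""
from dataclasses import dataclass

CLIENT = "10.0.2.118"   # addresses from the thread
SERVER = "10.1.0.2"


@dataclass(frozen=True)
class Packet:
    hop: str     # device where the frame was seen (constructed label)
    src: str
    dst: str
    flags: str   # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


# Constructed capture of one handshake attempt, in time order.
CAPTURE = [
    Packet("EDGE_RTR", CLIENT, SERVER, "S"),
    Packet("FGT", CLIENT, SERVER, "S"),
    Packet("FGT", SERVER, CLIENT, "SA"),      # reply leaves the FGT LAN port...
    Packet("CLIENT", SERVER, CLIENT, "SA"),   # ...and reaches the client via the switch only
    Packet("EDGE_RTR", CLIENT, SERVER, "A"),  # router sees the ACK but never saw the SYN-ACK
    Packet("FGT", CLIENT, SERVER, "A"),
]


def flow_key(pkt):
    """Direction-agnostic identifier for the client/server pair."""
    return tuple(sorted((pkt.src, pkt.dst)))


def handshake_verdicts(packets, hop):
    """Replay the frames seen at `hop` and classify each flow's handshake.

    Returns {flow_key: verdict}:
      "complete"   - SYN, SYN-ACK and ACK all observed at this hop
      "asymmetric" - SYN and ACK observed, SYN-ACK never seen (reply took another path)
      "incomplete" - handshake did not finish in the capture
    """
    seen_by_flow = {}
    for p in packets:
        if p.hop != hop:
            continue
        seen_by_flow.setdefault(flow_key(p), set()).add(p.flags)
    verdicts = {}
    for key, seen in seen_by_flow.items():
        if {"S", "SA", "A"} <= seen:
            verdicts[key] = "complete"
        elif {"S", "A"} <= seen:
            verdicts[key] = "asymmetric"
        else:
            verdicts[key] = "incomplete"
    return verdicts


def verdict_for(packets, hop, a=CLIENT, b=SERVER):
    """Verdict for one client/server pair at one hop; "unseen" if no frames there."""
    return handshake_verdicts(packets, hop).get(tuple(sorted((a, b))), "unseen")


if __name__ == "__main__":
    for hop in ("EDGE_RTR", "FGT", "CLIENT"):
        print(f"{hop:9s} {verdict_for(CAPTURE, hop)}")
```

Run against a real capture, the records would come from the per-interface sniffs suggested above (one per device, correlated by the client's source port); the "asymmetric" verdict at the router is the condition a stateful device is likely to drop, which is what the thread is trying to confirm.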
Created on 08-29-2023 08:09 PM Edited on 08-29-2023 08:10 PM
Hi @Toshi_Esumi
I tried a packet capture @ FGT LAN, and the result is as you explained:
SYN
And SYN+ACK
SYN+ACK tries to go directly to the client from the FGT.
SYN+ACK appears at LAN @ FGT; does that mean the FGT is not dropping it?
Thanks a lot,
Neko
I think so. You probably need to check how your switch is handling it next, by, for example, setting up port mirroring if the switch doesn't support packet capture like the 2xx and above models of FortiSwitch. Also run Wireshark on the client machine side at the same time to see if the SYN-ACK is reaching it and if it's responding with an ACK.
In any case, putting the FGT in the same subnet/broadcast domain as the GW device would cause some unexpected/unwanted L2 frame routing behavior like this. With your topology, I would set up a /30 interconnect subnet between the GW router and the FGT instead.
Toshi
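Two points in the replies above are really one route-lookup question: the FGT's reply to 10.0.2.118 follows the directly connected /24 rather than any static route while the FGT sits in the client's subnet, and a /30 interconnect changes that because the client's subnet is then only reachable through the router. The following is an added example, not code from the thread or from Fortinet: a small longest-prefix-match lookup run over two constructed FGT routing tables. The /30 addresses (192.0.2.0/30) and the interface names are constructed, and the administrative distances (connected 0, static 10) are an assumption of this example.

```python
"""Route lookup for the FGT's SYN-ACK in the two topologies discussed.

Added example, not from the thread. Longest-prefix match, ties broken by
administrative distance, with connected routes preferred over static ones
(distances 0 and 10 are an assumption of this example). The /30 interconnect
addresses and interface names are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

CLIENT = "10.0.2.118"        # from the thread
CONNECTED, STATIC = 0, 10    # assumed administrative distances


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    device: str
    gateway: Optional[str] = None   # None: directly connected, deliver on-link
    distance: int = CONNECTED


def route(prefix, device, gateway=None):
    """Build a connected route (no gateway) or a static route (with gateway)."""
    distance = CONNECTED if gateway is None else STATIC
    return Route(ipaddress.ip_network(prefix), device, gateway, distance)


def lookup(table, dst):
    """Best route for dst: longest prefix first, then lowest distance."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in table if d in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.distance))


def return_path(table, dst):
    """Describe where the FGT sends its reply: on-link or via a gateway."""
    r = lookup(table, dst)
    if r is None:
        return "no route"
    if r.gateway is None:
        return f"on-link via {r.device}"
    return f"via {r.gateway} on {r.device}"


# Topology in the thread: the FGT LAN port sits in the client's /24, plus the
# static return route the poster tried (10.0.2.0/24 via the edge router).
FLAT_LAN = [
    route("10.0.2.0/24", "lan"),
    route("10.1.0.0/24", "dmz"),
    route("10.0.2.0/24", "lan", gateway="10.0.2.2"),
]

# The /30 interconnect suggested above (constructed 192.0.2.0/30, router at .1):
# the client's subnet is only reachable through the router, so replies go back
# along the same path the SYN took.
P2P_LINK = [
    route("192.0.2.0/30", "wan1"),
    route("10.1.0.0/24", "dmz"),
    route("0.0.0.0/0", "wan1", gateway="192.0.2.1"),
]


if __name__ == "__main__":
    print("flat /24 :", return_path(FLAT_LAN, CLIENT))   # on-link, bypasses the router
    print("/30 link :", return_path(P2P_LINK, CLIENT))   # via the router
```

In the flat table the connected and static entries have the same prefix length, so the tie goes to the lower-distance connected route and the static entry never takes effect, which is why adding it changed nothing; in the /30 table no connected prefix covers the client, so the default route through the router is the only match.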
Hi All
I tried more, but it did not work.
Therefore I moved the FTP server to the EDGE RTR.
Thanks very much for all the help.
Neko
Hi Neko,
Can you check if the Edge router supports ICMP redirect and, if so, enable it on the LAN interface? I think this will be the ideal fix for your issue.
You can find more details on ICMP redirect on https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/nx-os-software/213841-understanding-ic...