We have two LANs, one for the computers/printers/etc, and one that just contains our spam filter and mail server. We have two policies allowing traffic between the LANs on the required ports. NAT is enabled on both. When users go to check their email from LAN1, there's a 3 to 5 second delay before their client connects to the mail server on LAN2. This is a new FortiGate 100F that replaced an old firewall with a similar setup where they didn't have this issue. Any input on potential causes would be appreciated.
Did you check:
1: pcap from the client or server or both
2: are the DNS server(s) and the order of the DNS server entries 100% operational
3: did you run "diag debug flow"
4: And humor me on why you have NAT enabled on LAN to LAN traffic
If you get a pcap and assuming this is TCP, the total delay is really the SYN and the SYN-ACK reply, and I highly doubt the FortiGate is causing a 3-5 second delay. I'm betting your DNS server is slow or faulty or something DNS related.
Ken Felix
PCNSE
NSE
StrongSwan
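One way to act on the pcap advice above: split the observed delay into its DNS part and its TCP handshake part so you can see which one is eating the 3-5 seconds. This is an added example, not code from the thread or from Fortinet; it parses `tcpdump -tt -n` style text output, and the capture lines, addresses (RFC 5737 test ranges) and transaction ID below are constructed, not from a real capture.

```python
import re

# Constructed tcpdump -tt -n style lines: a query to the first DNS server gets no
# answer, the retry to the second server is answered ~2s later, then the IMAPS
# handshake itself completes in a couple of milliseconds.
SAMPLE_CAPTURE = """\
1714000000.000000 IP 192.0.2.10.51000 > 192.0.2.53.53: 4660+ A? mail.example.test. (35)
1714000002.000000 IP 192.0.2.10.51001 > 203.0.113.53.53: 4660+ A? mail.example.test. (35)
1714000002.030000 IP 203.0.113.53.53 > 192.0.2.10.51001: 4660 1/0/0 A 192.0.2.25 (51)
1714000002.050000 IP 192.0.2.10.54001 > 192.0.2.25.993: Flags [S], seq 100, win 64240, length 0
1714000002.052000 IP 192.0.2.25.993 > 192.0.2.10.54001: Flags [S.], seq 200, ack 101, win 65535, length 0
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
# DNS transaction id followed by optional tcpdump flag characters (+ * $ -)
DNS_RE = re.compile(r"^(?P<id>\d+)[+*$-]* ")

def analyze(capture):
    """Return (dns_delay, handshake): seconds from first DNS query to its answer,
    keyed by transaction id, and seconds from SYN to SYN-ACK, keyed by (client, server)."""
    dns_first, dns_delay = {}, {}
    syn_sent, handshake = {}, {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, rest = float(m["ts"]), m["src"], m["dst"], m["rest"]
        if rest.startswith("Flags [S],"):
            syn_sent[(src, dst)] = ts
        elif rest.startswith("Flags [S.],"):
            key = (dst, src)  # SYN-ACK flows server -> client
            if key in syn_sent:
                handshake[key] = ts - syn_sent[key]
        elif (d := DNS_RE.match(rest)):
            if "? " in rest:  # query, e.g. "4660+ A? mail..."; keep the first attempt's time
                dns_first.setdefault(d["id"], ts)
            elif d["id"] in dns_first:  # answer, e.g. "4660 1/0/0 A ..."
                dns_delay[d["id"]] = ts - dns_first[d["id"]]
    return dns_delay, handshake

def diagnose(capture):
    """Report the worst DNS and handshake delays and which one dominates."""
    dns_delay, handshake = analyze(capture)
    worst_dns = round(max(dns_delay.values(), default=0.0), 3)
    worst_hs = round(max(handshake.values(), default=0.0), 3)
    return {"dns_seconds": worst_dns, "handshake_seconds": worst_hs,
            "dominant": "dns" if worst_dns > worst_hs else "tcp"}

if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE))
```

With a real capture, feed it the output of `tcpdump -tt -n -r file.pcap 'port 53 or tcp[tcpflags] & (tcp-syn) != 0'`; a large `dns_seconds` with a small `handshake_seconds` points at the resolver order rather than the firewall.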
1: I'll have to talk to the on-site tech to do a pcap. I don't have outside access to their computers/servers
2: We have 2 DNS configured. Their DC is 1 and a public DNS is 2
3: No. Fortinet support had us run diagnose netlink interface list name on the ports for LAN1 and LAN2
4: NAT was enabled by default when we set the policies, and Fortinet support didn't say to turn it off even after being told it was still enabled