- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- No internet access for odd IP addresses
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No internet access for odd IP addresses
That might sound like I need to verify IP addresses, but that is not the case. I have an interesting problem that I need to address and was wondering if anyone had any insight or experience with this issue. We recently purchased a 100e to replace an old, and dying, ASA5510. The initial setup went smoothly and all traffic was flowing as expected.
I had to add a second, separate but similar, network for SFTP traffic. The IP scheme was close but not an exact match. This part also went smoothly.
I have recently been tasked with configuring a test network for training purposes. I went about the same process as I did adding in the second network, but ran into a small issue. Even numbered IP addresses can hit the internet, but odd numbered IP addresses are stopped at the firewall. For simplicity sake, I opened the ports up to all traffic but still get blocked when using an IP address that has a final octet that ends in an odd number. For example, X.X.X.132 will work, but X.X.X.45 will not work. All IP addresses can ping the firewall and internal communication is fine.
Any thoughts or insight would be appreciated.
Solved! Go to Solution.
Labels:
- Labels:
-
5.4
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
just run an "debug flow" to show us the processing of your traffic:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD33882
Please collect an debug flow of an even and one debug flow of an odd ip-address.
Regards
bommi
NSE 4/5/7
NSE 4/5/7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That sounds like you have WAN LLB configured.
You can additionally to "debug flow" use the internal sniffer to see where the traffic stops:
diag deb en
diag sniffer packet any 'icmp and host a.b.c.11' 4 0 a
You would expect to see the packet on 'internal' and then on 'wan1'. Repeat with an even-numbered host.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
just run an "debug flow" to show us the processing of your traffic:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD33882
Please collect an debug flow of an even and one debug flow of an odd ip-address.
Regards
bommi
NSE 4/5/7
NSE 4/5/7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That sounds like you have WAN LLB configured.
You can additionally to "debug flow" use the internal sniffer to see where the traffic stops:
diag deb en
diag sniffer packet any 'icmp and host a.b.c.11' 4 0 a
You would expect to see the packet on 'internal' and then on 'wan1'. Repeat with an even-numbered host.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you both for the recommendations! For some reason all odd numbered IPs were attempting to route through my secondary WAN interface rather than the primary. Turning that off instantly corrected the problem, just not necessarily with the desired configuration.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe some left-over from trying out LLB?
On the CLI, type "show full" and save the output into a file. Search for "WAN2" or "LLB" or the like.
LLB distributes sessions by looking at the source IP (one of the available choices). With only 2 WAN ports, you get the split into even and odd addresses.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did find some WAN2 information, but everything looked correct. It looks like I've been chasing my tail though as troubleshooting what I thought was a completely unrelated issue ended up correcting my problem. I had to run "diagnose firewall iprope flush", which cleared the other issue that I was having (couldn't ping between DMZ and LAN). Once I resolved that issue I went back, re-enabled the policies that I had disabled, re-ran the flush and had the access that I was expecting.
I did find it interesting that a problem that was apparently around in 2014 would still be an issue in a newer release. I'll just write this off as a learning experience and move on.
Thanks for the help!
Related Posts
- Issue with SD-WAN 40 Views
- Accessing SSL VPN addresses from a... 58 Views
- NO internet connection when using static... 846 Views
- Fortigates with PPPoE WAN suddenly need... 350 Views
- Help setting up internet access for... 186 Views
Labels
-
FortiGate
6,557 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
565 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
266 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
IP address management - IPAM
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
Traffic shaping policy
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiDB
3 -
Port policy
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
TACACS
1 -
4.0MR1
1 -
Schedule
1 -
Users
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Web rating
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Multicast routing
1 -
Email filter profile
1 -
Zone
1 -
Internet Service Database
1 -
Explicit proxy
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.