Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
peterk2020
New Contributor

Ping works from host A to B but no https

I recently replaced network switches in location A.  After that, I'm having a weird issue.  vCenter in location B can't connect to hosts in location A.  I can ping the hosts from B to A.  I used to https directly to those hosts and it worked.  Now, I get a timeout.  I ran packet capture from a Fortigate FW that's in front of hosts in A.  The following is what I got.  

17.707177 192.168.150.75.49443 -> 10.0.31.161.443: syn 1184427505
17.707199 192.168.150.75.49443 -> 10.0.31.161.443: syn 1184427505
17.707201 192.168.150.75.49443 -> 10.0.31.161.443: syn 1184427505
17.707202 192.168.150.75.49443 -> 10.0.31.161.443: syn 1184427505
17.707500 10.0.31.161.443 -> 192.168.150.75.49443: syn 3833218006 ack 1184427506
17.707509 10.0.31.161.443 -> 192.168.150.75.49443: syn 3833218006 ack 1184427506
17.707510 10.0.31.161.443 -> 192.168.150.75.49443: syn 3833218006 ack 1184427506
17.707511 10.0.31.161.443 -> 192.168.150.75.49443: syn 3833218006 ack 1184427506
17.712783 192.168.150.75.49443 -> 10.0.31.161.443: ack 3833218007
17.712788 192.168.150.75.49443 -> 10.0.31.161.443: ack 3833218007
17.712788 192.168.150.75.49443 -> 10.0.31.161.443: ack 3833218007
17.712789 192.168.150.75.49443 -> 10.0.31.161.443: ack 3833218007
17.713157 192.168.150.75.49443 -> 10.0.31.161.443: psh 1184427506 ack 3833218007
17.713160 192.168.150.75.49443 -> 10.0.31.161.443: psh 1184427506 ack 3833218007
17.713161 192.168.150.75.49443 -> 10.0.31.161.443: psh 1184427506 ack 3833218007
17.713162 192.168.150.75.49443 -> 10.0.31.161.443: psh 1184427506 ack 3833218007
17.714042 10.0.31.161.27656 -> 172.21.1.14.514: udp 196
17.720952 10.0.31.161.443 -> 192.168.150.75.49443: 3833218007 ack 1184428023
17.720958 10.0.31.161.443 -> 192.168.150.75.49443: 3833218007 ack 1184428023
17.720959 10.0.31.161.443 -> 192.168.150.75.49443: 3833218007 ack 1184428023
17.720960 10.0.31.161.443 -> 192.168.150.75.49443: 3833218007 ack 1184428023
17.720962 10.0.31.161.443 -> 192.168.150.75.49443: psh 3833219467 ack 1184428023
17.720965 10.0.31.161.443 -> 192.168.150.75.49443: psh 3833219467 ack 1184428023
17.720965 10.0.31.161.443 -> 192.168.150.75.49443: psh 3833219467 ack 1184428023
17.720966 10.0.31.161.443 -> 192.168.150.75.49443: psh 3833219467 ack 1184428023
17.726126 192.168.150.75.49443 -> 10.0.31.161.443: ack 3833218007
17.726129 192.168.150.75.49443 -> 10.0.31.161.443: ack 3833218007
17.726130 192.168.150.75.49443 -> 10.0.31.161.443: ack 3833218007
17.726130 192.168.150.75.49443 -> 10.0.31.161.443: ack 3833218007
17.737490 192.168.150.75.49447 -> 10.0.31.161.443: syn 1227299052
17.737502 192.168.150.75.49447 -> 10.0.31.161.443: syn 1227299052
17.737503 192.168.150.75.49447 -> 10.0.31.161.443: syn 1227299052
17.737503 192.168.150.75.49447 -> 10.0.31.161.443: syn 1227299052
17.737770 10.0.31.161.443 -> 192.168.150.75.49447: syn 3908853215 ack 1227299053
17.737775 10.0.31.161.443 -> 192.168.150.75.49447: syn 3908853215 ack 1227299053
17.737776 10.0.31.161.443 -> 192.168.150.75.49447: syn 3908853215 ack 1227299053
17.737776 10.0.31.161.443 -> 192.168.150.75.49447: syn 3908853215 ack 1227299053 

 

And also, I see "server-rst" messages on the Fortigate FW in location A.  One thing I notice, "https" to those hosts works only within the same location.  That's the weird thing.  All FW rules are there to allow.  It looks like it doesn't work when the "https" traffic passes the FW.  Can a certificate be an issue?  I'm not sure if I make any sense.  

 

I spent hours troubleshooting on this.  I can't think of anything anymore.  I'll really appreciate any suggestions.  Let me know if you need anything else.  Thank you in advance.

 

 

1 REPLY 1
Toshi_Esumi
Esteemed Contributor III

Not sure exact command line you used for sniffing. But you might have used "any" that causes duplicates in the output when a packet traverses through multiple interfaces from ingress to egress.

 

In your situation it would be much easier if you run Wireshark on the HTTPS server side (A) and the client side (B), then compare the result between them. That would give you some idea what might be happening in-between them.

 

My wild guess is something to do with PMTU change after switch changes. Then either or both sides might not be getting the entire packets.

 

Toshi

 

Labels
Top Kudoed Authors