Please help. Strangest thing ever...
Hi all,
I have a LAN connected to the internet using a FortiGate 60D.
Clients get an IP address from DHCP in the scope 192.168.1.101-130.
When a client gets an odd IP (e.g. 192.168.1.101, 192.168.1.103, 192.168.1.105, etc.) they can connect to the internet without any problem.
When a client gets an even IP (e.g. 192.168.1.102, 192.168.1.104, 192.168.1.106, etc.) they can NOT connect to the internet. Their DHCP lease looks fine: they get a default gateway and all other configuration, and they can access the LAN, but for some reason the FortiGate blocks them from going on the Internet. They can ping the default gateway but not any hop behind it.
As a temporary solution I excluded all even numbers from the scope.
Any ideas of what can cause this behavior?
Labels: FortiGate
Hi ShahafCZ,
Cross-check whether the even IPs show the same behavior if you statically assign such an IP.
Then ping an external source; if that also fails, do a policy lookup (CLI preferred) to see what is happening.
diag debug console timestamp enable
diag debug flow filter proto 1
diag debug flow filter addr <dst addr>
diag debug flow show iprope enable
diag debug enable
diag debug flow trace start 4
It will trace 4 ICMP packets to <dst addr>, and the first fresh session will show information about the source and destination interface for the routing decision as well as the policy match. Do a fresh ping to the destination and see if those lines make sense to you.
Best regards,
Markus
Thanks Markus.
A statically assigned IP acts the same.
The security policy allows the whole 192.168.1.0 network to access the internet regardless of the client's specific IP.
I will try the diag CLI and report back.
Cheers.
It sounds like you have load balancing turned on. The traffic is being load balanced between a good interface and one that you do not intend for it to use. This issue was seen by another community member, and they found they had their secondary WAN interface set up but it was not usable.
Created on 11-22-2021 07:25 AM Edited on 11-22-2021 07:27 AM
That makes a lot of sense. I do have two WAN connections, but one of them is not connected to the Internet.
How do I get rid of it?
When I go to WAN Link Load Balancing it seems to have nothing configured....
Could you post the output of the following command:
# get router info routing-table all
I guess this is the line we are looking for:
S*      0.0.0.0/0 [5/0] via <ipA>, ppp1
                  [5/0] via <ipB>, ppp2
When I go to Static Routes on the Web Interface I do not see any static route going to the internet.
Do you have two PPPoE configurations on two different ports? What is your WAN setup link?
It seems you have an ECMP condition (https://en.wikipedia.org/wiki/Equal-cost_multi-path_routing) and the FG will try to load-balance the traffic between the two connections (ppp1 and ppp2). A load-balancing algorithm is used to decide which path the traffic goes through; check the default one (https://docs.fortinet.com/document/fortigate/6.2.9/cookbook/25967/equal-cost-multi-path). The default static route is automatically added after the PPP connection is up. It seems that maybe one of your PPP connections has issues.
To avoid load balancing, you can alter the distance/priority of the default route that is injected into the routing table, either in the GUI or in the CLI under the interface configuration.
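As an added example that is not part of this thread, here is a small Python helper that does the two things the replies above describe by hand: it parses the output of `get router info routing-table all` and reports whether the default route has two next hops at the same distance/metric (the ECMP condition diagnosed from the `S* 0.0.0.0/0` lines), and it builds the `config system interface` distance change that stops one path from competing. The routing-table text, the addresses and the interface name `wan2` are constructed assumptions; the FortiOS CLI syntax is what I expect on a FortiGate but is not quoted from this thread.

```python
import re
from collections import defaultdict

# Constructed sample of `get router info routing-table all` output (not from the
# thread). Addresses are documentation ranges; ppp1/ppp2 match the thread.
SAMPLE_ROUTING_TABLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [5/0] via 203.0.113.1, ppp1
                  [5/0] via 198.51.100.1, ppp2
C       192.168.1.0/24 is directly connected, internal
C       203.0.113.1/32 is directly connected, ppp1
C       198.51.100.1/32 is directly connected, ppp2
"""

# Constructed sample of the same table after the ppp2 default route has been
# given a worse distance: only one active path remains for 0.0.0.0/0.
SAMPLE_AFTER_FIX = """\
S*      0.0.0.0/0 [5/0] via 203.0.113.1, ppp1
C       192.168.1.0/24 is directly connected, internal
"""

# A route line starts with a route code (S, C, S*, ...) followed by a prefix.
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Z]{1,2}\*?)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s*(?P<rest>.*)$"
)
# "[distance/metric] via gateway, interface" for each next hop.
NEXTHOP = re.compile(
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<gateway>\S+),\s+(?P<iface>\S+)"
)
CONNECTED = re.compile(r"is directly connected,\s+(?P<iface>\S+)")


def parse_routing_table(text):
    """Return {prefix: [(distance, metric, gateway, iface), ...]}.

    Indented continuation lines carry no prefix and belong to the most
    recent route, which is how FortiOS prints additional ECMP next hops.
    """
    routes = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            current = m.group("prefix")
            rest = m.group("rest")
        elif current and line[:1].isspace():
            rest = line.strip()
        else:
            continue  # legend lines before the first route
        hop = NEXTHOP.search(rest)
        if hop:
            routes[current].append((int(hop.group("distance")), int(hop.group("metric")),
                                    hop.group("gateway"), hop.group("iface")))
            continue
        conn = CONNECTED.search(rest)
        if conn:
            routes[current].append((0, 0, None, conn.group("iface")))
    return dict(routes)


def ecmp_paths(routes, prefix="0.0.0.0/0"):
    """Return the active next hops of `prefix` when it is ECMP (two or more
    hops sharing the best distance/metric), otherwise an empty list."""
    hops = routes.get(prefix, [])
    if not hops:
        return []
    best = min((d, m) for d, m, _, _ in hops)
    active = [h for h in hops if (h[0], h[1]) == best]
    return active if len(active) > 1 else []


def demote_interface_cli(iface, distance=10):
    """Build the FortiOS CLI (assumed syntax, not quoted from the thread) that
    raises the distance of the default route a PPPoE/DHCP interface injects,
    so the other WAN path wins and the route stops being ECMP."""
    return "\n".join([
        "config system interface",
        f'    edit "{iface}"',
        f"        set distance {distance}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_ROUTING_TABLE)
    for d, m, gw, iface in ecmp_paths(table):
        print(f"ECMP default route: [{d}/{m}] via {gw} on {iface}")
    print(demote_interface_cli("wan2"))
```

Run it against a pasted routing table and it lists every next hop that is currently sharing the default route; after applying the distance change, re-run it and the ECMP report should be empty, which is the same check the thread's final "changed the interface distance" reply performed by hand.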
Thanks a lot!
I've changed the wrong interface's distance and it is working now.
pciurea, GDiFi - you are both life-savers.