- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Policy LAN-to-LAN does not work
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Policy LAN-to-LAN does not work
Hi Gurus,
I have problem in my rules from LAN (private IP) to LAN (public IP)/(private IP). My FG-1500D has 4 ports used, single VDOM, FOS 5.2.2 (GA).
port26 - connected to ISP
port22 - connected to 103.x.x.x/25
port23 - connected to 172.27.18.0/24
port34 - create some vlans, i.e 172.27.1.0/24, 172.27.2.0/24, etc
I have static route to internet, via port26. I have all routing for all ip subnet and ports in monitor, and look works correctly. I have policies:
1. from all ports to port26, its working properly
2. from port26 to port22, its working properly
3. from port34 (vlans) to port22, it DOES NOT work
4. from port34 (vans) to port23, it DOES NOT work
5. from port23 to port22, it DOES NOT work
I need some advises to solve this problem..
Many thanks,
Regards,
Daniel
Regards,
Daniel
Regards,
Daniel
24 REPLIES 24
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I also 2nd the diag debug flow but also ensure if your using DHCP dynamic that you gave the right next-hop gateway out to your clients in the lans that don't work. But it seems like your problem are all 802.1q tagged subinterfaces so I'm guessing you should start at layer2. So have you ensured these are are correct configured in the layer2 setup and switch?
Can a host in the vlanXXX ping the fortigate L3 interface address in vlanXXX ( ensure allowacces ping is enabled )?
Can you source a ping from the fgt using the L3 subinterface address on vlanXXX and ping the outh lans or private/public ip
e.g
execute ping-option source x.x.x.x
execute ping y.y.y.y ( with y.y.y.y being an address on internet or another interface )
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:I also 2nd the diag debug flow but also ensure if your using DHCP dynamic that you gave the right next-hop gateway out to your clients in the lans that don't work. But it seems like your problem are all 802.1q tagged subinterfaces so I'm guessing you should start at layer2. So have you ensured these are are correct configured in the layer2 setup and switch?
Can a host in the vlanXXX ping the fortigate L3 interface address in vlanXXX ( ensure allowacces ping is enabled )?
Can you source a ping from the fgt using the L3 subinterface address on vlanXXX and ping the outh lans or private/public ip
e.g
execute ping-option source x.x.x.x
execute ping y.y.y.y ( with y.y.y.y being an address on internet or another interface )
Hi,
Yes, I am using DHCP for wifi clients. And create some vlans in port34, each vlan has its ip address act as gateway for the lan.
I can't get the result from:
execute ping-option source 172.27.25.1
execute ping 8.8.8.8 ( with y.y.y.y being an address on internet or another interface )
BUT my clients on that subnet can access internet normally, just cannot access to port22 and port23..
I have a good news, from now I can traceroute to subnet 103.x.x.0/25 lay on port22 and also ping.
for the other port23, its 172.27.18.0/24 still cannot reach from vlans in port34..
regards,
Daniel
Regards,
Daniel
Regards,
Daniel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
msg="DNAT 103.229.203.2:40048->172.27.212.100:40048"
Firewall is doing destination nat that means there is vip configured for 103.229.203.2.
Please check the vip configuration if this is created by mistake.
Also have you set the interface as any for vip.
If you delete the vip the traffic should work.
Post the vip configuration if you need help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
2015-02-19 05:49:38 id=20085 trace_id=281 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.25.81:1->172.27.18.102:8) from vlan_26_puskom. code=8, type=0, id=1, seq=3188." 2015-02-19 05:49:38 id=20085 trace_id=281 func=init_ip_session_common line=4522 msg="allocate a new session-006986f1" 2015-02-19 05:49:38 id=20085 trace_id=281 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.27.18.102 via vlan_19_server" 2015-02-19 05:49:38 id=20085 trace_id=281 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 0)"
If this is the packet than check the following:
1)Do you have policy between vlan_26_puskom and vlan_19_server?
2) Is the service set to All (check if all has protocol any, not only tcp)
3) Is the incoming and outgoing interface correct as per design
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ashukla wrote:2015-02-19 05:49:38 id=20085 trace_id=281 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.25.81:1->172.27.18.102:8) from vlan_26_puskom. code=8, type=0, id=1, seq=3188." 2015-02-19 05:49:38 id=20085 trace_id=281 func=init_ip_session_common line=4522 msg="allocate a new session-006986f1" 2015-02-19 05:49:38 id=20085 trace_id=281 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-172.27.18.102 via vlan_19_server" 2015-02-19 05:49:38 id=20085 trace_id=281 func=fw_forward_handler line=545 msg="Denied by forward policy check (policy 0)"
If this is the packet than check the following:
1)Do you have policy between vlan_26_puskom and vlan_19_server?
2) Is the service set to All (check if all has protocol any, not only tcp)
3) Is the incoming and outgoing interface correct as per design
Hi Ashukla,
I'm sorry forgot to change the policy. Last night I change the port type from physical type (port23) become vlan type (vlan_19_server) on port23, but not change the policy. Now, I can reach those area (vlan_19_server, servers in 172.27.18.0/24).
But, I still have question about policy "from ANY to port22". Since first time create this policy, it does not work. When tracing to servers in this area (connected to port22), always redirect to internet (port26). But last night when I come to site and test the connection.., it works.
Thank you for your response..., also thanks to all of you that response to my case.
By now, my cases are solve.
Regards,
Daniel
Regards,
Daniel
Regards,
Daniel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Daniel,
That could be due to the existing session on the Fortigate. Clearing the session before testing might have helped to confirm the behavior.
Cheers
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have problem accessing port22, some IP address accessible but some can not reach. I can ping from FGT's interface to the servers. But only some IP response from other side (LAN). Here is the capture from debug..
2015-02-20 19:15:29 id=20085 trace_id=453 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.219.254:34075->103.229.202.78:8) from vlan_staf_aruba. code=8, type=0, id=34075, seq=16." 2015-02-20 19:15:29 id=20085 trace_id=453 func=init_ip_session_common line=4522 msg="allocate a new session-0214e4ad" 2015-02-20 19:15:29 id=20085 trace_id=453 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Need your help ASAP.. thank you.
Daniel
Regards,
Daniel
Regards,
Daniel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
teri.ireng wrote:Hi,
I have problem accessing port22, some IP address accessible but some can not reach. I can ping from FGT's interface to the servers. But only some IP response from other side (LAN). Here is the capture from debug..
2015-02-20 19:15:29 id=20085 trace_id=453 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.219.254:34075->103.229.202.78:8) from vlan_staf_aruba. code=8, type=0, id=34075, seq=16." 2015-02-20 19:15:29 id=20085 trace_id=453 func=init_ip_session_common line=4522 msg="allocate a new session-0214e4ad" 2015-02-20 19:15:29 id=20085 trace_id=453 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Need your help ASAP.. thank you.
Daniel
Check if you have any ip-pool configured for ip 103.229.202.78.
Check if ip-pool range contains this ip and if so remove it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ashukla wrote:teri.ireng wrote:Hi,
I have problem accessing port22, some IP address accessible but some can not reach. I can ping from FGT's interface to the servers. But only some IP response from other side (LAN). Here is the capture from debug..
2015-02-20 19:15:29 id=20085 trace_id=453 func=print_pkt_detail line=4373 msg="vd-root received a packet(proto=1, 172.27.219.254:34075->103.229.202.78:8) from vlan_staf_aruba. code=8, type=0, id=34075, seq=16." 2015-02-20 19:15:29 id=20085 trace_id=453 func=init_ip_session_common line=4522 msg="allocate a new session-0214e4ad" 2015-02-20 19:15:29 id=20085 trace_id=453 func=fw_local_in_handler line=382 msg="iprope_in_check() check failed on policy 0, drop"
Need your help ASAP.. thank you.
Daniel
Check if you have any ip-pool configured for ip 103.229.202.78.
Check if ip-pool range contains this ip and if so remove it.
Hi,
Yes I have those ip-pool, its mistypo should be .203.78
It solved the problem.
Thank you.
Daniel
Regards,
Daniel
Regards,
Daniel
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Transparent VLAN between Fortigate port and... 118 Views
- Site to Site IP Sec with... 89 Views
- win11 + fortiToken + forticlient VPN 232 Views
- Adding FortiGate to FortiManager in EVE-NG 142 Views
- Fortiswitch NAC user policy identification 133 Views
Labels
-
FortiGate
7,170 -
FortiClient
1,416 -
5.2
801 -
5.4
639 -
FortiManager
621 -
FortiAnalyzer
457 -
6.0
416 -
FortiAP
376 -
FortiSwitch
375 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
108 -
SSL-VPN
105 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
21 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Routing
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiLink
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
SSL SSH inspection
11 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1067 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.