Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RichyRoss
New Contributor III

Port being blocked?

Hi All, 

 

CCTV Company is attempting to gain access to their equipment on port 10000 on a public IP on site, however they are telling me port 10000 is blocked.

 

I have an allow any any with no services specified on the Fortigate so it should be passing through. It does work on port 554 however, and I can telnet on port 554 from the Fortigate which shows as open, but not on 10000, and the CCTV company have informed me their device is 100% listening on port 10000 etc.


When I ran a debug I got the below: -

 

Elite_Brenntag_Lutte~4JA # execute telnet 88.202.173.10 10000
Trying 88.202.173.10...
id=65308 trace_id=1 func=print_pkt_detail line=5868 msg="vd-root:1 received a packet(proto=6, 88.202.173.9:18559->88.202.173.10:10000) tun_id=0.0.0.0 from local. flag [S], seq 168818775, ack 0, win 65535"
id=65308 trace_id=1 func=init_ip_session_common line=6049 msg="allocate a new session-017937de, tun_id=0.0.0.0"
id=65308 trace_id=2 func=print_pkt_detail line=5868 msg="vd-root:1 received a packet(proto=6, 88.202.173.10:10000->88.202.173.9:18559) tun_id=0.0.0.0 from lan. flag [R.], seq 0, ack 168818776, win 0"
id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5956 msg="Find an existing session, id-017937de, reply direction"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-88.202.173.9 via root"
Failed to connect to specified unit.

 

 

Any ideas or suggestions please?

 

Thanks,

Rich

1 Solution
abarushka
Staff
Staff

Hello Rich,

 

Based on the provided debug flow I can see that device is sending RESET packet instead of SYN ACK packet.

 

id=65308 trace_id=2 func=print_pkt_detail line=5868 msg="vd-root:1 received a packet(proto=6, 88.202.173.10:10000->88.202.173.9:18559) tun_id=0.0.0.0 from lan. flag [R.], seq 0, ack 168818776, win 0"

FortiGate

View solution in original post

4 REPLIES 4
abarushka
Staff
Staff

Hello Rich,

 

Based on the provided debug flow I can see that device is sending RESET packet instead of SYN ACK packet.

 

id=65308 trace_id=2 func=print_pkt_detail line=5868 msg="vd-root:1 received a packet(proto=6, 88.202.173.10:10000->88.202.173.9:18559) tun_id=0.0.0.0 from lan. flag [R.], seq 0, ack 168818776, win 0"

FortiGate
RichyRoss
New Contributor III

Hello, 

 

That's brilliant thanks for the quick reply.

Assuming therefore it has to be an issue on the device sitting on 88.202.173.10?

 

Thanks, 

 

abarushka

Hello Rich,

 

I would recommend to check the device 88.202.173.10 or (if applicable) another firewall between FortiGate and 88.202.173.10 which is sending REST ACK instead of SYN ACK. FortiGate should receive flag [S.] from 88.202.173.10 instead of [R.] (debug flow).

FortiGate
TXMAULER

Can you put this in "I eat crayons" terms?
Are you saying the Fortinet is having issues resolving sync with the Modem from ISP?
Or Sync with Network device ie, cameras? 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors