Possible Routing Problem, need help, FortiGate 30E OS: 5.6.3, Router/NAT mode

Question

Hello,

I need some help with a weird problem...

I have a customer, we need to separate his network into different zones behind a FortiGate 30E (OS: 5.6.3, Router Mode).

Please see attached file for the actual network structure.

There's this 192.168.0.0/24 network right behind the ASUS DSL-AC68U Internet Router. And, by now 2 networks behind the FortiGate.

I've configured some static route on the router and also one static route on the FG directing traffic to the router as standard gateway to I-Net.

But now there seems to be a problem:

In inconstant time intervals the clients still in 192.168.0.0/24 network have problems to connect to I-Net targets and also to targets behind the firewall. The internet connection itself is still online and after a few seconds the clients are able to connect. But connecting to targets behind the firewall does not work.

Some examples:

Pinging from laptop (wifi) to PBX (192.168.2.1) will not work, when using tracert to this target, the first two packets are dropped, the third works and target is reached. But the softphone client is not able to connect to PBX via SSL or XMPP (VOIP unable to say).

Some devices (LAN cable connected) having drop outs within the internet connection and are not connecting to other internal systems.

Sometimes I cannot connect to internal (192.168.0.0/24) devices from laptop or smartphone while in the same network but connected via wifi.

I'm almost sure that there's a routing problem.

I do not have routing protocols configured but only static routes. (at least I dont think there are any routing protocols in place).

Does one see any mistakes in this configuration?

What could I do to debug this issue?

Any hints what to try on firewall, router, clients?

Regards

Olaf

okoester · Answer

Hi,

while trying to debug this problem, it turned out that this does not seem to be a routing problem.

I tried to trace the issue with wireshark from my client and it turnes ot that there are MANY retransmissions bewteen my client and the PBX behind the firewall. (192.168.0.112 = client, 192.168.3.1 = PBX)

When connecting the PBX directly to the same network segment withot the FG, the numer of retransmissions decreases significantly. So from my understanding the FG produces the issue...

But how can I figure out which setting might cause this?

I can see this retransmissions also on FG:

FGT30E3Uxxxxxxxx # diag sniffer packet any 'host 192.168.3.1 and host 192.168.0.112 and tcp port 5222' 4 30 interfaces=[any] filters=[host 192.168.3.1 and host 192.168.0.112 and tcp port 5222] 13.620620 wan in 192.168.0.112.58918 -> 192.168.3.1.5222: syn 2586665226 13.620690 LAN-T out 192.168.0.112.58918 -> 192.168.3.1.5222: syn 2586665226 13.620695 eth0 out 192.168.0.112.58918 -> 192.168.3.1.5222: syn 2586665226 [style="background-color: #ffff00;"]13.621053 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]13.621086 wan out 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]14.660829 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]14.660846 wan out 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] 15.060844 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58914: syn 788604522 ack 1217696550 [style="background-color: #ffff00;"]16.860887 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]16.860905 wan out 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]21.060970 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]21.060985 wan out 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]29.061144 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]29.061163 wan out 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] 43.623234 wan in 192.168.0.112.58922 -> 192.168.3.1.5222: syn 4184245480 43.623295 LAN-T out 192.168.0.112.58922 -> 192.168.3.1.5222: syn 4184245480 43.623300 eth0 out 192.168.0.112.58922 -> 192.168.3.1.5222: syn 4184245480 43.623697 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 43.623729 wan out 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 45.061484 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 45.061501 wan out 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 45.061507 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227 47.061533 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 47.061553 wan out 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 51.461626 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 51.461643 wan out 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 ^C 27 packets received by filter 0 packets dropped by kernel As mentioned earlier, NAT is not enabled and is not an option. I don't want to mess around with port forwardings on a internal device if it ist not really necessary... ;-)

Any help is really appreciated...

Regards and a merry christmas

Olaf

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded