Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Possible Routing Problem, need help, FortiGate 30E...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Possible Routing Problem, need help, FortiGate 30E OS: 5.6.3, Router/NAT mode
Hello,
I need some help with a weird problem...
I have a customer, we need to separate his network into different zones behind a FortiGate 30E (OS: 5.6.3, Router Mode).
Please see attached file for the actual network structure.
There's this 192.168.0.0/24 network right behind the ASUS DSL-AC68U Internet Router. And, by now 2 networks behind the FortiGate.
I've configured some static route on the router and also one static route on the FG directing traffic to the router as standard gateway to I-Net.
But now there seems to be a problem:
In inconstant time intervals the clients still in 192.168.0.0/24 network have problems to connect to I-Net targets and also to targets behind the firewall. The internet connection itself is still online and after a few seconds the clients are able to connect. But connecting to targets behind the firewall does not work.
Some examples:
Pinging from laptop (wifi) to PBX (192.168.2.1) will not work, when using tracert to this target, the first two packets are dropped, the third works and target is reached. But the softphone client is not able to connect to PBX via SSL or XMPP (VOIP unable to say).
Some devices (LAN cable connected) having drop outs within the internet connection and are not connecting to other internal systems.
Sometimes I cannot connect to internal (192.168.0.0/24) devices from laptop or smartphone while in the same network but connected via wifi.
I'm almost sure that there's a routing problem.
I do not have routing protocols configured but only static routes. (at least I dont think there are any routing protocols in place).
Does one see any mistakes in this configuration?
What could I do to debug this issue?
Any hints what to try on firewall, router, clients?
Regards
Olaf
---
Olaf Köster
8S IT-Sicherheit e.K.
+49 2641 903 423
Several FortiGate 30E in place
---
Olaf Köster
8S IT-Sicherheit e.K.
+49 2641 903 423
info@8s-itsicherheit.com
Several FortiGate 30E in place
Labels:
- Labels:
-
5.6
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
while trying to debug this problem, it turned out that this does not seem to be a routing problem.
I tried to trace the issue with wireshark from my client and it turnes ot that there are MANY retransmissions bewteen my client and the PBX behind the firewall. (192.168.0.112 = client, 192.168.3.1 = PBX)
When connecting the PBX directly to the same network segment withot the FG, the numer of retransmissions decreases significantly. So from my understanding the FG produces the issue...
But how can I figure out which setting might cause this?
I can see this retransmissions also on FG:
FGT30E3Uxxxxxxxx # diag sniffer packet any 'host 192.168.3.1 and host 192.168.0.112 and tcp port 5222' 4 30 interfaces=[any] filters=[host 192.168.3.1 and host 192.168.0.112 and tcp port 5222] 13.620620 wan in 192.168.0.112.58918 -> 192.168.3.1.5222: syn 2586665226 13.620690 LAN-T out 192.168.0.112.58918 -> 192.168.3.1.5222: syn 2586665226 13.620695 eth0 out 192.168.0.112.58918 -> 192.168.3.1.5222: syn 2586665226 [style="background-color: #ffff00;"]13.621053 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]13.621086 wan out 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]14.660829 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]14.660846 wan out 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] 15.060844 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58914: syn 788604522 ack 1217696550 [style="background-color: #ffff00;"]16.860887 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]16.860905 wan out 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]21.060970 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]21.060985 wan out 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]29.061144 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] [style="background-color: #ffff00;"]29.061163 wan out 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227[/style] 43.623234 wan in 192.168.0.112.58922 -> 192.168.3.1.5222: syn 4184245480 43.623295 LAN-T out 192.168.0.112.58922 -> 192.168.3.1.5222: syn 4184245480 43.623300 eth0 out 192.168.0.112.58922 -> 192.168.3.1.5222: syn 4184245480 43.623697 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 43.623729 wan out 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 45.061484 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 45.061501 wan out 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 45.061507 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58918: syn 668737939 ack 2586665227 47.061533 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 47.061553 wan out 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 51.461626 LAN-T in 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 51.461643 wan out 192.168.3.1.5222 -> 192.168.0.112.58922: syn 3440653921 ack 4184245481 ^C 27 packets received by filter 0 packets dropped by kernel As mentioned earlier, NAT is not enabled and is not an option. I don't want to mess around with port forwardings on a internal device if it ist not really necessary... ;-)
Any help is really appreciated...
Regards and a merry christmas
Olaf
---
Olaf Köster
8S IT-Sicherheit e.K.
+49 2641 903 423
Several FortiGate 30E in place
---
Olaf Köster
8S IT-Sicherheit e.K.
+49 2641 903 423
info@8s-itsicherheit.com
Several FortiGate 30E in place
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Disabling a policy on Fortigate 4401F... 171 Views
- Cannot ping to SSL clients 88 Views
- Phone reset or lost cannot activate... 69 Views
- Fortigate ssl-vpn portal "Enabled for Trusted... 61 Views
- FortiGate VPN IPSec Tx Error 113 Views
Labels
-
FortiGate
8,391 -
FortiClient
1,697 -
5.2
801 -
FortiManager
709 -
5.4
639 -
FortiAnalyzer
539 -
FortiSwitch
455 -
FortiAP
451 -
6.0
416 -
FortiClient EMS
398 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
210 -
5.0
196 -
FortiWeb
196 -
IPsec
180 -
FortiNAC
173 -
FortiGuard
133 -
6.4
128 -
SD-WAN
107 -
FortiGateCloud
100 -
FortiSIEM
98 -
FortiCloud Products
95 -
FortiToken
89 -
FortiAuthenticator
82 -
Customer Service
77 -
Wireless Controller
76 -
Firewall policy
69 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
52 -
High Availability
51 -
Fortivoice
50 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
LDAP
38 -
BGP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Authentication
31 -
Interface
31 -
NAT
30 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Logging
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
FortiPAM
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
System settings
13 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Traffic shaping policy
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Email filter profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1640 | |
| 1069 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.