Hi all!
I have a Fortigate 30E with multiples VLANs
Corpo = Vlan10
Printers = Vlan13
For testing puposes all services are allowed and all security profiles have been disabled
so the issue im having is intermittent printing from the print server... server says the printer is offline then print many minutes after (30min - 2hours).
when the error occur, i can ping the printer fine from the said server and nmap TCP scan show the ports open. BUT when the printing is not working, nmap UDP scans show ports : open | filtered
while it work, thoses same scans show : open
ive tried resetting printers, changing drivers, using LDP or RAW, disabling SNMP but nothing works
** when printer start working again, it work for at least 5mins without delay before the job start
the issue is with multiples printers from multiples brand & models
Wireshark on printer subnet show no traffic from the printServer
Fortigate : v6.2.11 build1303 (GA)
PrintServer : Windows 2022 (for testing, uninstalled AV & disabled firewall)
when putting the Print server on the same subnet, all is fine and there is no issue
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Anyone ?
Hello,
During the time of issue, can you collect these logs:
diag debug reset
diag debug flow filter clear
diag debug flow filter addr <printer-ip>
diag debug flow show function-name enable
diag debug flow trace start 10000
diag debug enable
Once you execute these commands you can disable debug by executing this command "diag debug disable"
# diag debug reset
# diag debug flow filter clear
# diag debug flow filter addr 192.168.20.204
# diag debug flow show function-name enable
show function name
# diag debug flow trace start 10000
# diag debug enable
FortiGateName # id=20085 trace_id=1 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2488->192.168.20.204:515) from Corpo. flag [S], seq 716594529, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5858 msg="allocate a new session-00a01f0d"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.20.204 via lan"
id=20085 trace_id=1 func=fw_forward_handler line=785 msg="Allowed by Policy-31:"
id=20085 trace_id=2 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2488->192.168.20.204:515) from Corpo. flag [S], seq 716594529, ack 0, win 64240"
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f0d, original direction"
id=20085 trace_id=3 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2488->192.168.20.204:515) from Corpo. flag [S], seq 716594529, ack 0, win 64240"
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f0d, original direction"
id=20085 trace_id=4 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2488->192.168.20.204:515) from Corpo. flag [S], seq 716594529, ack 0, win 64240"
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f0d, original direction"
id=20085 trace_id=5 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=5 func=init_ip_session_common line=5858 msg="allocate a new session-00a01f49"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.20.204 via lan"
id=20085 trace_id=5 func=fw_forward_handler line=785 msg="Allowed by Policy-31:"
id=20085 trace_id=6 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2488->192.168.20.204:515) from Corpo. flag [S], seq 716594529, ack 0, win 64240"
id=20085 trace_id=6 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f0d, original direction"
id=20085 trace_id=7 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=7 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=7 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=8 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2489->192.168.20.204:515) from Corpo. flag [S], seq 874848986, ack 0, win 64240"
id=20085 trace_id=8 func=init_ip_session_common line=5858 msg="allocate a new session-00a01fce"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.20.204 via lan"
id=20085 trace_id=8 func=fw_forward_handler line=785 msg="Allowed by Policy-31:"
id=20085 trace_id=9 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2489->192.168.20.204:515) from Corpo. flag [S], seq 874848986, ack 0, win 64240"
id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01fce, original direction"
id=20085 trace_id=10 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2489->192.168.20.204:515) from Corpo. flag [S], seq 874848986, ack 0, win 64240"
id=20085 trace_id=10 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01fce, original direction"
id=20085 trace_id=11 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2489->192.168.20.204:515) from Corpo. flag [S], seq 874848986, ack 0, win 64240"
id=20085 trace_id=11 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01fce, original direction"
id=20085 trace_id=12 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=12 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=12 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=13 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2489->192.168.20.204:515) from Corpo. flag [S], seq 874848986, ack 0, win 64240"
id=20085 trace_id=13 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01fce, original direction"
id=20085 trace_id=14 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2493->192.168.20.204:515) from Corpo. flag [S], seq 2134432123, ack 0, win 64240"
id=20085 trace_id=14 func=init_ip_session_common line=5858 msg="allocate a new session-00a020b8"
id=20085 trace_id=14 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.20.204 via lan"
id=20085 trace_id=14 func=fw_forward_handler line=785 msg="Allowed by Policy-31:"
id=20085 trace_id=15 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2493->192.168.20.204:515) from Corpo. flag [S], seq 2134432123, ack 0, win 64240"
id=20085 trace_id=15 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a020b8, original direction"
id=20085 trace_id=16 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=16 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=16 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=17 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2493->192.168.20.204:515) from Corpo. flag [S], seq 2134432123, ack 0, win 64240"
id=20085 trace_id=17 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a020b8, original direction"
id=20085 trace_id=18 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=18 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=19 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=19 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=20 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2493->192.168.20.204:515) from Corpo. flag [S], seq 2134432123, ack 0, win 64240"
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a020b8, original direction"
id=20085 trace_id=21 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=21 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=21 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=22 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=22 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=23 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=6, 10.25.25.244:2493->192.168.20.204:515) from Corpo. flag [S], seq 2134432123, ack 0, win 64240"
id=20085 trace_id=23 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a020b8, original direction"
id=20085 trace_id=24 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=24 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=24 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=25 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=25 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=25 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=26 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=26 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=26 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=27 func=print_pkt_detail line=5688 msg="vd-root:0 received a packet(proto=17, 10.25.25.244:53199->192.168.20.204:161) from Corpo. "
id=20085 trace_id=27 func=resolve_ip_tuple_fast line=5768 msg="Find an existing session, id-00a01f49, original direction"
id=20085 trace_id=27 func=ipv4_fast_cb line=53 msg="enter fast path"
I just did a router Pcap and see Retransmission
Pcap is from Printer interface
Not sure if it is the same issue, but I had similiar situation there. Helped me to create Policy between printers and servers with NAT enabled.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.