Matie
New Contributor

Problem with connection

Hello, can someone give me advice on why I cannot ping the router interface, and therefore the internet, from Linux?

Traceroute from Linux is useless -> no information 

I have a static default route (0.0.0.0/0) on the FortiGate pointing to 23.1.2.1. I have a policy from port3 to port2. And I have central SNAT from port3 to port2, where I translate to the outgoing interface address - no hit count.

When I try to diagnose, I see only echo requests and no echo reply. I don't know why. Any tip?

What is working is pinging from Linux to the FortiGate:

10.10.10.49/24 ping to 10.10.10.71/24 -> ok

10.10.10.49/24 ping to 23.1.2.71/24 -> ok - the policy takes that traffic, I see some bytes

10.10.10.49 ping to 23.1.2.1 -> not ok - the policy doesn't work, no more bytes

10.10.10.49 ping to 8.8.8.8 -> not ok

Also, ping from the FortiGate to the internet (8.8.8.8) is working:

FortiGate ping to 8.8.8.8 -> ok

Please help and bear with me. I am new to Fortinet.

Attachments:
Topology.jpg
Linux.jpg
Ping.jpg
Ping Fortigate to internet.jpg
Interfaces.jpg
Static route.jpg
Central SNAT.jpg
Policies.jpg
First diagnose with Policy.jpg
Second diagnose without policy.jpg
Third diagnose.jpg
Fourth diagnose.jpg
Fifth diagnose.jpg

akristof
Staff

Hi,

Can you rerun the debug flow with these two commands?

diag debug flow show func en

diag debug flow show iprope en

Adrian
Matie
New Contributor

Hi Adrian,

Can you please tell me exactly how I should type these commands, and in which queue? Please bear with me, because I am new to Fortinet. I have typed the commands like this; I don't know whether it is OK or not. Please check the output and let me know. Thank you.
Debug.jpg

akumarr

Hi Matie.

Please use the below-mentioned commands,

diag deb disable
diag deb reset
diag deb flow filter daddr x.x.x.x
diag deb flow filter proto 1
diag debug flow show iprope en
diag deb flow sh fun en
diag deb flow trace start 999
diag deb en


You can replace x.x.x.x with the destination IP; you can use any destination. I suggest you use 4.2.2.2. Also, please send only 2 or 3 packets and kindly avoid a continuous ping.



Best regards,
ARUNKUMAR.R.
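Added example, not from this thread and not Fortinet's code: a small Python script that groups the trace lines produced by the command sequence above by trace_id and pulls out the messages that answer the original question (which route was found, whether a policy allowed or denied the packet, whether SNAT was applied, and whether a reply-direction packet ever came back). The sample trace is constructed, and the message patterns are assumptions based on common FortiOS debug flow wording; adjust them if your version prints differently.

```python
"""Summarise FortiGate 'diag debug flow' trace output per trace_id.

Added example, not from the forum thread. It assumes the usual FortiOS
trace line shape  id=... trace_id=N func=... line=... msg="..."  and the
message strings matched below; exact wording varies between FortiOS
versions, so treat the regexes as assumptions to check against your output.
"""
import re
from collections import OrderedDict

# Constructed sample (not real captured output): trace 1 is an ICMP request
# that is routed, allowed and SNATed; trace 2 is its reply hitting the
# existing session; trace 3 is a request that matches no policy.
SAMPLE_TRACE = '''
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.10.10.49:1->8.8.8.8:2048) from port3. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5807 msg="allocate a new session-00000a1b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-23.1.2.1 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3372 msg="SNAT 10.10.10.49->23.1.2.71:60417"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 8.8.8.8:60417->23.1.2.71:0) from port2. type=0, code=0, id=60417, seq=1."
id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5715 msg="Find an existing session, id-00000a1b, reply direction"
id=20085 trace_id=2 func=__ip_session_run_tuple line=3386 msg="DNAT 23.1.2.71:0->10.10.10.49:1"
id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.10.10.49:1->23.1.2.1:2048) from port3. type=8, code=0, id=1, seq=1."
id=20085 trace_id=3 func=init_ip_session_common line=5807 msg="allocate a new session-00000a1c"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2581 msg="find a route: flag=00000000 gw-23.1.2.1 via port2"
id=20085 trace_id=3 func=fw_forward_handler line=771 msg="Denied by forward policy check (policy 0)"
'''

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<iface>\S+)\.')
ROUTE_RE = re.compile(r'find a route: flag=\S+ gw-(?P<gw>[\d.]+) via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<pol>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<pol>\d+)\)')
SNAT_RE = re.compile(r'^SNAT (?P<orig>[\d.]+)->(?P<new>[\d.]+):\d+')


def parse_trace(text):
    """Group trace lines by trace_id and record the decisions that matter."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # blank line or something that is not a trace line
        t = traces.setdefault(m.group('tid'), {
            'src': None, 'dst': None, 'in_iface': None, 'reply': False,
            'route_gw': None, 'route_iface': None, 'policy': None,
            'verdict': 'no policy decision logged', 'snat': None})
        msg = m.group('msg')
        if (p := PKT_RE.search(msg)):
            t['src'], t['dst'], t['in_iface'] = p.group('src'), p.group('dst'), p.group('iface')
        elif (r := ROUTE_RE.search(msg)):
            t['route_gw'], t['route_iface'] = r.group('gw'), r.group('iface')
        elif (a := ALLOW_RE.search(msg)):
            t['policy'], t['verdict'] = int(a.group('pol')), 'allowed'
        elif (d := DENY_RE.search(msg)):
            t['policy'], t['verdict'] = int(d.group('pol')), 'denied'
        elif (s := SNAT_RE.search(msg)):
            t['snat'] = (s.group('orig'), s.group('new'))
        elif 'reply direction' in msg:
            t['reply'] = True  # return packet matched the session created by the request
    return traces


def diagnose(text):
    """Return one human-readable summary line per trace_id."""
    out = []
    for tid, t in parse_trace(text).items():
        head = f"trace {tid}: {t['src']}->{t['dst']} in {t['in_iface']}"
        if t['reply']:
            out.append(head + ": reply matched existing session")
            continue
        line = head
        if t['route_iface']:
            line += f", routed via {t['route_iface']} gw {t['route_gw']}"
        line += f", {t['verdict']}"
        if t['policy'] is not None:
            line += f" (policy {t['policy']})"
        if t['snat']:
            line += f", SNAT {t['snat'][0]}->{t['snat'][1]}"
        out.append(line)
    return out


if __name__ == '__main__':
    print('\n'.join(diagnose(SAMPLE_TRACE)))
```

Two things to read off the summary: "policy 0" in a deny message is the implicit deny, meaning no firewall policy matched the packet at all, so the policy's source/destination/interface/service selection is the first thing to recheck; and a request trace with no matching reply-direction trace means the FortiGate forwarded the packet but nothing came back on the outgoing interface, which points at the upstream device (or its return route for the SNAT address) rather than at the FortiGate itself.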
Matie
New Contributor

Hi Arunkumar

I have issued the commands as you mentioned. This is the final output. I hope it helps. Please let me know what you see in this output; I hope there is an answer to my problem. Thank you.

Debug.jpg

akumarr

Dear Matie.

Could you please copy and paste the complete output/image.

Best regards,
ARUNKUMAR.R.
akristof

This might be a silly question, but can you share with me the output of "show system settings"?

Adrian
Matie
New Contributor

I am sorry, I have never done debugs before. Here you can find the output of show system settings. The output of the previous commands is repeating. I made 3 pings. The second picture is the output of these commands. I am pinging from the Linux device.
System settings.jpg

Debug.jpg

Matie
New Contributor

I gave you the complete output. I am pinging from the Linux device. I have never done debugging on a FortiGate yet. I am like a Fortinet virgin :D. So please check the output of the commands you asked me to type and let me know if something is missing.

Matie
New Contributor

Hi Akumarr,

Can you please tell me why my output is so short? Why doesn't it display policies or NAT translation? I have configured policies and NAT. It looks like it shows only the static route. I don't understand why I don't see the other things. What should I do to configure it the right way? Thank you. I will send other outputs if you want; tell me what output you need.
