- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Problem with fortigate 30E and network printer
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem with fortigate 30E and network printer
Hi all,
Hope this is posted where it's supposed, I'm new in the forum and not so sure how it works.
Recently we changed our previous VPN structure (some old cisco devices) with FortiGate 30E and all was working perfectly till some printers stopped working.
The main server (windows 2012) can't ping the IP of the printers in few offices (we have the HQ in the subnet 1 and the offices are 2-5).
The other computers can ping correctly but they doesn't have those printers installed. The clients use RDP to access server and print from there.
It's like if when the tunnel goes off and on again when traffic starts again, the printer IP get stuck. If I go physically and change the IP of the printer to a number available (192.168.2.11 to 192.168.2.12) and install the printer it works again, but I cannot be doing this too often.
Any idea what is happening here?
Thank you in advance,
Neo.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Probably print sessions got stuck but let me verify the topology first. You have Fortigate30Es at HQ and remote locations and they're connected over VPNs (IPSec). Those printers are installed at each remote location but print servers are installed at the RDP terminal server (or maybe at another device at HQ) to do print jobs.
If this is correct then the problem happens only after the VPN connected to the location where the printer is and it comes back up, the print sessions are re-directed toward the next available route, likely the default route, then dies there because the printer's IP is in the private range.
It's not so often, you can clear the stuck session when VPN came back up manually to let a fresh session start. But a permanent solution is to block the private range (remote location subnets) from going toward the default route with a policy.
But first check the stacked session at HQ's FG. You can do like below while it's happening:
# diag sys session filter dst <PRINTER_IP>
# diag sys session list
Then you would get like below. This example is my ping session toward 8.8.8.8.
session info: proto=1 proto_state=00 duration=3 expire=59 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4 origin-shaper= reply-shaper= per_ip_shaper= ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=log may_dirty none statistic(bytes/packets/allow_err): org=240/4/1 reply=240/4/1 tuples=2 tx speed(Bps/kbps): 66/0 rx speed(Bps/kbps): 66/0 orgin->sink: org pre->post, reply pre->post dev=8->26/26->8 gwy=[INET_GW]/[MY_PC_IP] hook=post dir=org act=snat [MY_PC_IP]:1->8.8.8.8:8([FG'S_OUTSIDE_IP]:62464) hook=pre dir=reply act=dnat 8.8.8.8:62464->[FG'S_OUTSIDE_IP]:0([MY_PC_IP]:1) misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0 serial=02fa733b tos=ff/ff app_list=0 app=0 url_cat=0 dd_type=0 dd_mode=0 npu_state=0x020001 no_offload no_ofld_reason: disabled-by-policy sflow total session 1
You can determine which direction it's going based on the "gyw=". Then it's not the VPN, you can clear it by:
# diag session clear
Then it should start working again if VPN is up at that time. But it would be a temp fix. You need a policy to block it from happening.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A typo:
# diag sys session clear
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for not answering (I rebooted everything during launch time that day and until this happened again had no info to give).
That command shows 2 session because we have 2 windows server
session info: proto=17 proto_state=00 duration=102388 expire=172 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=may_dirty statistic(bytes/packets/allow_err): org=542826/5121/1 reply=0/0/0 tuples=2 tx speed(Bps/kbps): 5/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->post, reply pre->post dev=15->4/4->15 gwy=192.168.0.1/0.0.0.0 hook=post dir=org act=snat 192.168.1.SV2:1035->192.168.5.31:161(192.168.0.2:61451) hook=pre dir=reply act=dnat 192.168.5.31:161->192.168.0.2:61451(192.168.1.SV2:1035) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=0000bca3 tos=ff/ff app_list=0 app=0 url_cat=0 dd_type=0 dd_mode=0 session info: proto=17 proto_state=00 duration=102074 expire=175 timeout=0 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255 state=may_dirty statistic(bytes/packets/allow_err): org=1054984/9683/1 reply=0/0/0 tuples=2 tx speed(Bps/kbps): 10/0 rx speed(Bps/kbps): 0/0 orgin->sink: org pre->post, reply pre->post dev=15->4/4->15 gwy=192.168.0.1/0.0.0.0 hook=post dir=org act=snat 192.168.1.SV1:53096->192.168.5.31:161(192.168.0.2:53096) hook=pre dir=reply act=dnat 192.168.5.31:161->192.168.0.2:53096(192.168.1.SV1:53096) misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=0000bcec tos=ff/ff app_list=0 app=0 url_cat=0 dd_type=0 dd_mode=0 total session 2
In the case of the others 2 printers offline now, there are 138 and 131 sessions each.
As you said, clearing the session was enough to temporary fix this but I'd need some help to apply the permanent solution.
Thanks again,
Neo.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As you saw, it's following the default route (0.0.0.0) and the NAT/toward-the-Internet policy from an interface/zone the servers are coming from to an interface/zone to go out to the internet. You just need to add a new policy specifying the same sets of the interfaces/zones, but adding destination subnets, like 192.168.0.0/16, as destination addresses, then set the action to deny. Then don't forget to move it above the existing policy to be effective. So when the VPNs are down, those printing packets would never go toward the internet. And the sessions.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The printer program is likely to use a discovery protocol of the broadcast type that will not be forwarded through VLANs. In the policies that are a CLI option only, you can allow broadcast-forward. But in the first place, this will defeat the intent of making VLANs. Your best bet is to find out why the [link=https://printerhow.com]printer how[/link]-outs are "ugly" when configured using IP.
My Life My Style
My Life My Style
Related Posts
Labels
-
FortiGate
6,566 -
FortiClient
1,308 -
5.2
801 -
5.4
639 -
FortiManager
566 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
336 -
FortiAP
336 -
FortiClient EMS
267 -
6.2
251 -
FortiMail
243 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
61 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
25 -
Firewall policy
24 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
15 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
Logging
11 -
LDAP
10 -
Virtual IP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
IP address management - IPAM
7 -
4.0
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Traffic shaping policy
5 -
SNMP
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Web application firewall profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Web profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
Fortinet Engage Partner Program
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Schedule
1 -
SDN connector
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Web rating
1 -
FortiManager-VM
1 -
Email filter profile
1 -
Multicast routing
1 -
Internet Service Database
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1 -
System settings
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.