Single FortiGate 100F (running FortiOS v6.4.6) that exists within a Closed Network domain - meaning NO public (internet) access. The FW's purpose is to terminate multiple external ports where all traffic ultimately routes through a single port (Port1) that is connected to a Juniper router. The Juniper is a legacy router that only learns/publishes routes with RIP 2... so using another discovery protocol is not an option.
Of note: I have the FW routing traffic, with NAT and SNAT on multiple ports through Port1, so all the port configurations and routes are correct and functional (having to set static routes in the Juniper router for return traffic - till I can get RIP working).
RIP config only through the UI.
I have set 2 networks to publish (IPs here are examples). Networks:
Port1: Send and Receive RIP v2, passive: disabled, Authentication: disabled
Juniper router is receiving NO RIP notices and the FW is not processing RIP packets from the Juniper
- fw # get router info routing-table
  "No route available"
- fw # get router info rip interface
  ...
  port1 is up, line protocol is up
    RIP is not enabled on this interface
  ...
So looking at the rip config (below), Port1 IS enabled under RIP - which is concerning since the RIP routing-table (above) reports Port1 as NOT enabled (or is that just a red herring?)
- fw # config router rip
  fw (rip) # show
  config router rip
      config network
          edit 1
              set prefix 192.168.10.0 255.255.255.0
          next
          edit 2
              set prefix 192.168.20.0 255.255.255.0
          next
      end
      config redistribute "connected"
      end
      config redistribute "static"
      end
      config redistribute "ospf"
      end
      config redistribute "bgp"
      end
      config redistribute "isis"
      end
      config interface
          edit "port1"
              set receive-version 2
              set send-version 2
          next
      end
fw # get router info protocols
Routing Protocol is "rip"
  Sending updates every 30 seconds with +/-50%
  Timeout after 180 seconds, garbage collect after 120 seconds
  Outgoing update filter list for all interface is not set
  Incoming update filter list for all interface is not set
  Default redistribution metric is 1
  Maximum output metric is 15
  Redistributing:
  Default version control: send version 2, receive version 2
    Interface        Send  Recv  Key-chain
  Routing for Networks:
    192.168.10.0/24
    192.168.20.0/24
  Routing Information Sources:
    Gateway          Distance  Last Update  Bad Packets  Bad Routes
  Distance: (default is 120)
Under "Routing Information Sources" there's no originating gateway address, so I'm guessing that indicates it's not receiving/processing RIP packets?
Running diagnostic command:
fw # diagnose sniffer packet any "port 520"
interfaces=[any]
filters=[port 520]
26.233044 port1 in x.x.x.x.520 -> 188.8.131.52.520: udp 324
55.877770 port1 in x.x.x.x.520 -> 184.108.40.206.520: udp 324
84.327312 port1 in x.x.x.x.520 -> 220.127.116.11.520: udp 324
113.484259 port1 in x.x.x.x.520 -> 18.104.22.168.520: udp 324
140.999009 port1 in x.x.x.x.520 -> 22.214.171.124.520: udp 324
(x.x.x.x - not exposing this address)
This indicates the FW IS receiving RIP from the Juniper.
Note: statistics on the Juniper indicate NO RIPv2 Updates Received - which is consistent with the diagnostic above
Enabling logging (I'm assuming it's to the CLI):
fw # diagnose ip router rip all enable
Debug messages will be on for 30 minutes.
No messages ever show up - and nothing in the logs, any of them.
All of the documentation I've read is terse... all examples of setting up RIP involve communicating only with Fortinet devices - nothing connected to Cisco, Juniper, etc.
Also, in RIP on Cisco and Juniper, you define the neighbor - which I assumed would be the gateway assigned to Port1 (assigned to the Interfaces in the GUI config page for RIP) - but I do not see it defined in the CLI. Now, the rip config does have a 'neighbor' element, which I have manually set to the Juniper router IP... to no avail.
Can someone please provide me information/guidance on how one would configure this unit to get RIP working? Thank you in advance!
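The sniffer output above only proves that datagrams arrive on UDP/520; it does not show the RIP version or whether the sender attaches an authentication entry, and under RFC 2453 (section 5.2) a router with authentication disabled discards authenticated messages silently, while an interface set to receive-version 2 ignores v1. The following Python decoder is an added example, not code from the original post or any Fortinet tool: it parses a RIP datagram (a constructed sample of 16 routes, which is exactly the 324-byte UDP payload length seen in the capture; the 10.101.x.0 prefixes are made up) and lists the reasons such an interface would drop it.

```python
import struct
import ipaddress

HDR = struct.Struct("!BBH")          # command, version, must-be-zero (RFC 2453 fig. 1)
ENTRY = struct.Struct("!HH4s4s4sI")  # AFI, route tag, address, subnet mask, next hop, metric
RESPONSE, AFI_IP, AFI_AUTH = 2, 2, 0xFFFF

def entry_count(udp_len):
    """Entries in a RIP datagram of this UDP payload length: 4-byte header plus 20 bytes each."""
    body = udp_len - HDR.size
    if body < 0 or body % ENTRY.size:
        raise ValueError(f"{udp_len} bytes is not a valid RIP datagram length")
    return body // ENTRY.size

def parse_rip(payload):
    """Decode the header, an optional leading authentication entry (AFI 0xFFFF) and the routes."""
    command, version, _ = HDR.unpack_from(payload, 0)
    auth, routes = None, []
    for i in range(entry_count(len(payload))):
        afi, tag, addr, mask, nh, metric = ENTRY.unpack_from(payload, HDR.size + i * ENTRY.size)
        if i == 0 and afi == AFI_AUTH:
            auth = {"type": tag}  # 2 = simple password, 3 = MD5 (RFC 2082)
            continue
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(addr)}/{ipaddress.IPv4Address(mask)}", strict=False)
        routes.append({"prefix": str(net), "next_hop": str(ipaddress.IPv4Address(nh)), "metric": metric})
    return {"command": command, "version": version, "auth": auth, "routes": routes}

def build_response(routes, version=2):
    """Construct a RIP response datagram from (prefix, metric) pairs; next hop 0.0.0.0 = the sender."""
    out = bytearray(HDR.pack(RESPONSE, version, 0))
    for prefix, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        out += ENTRY.pack(AFI_IP, 0, net.network_address.packed, net.netmask.packed, bytes(4), metric)
    return bytes(out)

def discard_reasons(parsed, receive_version=2, auth_enabled=False):
    """Why an interface with this receive-version / authentication setting would silently drop it."""
    reasons = []
    if parsed["version"] != receive_version:
        reasons.append(f"sender speaks RIP v{parsed['version']}, interface accepts v{receive_version} only")
    if parsed["auth"] and not auth_enabled:
        reasons.append("datagram carries an authentication entry but interface authentication is disabled")
    if auth_enabled and not parsed["auth"]:
        reasons.append("interface requires authentication but the datagram carries none")
    return reasons

# Constructed sample (hypothetical prefixes): 16 routes give the "udp 324" seen in the sniffer output.
SAMPLE_ROUTES = [(f"10.101.{10 * i}.0/24", 2) for i in range(1, 17)]
SAMPLE = build_response(SAMPLE_ROUTES)
```

To use it on a real capture, save the UDP payload from the sniffer (verbose level 3 or a pcap) and pass the bytes to parse_rip; an empty list from discard_reasons means the version and authentication settings are not what stops the update from being accepted.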
I did a test in a lab after this time with a Cisco switch and RIP is working normally in 7.2.4 with minimal configuration:
config router rip
    config network
        edit 1
            set prefix 10.0.0.0 255.0.0.0
        next
    end
    config redistribute "connected"
        set status enable
    end
    config redistribute "static"
    end
    config redistribute "ospf"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
    config interface
        edit "port2"
            set receive-version 2
            set send-version 2
        next
and the routing table gets populated on both nodes:
GW # get router info routing-table rip
Routing table for VRF=0
R       10.101.20.0/24 [120/2] via 10.0.0.101, port2, 00:09:32, [1/0]
R       10.101.30.0/24 [120/2] via 10.0.0.101, port2, 00:09:32, [1/0]
R       10.101.50.0/24 [120/2] via 10.0.0.101, port2, 00:09:32, [1/0]
on Cisco SW:
IOU-101#show ip rip database
10.0.0.0/8    auto-summary
10.0.0.0/24    directly connected, Ethernet3/3
10.0.10.1/32    via 10.0.0.1, 00:00:07, Ethernet3/3
10.5.0.0/24    via 10.0.0.1, 00:00:07, Ethernet3/3
10.5.11.0/24
I don't think that there is something wrong with the FGT, better check the configuration in Juniper.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.