Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dauger
New Contributor

Responding on HA IP address

Hi,

 

I wasn't sure which topic that my question fell into since it's a mix of network routing/HA. I found the following error below (some information is redacted) in my firewall logs. I've done research on what was actually happening on the firewall and determined that the firewall's external port (IP X.X.X.X) was reaching out to fortiguard.com (35.197.51.42). The firewall is running HA and I've found that "HA inter-VDOM link interfaces on the primary unit are assigned IP addresses 169.254.0.65 and 169.254.0.66" (http://kb.fortinet.com/kb...o?externalId=FD32155).

Mar 22 06:48:36 devicevrr date=2018-03-22 time=06:48:36 devname=device1 devid=FG200D1111111111 logid=0100020085 type=event subtype=system level=information vd="root" logdesc="session clash" status="clash" proto=6 msg="session clash" new_status="state=04000200 tuple-num=2 policyid=0 dir=0 act=1 hook=4 169.254.0.65:21978->35.197.51.42:80(X.X.X.X:21978) dir=1 act=2 hook=0 35.197.51.42:80->X.X.X.X:21978(169.254.0.65:21978)" old_status="state=00004200 tuple-num=2 policyid=0 dir=0 act=0 hook=3 X.X.X.X:21978->35.197.51.42:80(0.0.0.0:0) dir=1 act=0 hook=1 35.197.51.42:80->X.X.X.X:21978(0.0.0.0:0)"

I'm wondering why the firewall would have attempted to respond on the HA IP address 169.254.0.65. I wasn't able to find any other log entries which indicated that this was happening. This only was noticed due to the session clash that occurred between the HA IP and the external IP. Any clarification would be appreciated.

 

Thanks, Dan

2 REPLIES 2
emnoc
Esteemed Contributor III

Read this

 

http://kb.fortinet.com/kb/viewContent.do?externalId=FD32155

 

is that explicable  to your situation?

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
dauger
New Contributor

We saw this traffic specifically destined to FortiGuard so if it works similarly to a FortiAnalyzer then it could be. I'm not sure how I would determine if the FortiGates are running MR7, but we are using HA.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors