Hello,
we just had a strange problem trying to install a FG cluster for a Zywall FW. Everything went OK besides the routing and connection to our MPLS network: we can't ping and we don't have access (tried also with ALL to ALL).
I think it is clearly an issue of the MPLS provider, since we also tried directly with a laptop behind the MPLS router, with the same IP and gateway, and we can't access either.
Also, routing should be fine: in Routing Monitor the FG sends the packet via the correct route, and doing a tracert we get about 6 hops and then it stops.
We never had this issue with our MPLS provider, but this is an installation abroad. Is it possible that they have a policy that only the old Zywall can have access to the MPLS network? With tracert behind the Zywall I get the exact same hops and it works; with the FG or with my laptop I have the same hops, but it stops after 15ms and hop 7.
I am pretty sure that only our MPLS provider can solve the issue or am I missing something?
Thanks and regards,
You need to show us your network topology, how the HA FGTs are connected to MPLS router and the Zywall FW. Hopefully you have a simple network diagram to share.
Toshi
I misread your first sentence and didn't realize you just replaced the Zywall with the FGT. Then the first and the last thing I would do is to call the MPLS provider. We can speculate what might be happening inside of the MPLS network if you provide more detail, like what subnets are on the other ends of the MPLS network and the results of your traceroutes. But nothing would help fix the problem until you call them and they take a look at it.
Toshi
I think you answered the question for yourself when you said your laptop has the exact same problem as the FortiGate. Sounds like this is not a FortiGate issue and definitely something to do with your WAN link.
You could try cloning the Zywall's MAC address onto the FortiGate and see if it works. Try in non-HA mode though, as HA will use a virtual MAC.
config system interface
    edit "wan"
        set macaddr XX:XX:XX:XX:XX:XX
    next
end
Another question for you: these hops you are seeing in traceroute, are they internal hops or external? How many hops do you see beyond the FortiGate before it stops?
I remember having a lot of problems with an MPLS provider, and it always turned out to be their routing. I don't think the MAC has anything to do with that, as it's lost after the first hop (which even the FGT is able to get beyond). But authentication is something you should really be looking into.
In the end, they fixed their issues, we did nothing, and it worked.
Hi @ede_pfau,
Looking at your statement, you already did troubleshooting by connecting directly to the MPLS itself.
Somehow it's now working. This indicates something wrong on the MPLS side.
I would suggest inviting an MPLS technician on site to do the troubleshooting.
Hi,
this was indeed a big failure of the MPLS provider. They changed their routers some months ago and didn't change the configuration; for me it is still a wonder why it was working with the Zywall, but again, the first router had a bad route to the old router, which was not in use anymore. They changed the route and we had access.
Thanks!