Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SC_Alex
New Contributor III

Routing issues - instead of inter vlan routes via wan

Hi, my FG-60F sends packets to the WAN instead of doing inter-VLAN routing:
traceroute 10.102.9.3
traceroute to 10.102.9.3 (10.102.9.3), 30 hops max, 60 byte packets
1 _gateway (192.168.1.99) 0.404 ms 0.382 ms 0.373 ms
2 customer.abc.net (X.X.0.0) 83.877 ms 73.327 ms 83.850 ms
...

Routing table looks fine:

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
V - BGP VPNv4
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via X.X.0.1, wan2, [10/0]
[10/0] via X.X.0.1, wan1, [15/0]
C 10.0.2.0/30 is directly connected, Wireless-B
C 10.0.3.0/30 is directly connected, Wireless-C
C 10.102.1.0/24 is directly connected, vlan-10
C 10.102.2.0/24 is directly connected, vlan-20
C 10.102.3.0/24 is directly connected, vlan-30
C 10.102.6.0/24 is directly connected, vlan-60
C 10.102.7.0/24 is directly connected, vlan-70
C 10.102.8.0/24 is directly connected, vlan-80
C 10.102.9.0/24 is directly connected, vlan-90
C 10.102.11.0/24 is directly connected, vlan-11
C X.X.0.0/10 is directly connected, wan1
C X.X.0.0/22 is directly connected, wan2
C 192.168.1.0/24 is directly connected, internal

And I have policies:

edit 3
set name "11-to-90"
set uuid
set srcintf "vlan-11"
set dstintf "vlan-90"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 14
set name "int-to-90"
set uuid
set srcintf "internal"
set dstintf "vlan-90"
set action accept
set srcaddr "internal"
set dstaddr "vlan-90 address"
set schedule "always"
set service "ALL"
set logtraffic all
next

Any ideas how to fix it?

1 Solution
SC_Alex
New Contributor III

This is solved. Routing was set via policies to support 2 WANs, and I did not expect that in this case all traffic would be routed to the Internet.
Switching to SD-WAN solved the problem, and also gave more flexibility in managing routes.


8 REPLIES
tdrake2406
New Contributor III

Can you do exec ping-options source 192.168.1.1 and press enter? Then type the command exec ping 10.102.9.3. Also, if the route is connected, then traffic should go out that VLAN as long as it is not disabled.

SC_Alex
New Contributor III

I did it with the gateway IP: exec ping-options source 192.168.1.99
With no result.
Version is 7.4.4

tdrake2406
New Contributor III

Would you be open to doing a screen share?

SC_Alex
New Contributor III

Sent a personal message

Toshi_Esumi
SuperUser

If you haven't set this yet, add the following:

config sys global

   set snat-route-change ena
end

Then try the following to clear the stuck sessions:

diag sys session filter clear

diag sys session filter dst 10.102.9.3
diag sys session clear

Toshi

SC_Alex
New Contributor III

No result here

hbac
Staff

Hi @SC_Alex,

Please run debug flow and try to ping:


di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 10.102.9.3
di deb flow filter proto 1
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 9999
diagnose debug enable


Regards,

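The accepted solution explains the symptom in one sentence: a FortiGate evaluates policy routes before it consults the routing table, so a dual-WAN policy route whose destination is "any" captures inter-VLAN traffic from the internal network before the connected vlan-90 route is ever looked at. The Python model below is an added illustration written for this thread, not code from the forum or from Fortinet. It parses the questioner's "get router info routing-table all" output (with the redacted X.X WAN prefixes replaced by constructed documentation addresses), does a longest-prefix lookup, and puts a constructed policy-route table in front of it the way the firewall does. The second policy table shows the classic remedy when SD-WAN is not an option: a more specific policy route for the local prefixes that stops policy routing (FortiOS's deny action, assumed here) and hands the packet back to the routing table. SD-WAN rules themselves are not modelled.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample based on the questioner's table. The redacted X.X WAN
# prefixes are replaced with documentation ranges so the text parses; ECMP
# continuation lines (starting with "[") are ignored, as in the real output.
ROUTING_TABLE = """\
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 198.51.100.1, wan2, [10/0]
[10/0] via 203.0.113.1, wan1, [15/0]
C 10.102.9.0/24 is directly connected, vlan-90
C 10.102.11.0/24 is directly connected, vlan-11
C 198.51.100.0/22 is directly connected, wan2
C 192.168.1.0/24 is directly connected, internal
"""


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_intf: str
    gateway: Optional[str] = None       # None for connected routes


@dataclass(frozen=True)
class PolicyRoute:
    src_intf: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    out_intf: Optional[str] = None      # None models "action deny": stop policy routing
    gateway: Optional[str] = None


STATIC_RE = re.compile(r"^S\*?\s+([^,\s]+)\s+\[\d+/\d+\]\s+via\s+([^,\s]+),\s+([^,\s]+)")
CONNECTED_RE = re.compile(r"^C\s+([^,\s]+)\s+is directly connected,\s+([^,\s]+)")


def parse_routing_table(text: str) -> List[Route]:
    """Build a FIB from the C and S lines of 'get router info routing-table all'."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = CONNECTED_RE.match(line)
        if m:
            routes.append(Route(ipaddress.ip_network(m.group(1)), m.group(2)))
            continue
        m = STATIC_RE.match(line)
        if m:
            routes.append(Route(ipaddress.ip_network(m.group(1)), m.group(3), m.group(2)))
    return routes


def fib_lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, which is what the routing table alone would do."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def forward(policy_routes: List[PolicyRoute], routes: List[Route],
            src_intf: str, src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (egress interface, reason). Policy routes are checked first, in order,
    and the first match wins; a stop-policy-routing entry falls through to the FIB."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pr in policy_routes:
        if pr.src_intf == src_intf and src_ip in pr.src and dst_ip in pr.dst:
            if pr.out_intf is None:
                break                   # deny: ignore remaining policy routes
            return pr.out_intf, "policy route"
    r = fib_lookup(routes, dst)
    return (r.out_intf, "routing table") if r else (None, "no route")


FIB = parse_routing_table(ROUTING_TABLE)
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNAL = ipaddress.ip_network("192.168.1.0/24")

# Constructed dual-WAN policy route of the kind the accepted solution describes:
# everything from "internal" is steered to wan2, local destinations included.
DUAL_WAN_POLICY = [PolicyRoute("internal", INTERNAL, ANY, "wan2", "198.51.100.1")]

# Same table with a preceding stop-policy-routing entry for the VLAN prefixes,
# so only non-local traffic is steered and the connected routes decide the rest.
FIXED_POLICY = [PolicyRoute("internal", INTERNAL, ipaddress.ip_network("10.102.0.0/16"))] + DUAL_WAN_POLICY

if __name__ == "__main__":
    for table, label in ((DUAL_WAN_POLICY, "dual-WAN policy"), (FIXED_POLICY, "fixed policy")):
        for dst in ("10.102.9.3", "8.8.8.8"):
            print(label, "->", dst, forward(table, FIB, "internal", "192.168.1.50", dst))
```

Running the block prints the symptom from the original traceroute (10.102.9.3 leaving via wan2 under the dual-WAN policy) and the corrected behaviour (vlan-90 from the routing table once the local prefixes are exempted, while 8.8.8.8 still follows the policy route to wan2). The same parser can be pointed at a real table dump to check which interface the routing table alone would choose, which is a quick way to confirm that an unexpected egress interface is coming from a policy route rather than from the FIB.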
