Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
velosy
New Contributor II

Created on ‎06-25-2024 10:41 AM

SSH to Vdom Link IP Address

I have a Fortigate firewall with x2 VDOMs, root and user created called "management access".

 

root and management access have an inter-vdom link between them to exchange traffic and because of the requirements root is the "management vdom" and used as management access for us to manage our customers firewall. The problem I am facing is that you cant configure SNMP in a non "management vdom", so I have configured SNMP on the inter vdom link in root as a workaround which the management access vdom is directly connected to.

 

The problem is I cant seem to SSH onto the firewall using the intervdom link from our management jump box.

Does anyone know if its possible to SSH to a Fortigate on an intervdom link from outside the Fortigate firewall? I have checked routing+firewall policies but it does not appear to work.

Labels:
284
0 Kudos
8 REPLIES 8
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-25-2024 11:10 AM

vlinks/npu-vlinks are just another type of interface so you can allow admin access (SSH, HTTPS) to them. I just tested it with an npu-vlink and working file on my 40F.
Are you sure you have a policy where you're coming from to the vlink interface?

Toshi

275
0 Kudos
velosy
New Contributor II

Created on ‎06-25-2024 11:14 AM

Hi, Thanks for your quick response.

 

So I have a site to site VPN, that lands in my "Management access" VPN.  I have policy from the tunnel interface to the local inter vdom link allowing the traffic.

 

Because the root inter vdom link is on the edge, I should not need a policy there?

271
0 Kudos
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-25-2024 11:27 AM

Are you trying to access on the opposite side of the vlink through root vdom? Then, do you have a return route in the customer vdom side for your source IP?

Toshi

250
0 Kudos
velosy
New Contributor II
In response to Toshi_Esumi

Created on ‎06-25-2024 01:03 PM

Yes I am pinging/ssh the opposite vdom's, vdom link and I can see return traffic on the source vdom firewall logs, but the ping times out on the client.

 

 

image.png

223
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to velosy

Created on ‎06-25-2024 01:34 PM

If even ping doesn't work, it must be a routing issue on the customer vdom side.
Try sniff on the vlink interface on that vdom side like below. In below, "rt2tst1 is the npu-vlink interface on the test-vdom side as you can see in the promp. And 10.100.64.1/31 is the interface IP. I pinged it by coming through root vdom. If a proper route for the source IP (10.68.3.231), you should see the echo replies like below. I have a default route toward root vdom. You might need to filter out other traffic by specifying "icmp" and/or source IP to eliminate other noise.

 

fg40f-utm (test-vdom) # diag sniffer packet rt2tst1
interfaces=[rt2tst1]
filters=[none]
20.965328 arp who-has 10.100.64.1 tell 10.100.64.0
20.965375 arp reply 10.100.64.1 is-at 02:23:ff:22:d8:ff
20.965408 10.68.3.231 -> 10.100.64.1: icmp: echo request
20.965491 10.100.64.1 -> 10.68.3.231: icmp: echo reply
21.972809 10.68.3.231 -> 10.100.64.1: icmp: echo request
21.972852 10.100.64.1 -> 10.68.3.231: icmp: echo reply
22.989158 10.68.3.231 -> 10.100.64.1: icmp: echo request
22.989198 10.100.64.1 -> 10.68.3.231: icmp: echo reply
24.001544 10.68.3.231 -> 10.100.64.1: icmp: echo request
24.001592 10.100.64.1 -> 10.68.3.231: icmp: echo reply
25.969234 arp who-has 10.100.64.0 tell 10.100.64.1
25.969289 arp reply 10.100.64.0 is-at 02:23:ff:22:d8:fe

Toshi

209
0 Kudos
velosy
New Contributor II
In response to Toshi_Esumi

Created on ‎06-26-2024 03:53 AM

I can see the ping reply and request on the customer vdom, but still timing out on the client.  x.x.x.9 being the vdom link ip and x.x.x.30 the client source address.

 

diag sniffer packet 11
interfaces=[11]
filters=[none]

7.517933 x.x.x.30 -> x.x.x.9: icmp: echo request
7.518029 x.x.x.9 -> x.x.x.30: icmp: echo reply

113
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to velosy

Created on ‎06-26-2024 08:51 AM

Then routing at the vdom is fine. Now run sniffing at root vdom like below:
   diag snffer packet any 'host x.x.x.9 and icmp' 4
You should see packets passing through ingress and egress interfaces in root vdom. Likely the replis is lost in the root vdom.

Toshi

93
0 Kudos
datorresv
New Contributor II

Created on ‎06-26-2024 11:20 AM

Hello


Enable SSH, SNMP, ping services. It should not be a problem and these should be functional.

 

Verify that routing on both vdoms is correct and validate that access rules are appropriate.

 

If possible, share an image of your current topology diagram to better understand the solution that is operating. Also include source and destination networks.

 

Cheers

Diego.

81
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.