Hello Everyone,
I have a strange behavior in my lab.
My lab topology is simple: two different networks directly connected to a FortiGate (VM), with a Linux and a Windows machine. A policy to allow any/any has been declared for testing. Ping is not working, and there are no hits on the policy.
Linux and Windows are able to ping their gateways (FG interfaces).
I tried to reboot the FG VM; the ping succeeded for about 10 seconds after the reboot, then failed again, and during these successful pings the policy got some hits for that traffic!!
Any advice?
It seems like a bug.
So we can consider this closed.
Thanks
Most probably not a bug in FortiOS; otherwise 99% of all deployed FortiGates would be blocking traffic.
For testing, disable NP offloading on that policy:
config firewall policy
edit xxx
set auto-asic-offload disable
next
end
What do you see in FortiView?
If you don't see any traffic, then it might be discarded because of RPF - make sure you have valid routes to both networks.
As a last resort, use the sniffer:
diagnose debug enable
diagnose sniffer packet any 'icmp' 4 0 l
and see if anything is knocking at the door.
Actually nothing is knocking at the door, but after rebooting, within 10 seconds I can see traffic passing!
No problem with routing, since the two networks are directly connected to the FW and the hosts are able to ping the FW, which is their default gateway.
...and you have disabled ASIC offloading now?
No such option available; diag shows some hits:
1.589553 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request
2.590318 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request
3.590392 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request
4.590471 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request
5.589958 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request
6.592377 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request
7.600332 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request
8.608595 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request
But still no ping!
Ping from the FortiGate to the clients is working, as well as from the clients to the FortiGate, so it couldn't be a VM network issue. The same scenario was tested on another VM and it's working!
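One way to read a capture like the one above for exactly this symptom, as an added Python example that is not part of the thread: it parses `diagnose sniffer packet` verbosity-4 ICMP lines in the format shown and reports (src, dst) pairs whose echo requests entered the unit but were never sent back out on any interface nor answered, i.e. traffic dropped inside the firewall rather than lost on the network. The sample lines are constructed (two from the thread plus an invented healthy flow on port2/port3 with host 10.0.0.5).

```python
import re
from collections import defaultdict

# One line of `diagnose sniffer packet any 'icmp' 4` output, e.g.
# "1.589553 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)$"
)


def parse_sniffer(text):
    """Return one dict per ICMP echo line; lines that do not match are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            records.append(rec)
    return records


def classify_flows(records):
    """Per (src, dst) request pair: requests that entered the unit, requests it
    sent back out on any interface, and echo replies seen in either direction."""
    flows = defaultdict(lambda: {"requests_in": 0, "forwarded": 0, "replies": 0})
    for r in records:
        if r["kind"] == "request":
            flows[(r["src"], r["dst"])]["requests_in" if r["dir"] == "in" else "forwarded"] += 1
        else:
            # a reply flows dst -> src relative to the request it answers
            flows[(r["dst"], r["src"])]["replies"] += 1
    return dict(flows)


def dropped_flows(records):
    """(src, dst) pairs whose requests reached the firewall but were neither
    forwarded out nor answered: the pattern in the capture above."""
    return sorted(k for k, v in classify_flows(records).items()
                  if v["requests_in"] and not v["forwarded"] and not v["replies"])


# Constructed sample: two request lines as in the thread, plus one healthy flow
SAMPLE = """\
1.589553 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request
2.590318 port1 in 172.16.48.100 -> 192.168.112.100: icmp: echo request
3.100000 port3 in 10.0.0.5 -> 192.168.112.100: icmp: echo request
3.100210 port2 out 10.0.0.5 -> 192.168.112.100: icmp: echo request
3.100900 port2 in 192.168.112.100 -> 10.0.0.5: icmp: echo reply
3.101050 port3 out 192.168.112.100 -> 10.0.0.5: icmp: echo reply
"""

if __name__ == "__main__":
    for src, dst in dropped_flows(parse_sniffer(SAMPLE)):
        print(f"{src} -> {dst}: requests seen inbound only; dropped inside the unit")
```

Because the capture uses the `any` interface, a forwarded packet shows up twice (in on ingress, out on egress), which is what the forwarded counter relies on; a flow with inbound requests only points at policy, RPF or offload handling rather than at the hosts or the virtual switch.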
Assuming the (virtual) machines are directly connected and in their gateway's subnet it shouldn't be a routing issue. Unless you have some special static or policy routes?
Just in case, what does a tracert show?
Could you post the relevant security policies (redacted as needed)?
Traceroute is giving nothing.
No special static or policy route; as for the policy, it's only allow any/any for testing, nothing special actually.
It's 100% not a routing issue, because as I told you before, after rebooting the FG VM everything works fine for 10 seconds.
Thanks for your help
Copyright 2024 Fortinet, Inc. All Rights Reserved.