Strange VIP/NAT issue
We have a customer who is migrating their internet connectivity to a new speed and provider. WAN2 has the legacy internet connection and WAN1 has the new internet connection.
I am attempting to migrate VIP and rules to the new connection. Although I have created a new VIP and rule to map RDP to port 52002, it does not work on the new connection, even though it works on the old connection and IP. I have ensured the new IP is correct and that the internal IPs are also correct.
Another server on port 52000 works as expected so I am at a loss to explain this.
The CLI command diag debug flow is your friend, but it sounds like a routing issue and a failure of the uRPF lookup. I bet the old default route is pointed through WAN1; if the VIP is attached to WAN2 and you have an RPF lookup failure, the firewall will drop the packet due to RPF checks.
If you want to confirm, place a /32 host route through WAN2 to the source IPv4 address of your tester.
Ken
PCNSE
NSE
StrongSwan
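The reply above describes a reverse-path-forwarding (RPF) drop: the firewall looks up the route back to the packet's source address and discards the packet if that route does not leave through the interface the packet arrived on. The following is an added example, not code from the thread or from Fortinet, that simulates that lookup against a small constructed routing table so the effect of Ken's /32 host route can be seen before touching the firewall. Interface names (wan1, wan2, internal), the tester address and the gateway addresses are assumptions drawn from RFC 5737 documentation ranges.

```python
"""Simulate a strict uRPF check against a constructed FortiGate-style routing table."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: str


def best_route(table, ip):
    """Longest-prefix match for ip; returns None when no route covers it."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen)


def rpf_check(table, src_ip, ingress_iface):
    """Strict RPF: pass only if the best route back to src_ip exits via ingress_iface.

    Returns (accepted, reason) so the caller can see why a packet was dropped.
    """
    route = best_route(table, src_ip)
    if route is None:
        return False, f"no route back to {src_ip}"
    if route.interface != ingress_iface:
        return False, (f"route back to {src_ip} is {route.prefix} via {route.interface}, "
                       f"but the packet arrived on {ingress_iface}: RPF drop")
    return True, f"route back to {src_ip} via {route.interface} matches ingress"


# Constructed sample table (assumption): default route via wan1, LAN behind 'internal'.
TESTER = "198.51.100.77"  # assumed external tester address (RFC 5737 space)
BASE_TABLE = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "wan1", "203.0.113.1"),
    Route(ipaddress.IPv4Network("192.168.10.0/24"), "internal", "0.0.0.0"),
]


def scenario_without_host_route():
    """Tester hits the VIP on wan2 while the only route back to it is the default via wan1."""
    return rpf_check(BASE_TABLE, TESTER, "wan2")


def scenario_with_host_route():
    """Same packet after adding Ken's /32 host route for the tester out of wan2."""
    table = BASE_TABLE + [Route(ipaddress.IPv4Network(f"{TESTER}/32"), "wan2", "192.0.2.1")]
    return rpf_check(table, TESTER, "wan2")


if __name__ == "__main__":
    for name, fn in (("without /32", scenario_without_host_route),
                     ("with /32", scenario_with_host_route)):
        accepted, reason = fn()
        print(f"{name}: {'ACCEPT' if accepted else 'DROP'} ({reason})")
```

The first scenario is the symptom in the thread: the packet reaches the VIP on the secondary WAN, but the only route back to the tester is the default route out the other WAN, so the RPF check fails and the session never forms. The /32 host route makes the return path agree with the ingress interface for that one tester, which is why Ken suggests it as a diagnostic rather than a fix; the real remedy is making the VIP's interface and the route back to the clients consistent.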
The VIP definition asks for an external port. Make sure you change that in the VIP definition. It will only work on one outward-facing interface, not both.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
