Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Alex_talmage
New Contributor

Stumbled across a bug? New interface on 800D not responding to ping, dhcp, policy matching

So today I began setting up a new Guest WiFi vlan, and I want an interface on my Fortigate 800D to be the default gateway. This will allow us to restrict traffic to our internal network but allow it out to the internet. Should be simple?!

I've been racking my brains and cannot get this new interface to work.

So its configured as follows:

config system interface

edit "port9"  

set vdom "root"  

set ip 10.0.0.254 255.255.255.0  

set allowaccess ping  

set type physical  

set alias "Guest Wifi"  

set role lan  

set snmp-index 13  

next  

end

 

DHCP is configured:  

edit 4  

set default-gateway 10.0.0.254  

set netmask 255.255.255.0  

set interface "port9"  

config ip-range  

edit 1

 set start-ip 10.0.0.1  

set end-ip 10.0.0.253  

next  

end  

set timezone-option default  

set dns-server1 212.23.6.100  

next  

end

 

And I've created a policy rule to allow the traffic out to the internet. For testing purposes its source interface port9, destination interface wan2, any.

 

Port9 physically connects to a Cisco switch configured as:

switchport mode access

switchport access vlan 6

 

I connect a laptop to another port on the same switch, configured identically. With this config alone I believe I should be able to get a dhcp address in 10.0.0.1-10.0.0.253, ping the fortigate at 10.0.0.254, and browse the internet. I can't do any of those things.

 

diag sniffer packet 'port9' shows the broadcasts, so I believe they are arriving at the fortigate, but I never see any other than the initial broadcast. Same with a ping, I see ICMP arriving but nothing else.

 

I've configured a static ip address on the laptop and tried to ping, no dice.

 

I've got a DMZ network set up similarly to this, and the only difference I can see is under "Local-in Policy" (after enabling in Feature Select), I can see that ICMP and UDP 67 both exist in here against the DMZ network interface, but nothing for my new interface that I've set up. So I am guessing that the fortinet is just dropping the packets. I'll add that these local-in policies have not been added manually via CLI, this is the read only automatically created versions.

 

I'm running 2x FG800D in a A/P cluster, v5.4.2,build1100 (GA). I've set up new interfaces before and not seen this issue. Any ideas?

7 REPLIES 7
localhost
Contributor III

Have you limited the ip ranges from which admin users can connect?

If 10.0.0.0/24 is not in this range, pings will be blocked.

 

Does not explain why you won't get a DHCP lease. Have you tried connecting your laptop directly to the Fortigate:Port9?

Alex_talmage

We do use trusted hosts, but I've entered the subnet into the trusted hosts section anyway.

 

I've just connected laptop directly to port9 and no dhcp lease. Setting a static address I still can't ping.

emnoc
Esteemed Contributor III

FWIW; You don't need policys for the DHCP  nor PING to work.

 

 

Your on a good path but I would enable diag on dhcp-server services for the DHCP issues

 diag debug  application  dhcps -1

 

I would also run diag debug flow on the ping issues 

 

I'm sure both of these will give insight to the problem(s)

 

ken

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Alex_talmage

OK so I've got to the bottom of it, it was indeed a lack of resource to be able to apply the config that I'd made. I ran:

 

diag sys top

hit m to sort by memory

 

process wad was consuming 2GB of memory and overall utilization was at 80%.

 

diag sys kill 11 <pid>

 

This has now dropped to 33% and almost instantly my device got an address.

 

Huzzah!

 

Any ideas why this would have happened?

josh

I think this may be related to bug ID # 443019 that was fixed in 5.6.4. We're seeing this on FortiOS 5.6.0 on a FG-VM though we haven't noticed any tangible impact yet.

 

Bug description: "After running for some time, the FG-30E console keep printing memory leak error messages."

 

I suspect it may not just be related to the 30E... More info about it here: [link]https://forum.fortinet.com/tm.aspx?m=148257[/link]

localhost

I guess pinging the other way around Fortigate to Notebook doesn't work either?

Do the ping packets from the Fortigate go out on the correct interface, do they arrive at the notebook?

 

Is the 10.0.0.0/24 network visible in the routing table (as a 'connected' route)?

Some time ago I had an issue where this route was not added and I had to reconfigure the interface:

 

Reset all interface settings of port9 in the CLI (unset ..) and delete the DHCP server and related policies.

Then reconfigure with the GUI.

Alex_talmage
New Contributor

So diag debug enable, I'm seeing an error that doesn't look too pretty:

 

[__cmdb_bg_fork:670] fork( ) failed: 12(Cannot allocate memory)

[debug]dump HA master db: '/tmp/hasync/hasync.dhcpd/dhcpddb.sn=FG800D3916800609.o0uFal'

 

But I'm not seeing any DHCP requests in the debug. That first error, someone else has reported:

 

https://forum.fortinet.com/tm.aspx?m=148257

 

Could be this giving me grief?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors