Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Aigarz
New Contributor

Traceroute via FGT unit doesn't show as a hop

Hello,

 

I've come across fgt100d HA

 installation where internal Ip doesn't show in traceroute

What I get.

>tracert -d 8.8.8.8   1     1 ms     2 ms     1 ms  2.2.2.2   2     4 ms     3 ms     3 ms  1.1.1.1

... ^C

 

What I would like to get

>tracert -d 8.8.8.8   1     1 ms     1 ms     1 ms  192.168.100.1   2     1 ms     2 ms     1 ms  2.2.2.2   3     4 ms     3 ms     3 ms  1.1.1.1 ^C

 

Setup is quite basic.

there are several Lan interfaces combined under one zone. Policy is

LANzone > wan all traffic is permitted

192.168.100.1 responds to icmp

 

 

I'm suspecting fortigate doesn't decrease TTL or it's somehow connected that traffic is processed using NP...  Any ideas what could be switched on/off ;) ?

16 REPLIES 16
TIBarigui
New Contributor II

Sorry to bump an old thread, but +1 to supafin syntoms.

 

Using Windows server, if I trace for the first time, it shows my FG 240D. If I run it just after the first, it does not show the FG and shows the ISP gateway twice, in place of the FG itself.

 

I'm attaching a photo. 10.254.254.4 is my fortigate and the IP with the end 241.241 is the ISP's router.

 

Any hints?

 

Luiz

supafin

Yes I still have same issue. But I have learned to live with it, so to say.

First trace is correct, then fortigate stops to respond and after while (could be 30 minutes - some day) it respond again.

This is easy to see since I run pingplotter monitoring thru fortigate unit and it records route change whenever fortigate responds to icmp or not. It's hop will be replaced by next router, as you saw also.

I think it still relates that fortigate offloads traffic to asic and that's why it doesn't respond. But I'm not sure why it starts to respond after awhile again.

 

There is no asic offload disable possibility under firewall policy in our unit (100D) for some reason.

We have also 600D unit and in that there is possibility to disable offloading.

 

I might open support case to fortinet at some point but this hasn't been major issue for me so I haven't done that yet.

TIBarigui
New Contributor II

Same thing here.

 

The point is that I only saw this behaviour now, because we are in a very critical moment righ now, with many network problems. So I though that it could be possible the problem we have.

 

Can you say if this harm the connectivity or not?

supafin

No problem with actual connectivity. It just cosmetic thing in our network monitoring screens ;)

 

TIBarigui
New Contributor II

Thanks for your feedback. :)

Toshi_Esumi

And if you change those admin ports under system->settings to whatever you want, you don't have to deal with VIPs at all.

Toshi_Esumi

Please disregards. a wrong thread.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors