Hello,
I've come across an fgt100d HA installation where the internal IP doesn't show in traceroute.
What I get:

    >tracert -d 8.8.8.8
      1     1 ms     2 ms     1 ms  2.2.2.2
      2     4 ms     3 ms     3 ms  1.1.1.1
    ... ^C

What I would like to get:

    >tracert -d 8.8.8.8
      1     1 ms     1 ms     1 ms  192.168.100.1
      2     1 ms     2 ms     1 ms  2.2.2.2
      3     4 ms     3 ms     3 ms  1.1.1.1
    ^C

Setup is quite basic.
There are several LAN interfaces combined under one zone. Policy is
LANzone > wan, all traffic is permitted.
192.168.100.1 responds to ICMP.
I suspect the FortiGate doesn't decrease the TTL, or it's somehow connected to the traffic being processed using NP... Any ideas what could be switched on/off ;) ?
Sorry to bump an old thread, but +1 to supafin's symptoms.
Using Windows Server, if I trace for the first time, it shows my FG 240D. If I run it again right after the first, it does not show the FG and shows the ISP gateway twice, in place of the FG itself.
I'm attaching a photo. 10.254.254.4 is my FortiGate and the IP ending in 241.241 is the ISP's router.
Any hints?
Luiz
Yes, I still have the same issue. But I have learned to live with it, so to say.
The first trace is correct, then the FortiGate stops responding, and after a while (could be 30 minutes - some day) it responds again.
This is easy to see since I run PingPlotter monitoring through the FortiGate unit, and it records a route change whenever the FortiGate responds to ICMP or not. Its hop will be replaced by the next router, as you also saw.
I think it still relates to the FortiGate offloading traffic to the ASIC, and that's why it doesn't respond. But I'm not sure why it starts to respond again after a while.
There is no option to disable ASIC offload under firewall policy in our unit (100D) for some reason.
We also have a 600D unit, and in that one it is possible to disable offloading.
I might open a support case with Fortinet at some point, but this hasn't been a major issue for me, so I haven't done that yet.
Same thing here.
The point is that I only saw this behaviour now, because we are in a very critical moment right now, with many network problems. So I thought that it could possibly be the problem we have.
Can you say if this harms the connectivity or not?
No problem with actual connectivity. It's just a cosmetic thing in our network monitoring screens ;)
Thanks for your feedback. :)
And if you change those admin ports under system->settings to whatever you want, you don't have to deal with VIPs at all.
Please disregard. Wrong thread.