Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
johnlloyd_13
Contributor

Unable to add lan1 in MGMT Interface Reservation

hi,

i managed to built HA active-passive between two 40F.

i lost HTTPS/ping access to secondary since it sync'd with primary IP in lan1.

i already remove FW policy and static route for lan1 but i'm still unable to add lan1 in HA MGMT interface reservation both in GUI (only 'a' is available, used in HA link) and CLI (code -23).

can anyone advise or point me to the right direction?

 

FW01_PRI # config system ha

FW01_PRI (ha) # set ha-mgmt-status enable

FW01_PRI (ha) # config ha-mgmt-interfaces

FW01_PRI (ha-mgmt-interfaces) # edit 1
new entry '1' added

PRI (1) # set interface lan1
node_check_object fail! for interface lan1


value parse error before 'lan1'
Command fail. Return code -23

 
Thanks,
John
Thanks,John
1 Solution
srajeswaran

Looks like the address object may be referenced in some other config. You can try deleting from CLI using below command.

config firewall address
delete "lan1 address"
end

If this is giving error, please check if this is referenced in some other hierarchy.

show | grep "lan1 address" -f

 

 

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

View solution in original post

9 REPLIES 9
funkylicious
Contributor III

show full system interface lan1 , what does it show ?

also, diagnose sys cmdb refcnt show system.interface.name lan1 ?

geek
geek
johnlloyd_13

hi,

below are output from primary and secondary FW.

 

FW01_PRI # show full system interface lan1
config system interface
edit "lan1"
set vdom "root"
set vrf 0
set fortilink disable
set mode static
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set management-ip 0.0.0.0 0.0.0.0
set ip 172.20.82.250 255.255.255.0
set allowaccess ping https ssh http
set fail-detect disable
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-send-redirect enable
set icmp-accept-redirect enable
set reachable-time 30000
set vlanforward disable
set stpforward disable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set subst disable
set substitute-dst-mac 00:00:00:00:00:00
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type physical
set netflow-sampler disable
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set disconnect-threshold 0
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set description ''
set alias "MGMT"
set security-mode none
set ike-saml-server ''
set device-identification enable
set device-user-identification enable
set lldp-reception vdom
set lldp-transmission enable
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth disable
set vrrp-virtual-mac disable
set role lan
set snmp-index 7
set secondary-IP disable
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set ip-managed-by-fortiipam disable
set switch-controller-mgmt-vlan 4094
set switch-controller-igmp-snooping-proxy disable
set switch-controller-igmp-snooping-fast-leave disable
set swc-first-create 0
set eap-supplicant disable
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set vrrp-virtual-mac6 disable
set vrip6_link_local ::
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set priority 1
set dhcp-relay-request-all-server disable
set dhcp-client-identifier ''
set dhcp-renew-time 0
set idle-timeout 0
set disc-retry-timeout 1
set padt-retry-timeout 1
set dns-server-override enable
set dns-server-protocol cleartext
set speed auto
set mtu-override disable
set wccp disable
set drop-overlapped-fragment disable
set drop-fragment disable
next
end

 

-----

 

FW01_SEC # show full system interface lan1
config system interface
edit "lan1"
set vdom "root"
set vrf 0
set fortilink disable
set mode static
set dhcp-relay-interface-select-method auto
set dhcp-relay-service disable
set management-ip 0.0.0.0 0.0.0.0
set ip 172.20.82.250 255.255.255.0
set allowaccess ping https ssh http
set fail-detect disable
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-send-redirect enable
set icmp-accept-redirect enable
set reachable-time 30000
set vlanforward disable
set stpforward disable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set subst disable
set substitute-dst-mac 00:00:00:00:00:00
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type physical
set netflow-sampler disable
set sflow-sampler disable
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set explicit-web-proxy disable
set explicit-ftp-proxy disable
set proxy-captive-portal disable
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set ingress-shaping-profile ''
set disconnect-threshold 0
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set description ''
set alias "MGMT"
set security-mode none
set ike-saml-server ''
set device-identification enable
set device-user-identification enable
set lldp-reception vdom
set lldp-transmission enable
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set measured-upstream-bandwidth 0
set measured-downstream-bandwidth 0
set bandwidth-measure-time 0
set monitor-bandwidth disable
set vrrp-virtual-mac disable
set role lan
set snmp-index 7
set secondary-IP disable
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
set ip-managed-by-fortiipam disable
set switch-controller-mgmt-vlan 4094
set switch-controller-igmp-snooping-proxy disable
set switch-controller-igmp-snooping-fast-leave disable
set swc-first-create 0
set eap-supplicant disable
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set icmp6-send-redirect enable
set ra-send-mtu enable
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set vrrp-virtual-mac6 disable
set vrip6_link_local ::
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set priority 1
set dhcp-relay-request-all-server disable
set dhcp-client-identifier ''
set dhcp-renew-time 0
set idle-timeout 0
set disc-retry-timeout 1
set padt-retry-timeout 1
set dns-server-override enable
set dns-server-protocol cleartext
set speed auto
set mtu-override disable
set wccp disable
set drop-overlapped-fragment disable
set drop-fragment disable
next
end

 

-----

 

FW01_PRI # diagnose sys cmdb refcnt show system.interface.name lan1
entry used by table firewall.address:name 'lan1 address' (From VDOM: 'root')
entry used by table router.static:seq-num '2' (From VDOM: 'root')

Thanks,
John
Thanks,John
srajeswaran
Staff
Staff

Can you run "show | grep lan1 -f", this will show if lan1 is referenced in any other hierarchy other than "config system interface" and if it is referenced it cannot be configured as dedicated management interface.
Please remove any other reference other than "config system interface" and then try to add it as HA mgmt interface.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

johnlloyd_13

hi,

see below. i was able to remove the static route referencing lan1 since i HTTPS via wan.

i was unable to remove the firewall address. it doesn't allow me to "delete" when i highlight/select the address object.

 

FW01_PRI # show | grep lan1 -f
config system interface
edit "lan1" <---
set vdom "root"
set ip 172.20.82.250 255.255.255.0
set allowaccess ping https ssh http
set type physical
set alias "MGMT"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 7
next
end
config firewall address
edit "lan1 address" <---
set uuid 6f40ea12-b013-51ed-99bc-d2b7e5a1ed0f
set type interface-subnet
set subnet 172.20.82.250 255.255.255.0
set interface "lan1" <---
next
end
config router static
edit 2
set dst 172.20.0.0 255.255.0.0
set device "lan1" <---
next
endfg-object.jpg

Thanks,
John
Thanks,John
funkylicious

If you edit lan1 from GUI you can disable the option Create address object matching subnet for that fw addr.

geek
geek
johnlloyd_13

hi,

i'm unable to disable it. the "create address object matching subnet" toggle is grayed out.

do you think this is the culprit? what's the CLI to remove this address object?

 

fg-object.JPG

Thanks,
John
Thanks,John
funkylicious

You will first have to delete the static route if you havent already done this.

geek
geek
srajeswaran

Looks like the address object may be referenced in some other config. You can try deleting from CLI using below command.

config firewall address
delete "lan1 address"
end

If this is giving error, please check if this is referenced in some other hierarchy.

show | grep "lan1 address" -f

 

 

 

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

johnlloyd_13

hi,

i managed to delete "lan1 address" after i set lan1 role to "undefined". thanks for your help! i need to speed up learning FGT since we're doing a HW refresh on our FW. i think i also need to learn a bit more CLI if i don't fix things via GUI.

 

FW01_PRI # config firewall address

FW01_PRI (address) # delete "lan1 address"

lan1 address can not be deleted because role of lan1 is LAN.

command_cli_delete:6722 delete table entry lan1 address unset oper error ret=-37

Command fail. Return code -37

 

FW01_PRI (address) # delete "lan1 address"

FW01_PRI (address) # end

 

FW01_PRI # config system ha

FW01_PRI (ha) # set ha-mgmt-status enable

FW01_PRI (ha) # config ha-mgmt-interfaces

FW01_PRI (ha-mgmt-interfaces) # edit 1

new entry '1' added

 

FW01_PRI (1) # set interface lan1

FW01_PRI (1) # set gateway 172.20.82.1

FW01_PRI (1) # end

FW01_PRI (ha) # end

FW01_PRI #

 

i also configured the same for secondary with lan1 MGMT IP .251 and i was able to ping/HTTPS immediately. i wasn't able to ping/HTTPS .250 initially and had to clear its ARP on the upstream router. 

i also noticed this when i tried to swap a cisco ASA FW with FGT and then switch back to ASA. had to clear ARP on the WAN/outside. is this always the case for a FGT? or this there a way to quickly age out ARP? i.e. GARP

 

Thanks,
John
Thanks,John
Top Kudoed Authors