This is a new implementation. We have a fiber 10G handoff rate limited to 1G, which we have connected to a 10G port on a Cisco switch, which is then connected to the Fortinet device. The attached image will give you a better idea of the setup and IP addressing. I have a default route set up as 0.0.0.0 0.0.0.0 50.232.x.129 with a GW of 50.206.x.54. My policies are from the inside out to allow all except P2P traffic.
Any advice would be greatly appreciated.
kvoegele wrote: I have a default route set up as 0.0.0.0 0.0.0.0 50.232.x.129 with a GW of 50.206.x.54.
I'm not completely understanding the above, but if the switch is a routing device, you should have 0.0.0.0 0.0.0.0 50.232.x.129 (next hop); otherwise it should be 0.0.0.0 0.0.0.0 50.206.x.54.
I should try with the .129 and perform a traceroute to verify the path. Please also keep in mind to configure your policies correctly (internal -> WAN with NAT).
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
Sorry, yes, the switch is routing and I have .129 as my next hop in the default route on the Fortinet. I know I can ping the GW .129 from the Fortinet; however, I am unable to get to the next subnet GW at 50.206.x.54.
Here are some logs and tables I have collected:
MPP-FW-DC # get router info routing-table details 9
Routing entry for 50.232.x.128/28
  Known via "connected", distance 0, metric 0, best
  * is directly connected, port10

MPP-FW-DC # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - P
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA exter2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia
       * - candidate default

S*      0.0.0.0/0 [10/0] via 50.232.x.129, port10
C       50.232.x.128/28 is directly connected, port10
C       172.x.x.0/19 is directly connected, port9

MPP-FW-DC # get sys arp
Address           Age(min)   Hardware Addr      Interface

MPP-FW-DC # diagnose sniffer packet port10
interfaces=[port10]
filters=[none]
2.848755 stp 802.1d, config, flags [none], bridge-id 8001.d1
4.853459 stp 802.1d, config, flags [none], bridge-id 8001.d1
6.862392 stp 802.1d, config, flags [none], bridge-id 8001.d1
8.863121 stp 802.1d, config, flags [none], bridge-id 8001.d1
9.684686 loopback
10.867816 stp 802.1d, config, flags [none], bridge-id 8001.1
12.872611 stp 802.1d, config, flags [none], bridge-id 8001.1
14.877301 stp 802.1d, config, flags [none], bridge-id 8001.1
16.885904 stp 802.1d, config, flags [none], bridge-id 8001.1
17.681396 83.110.81.163 -> 50.232.x.139: icmp: 83.110.81.1e
18.886895 stp 802.1d, config, flags [none], bridge-id 8001.1
19.678918 llc unnumbered, ui, flags [command], length 46
19.679043 llc unnumbered, ui, flags [command], length 76
19.696273 loopback
20.891646 stp 802.1d, config, flags [none], bridge-id 8001.1
22.896417 stp 802.1d, config, flags [none], bridge-id 8001.1
24.904969 stp 802.1d, config, flags [none], bridge-id 8001.1
26.906041 stp 802.1d, config, flags [none], bridge-id 8001.1
28.910783 stp 802.1d, config, flags [none], bridge-id 8001.1
29.694664 loopback
30.915481 stp 802.1d, config, flags [none], bridge-id 8001.1
32.920250 stp 802.1d, config, flags [none], bridge-id 8001.1
33.251406 167.114.173.202.37199 -> 50.232.x.134.53: udp 45
34.840032 213.33.228.98.80 -> 50.232.x.130.30904: rst 0 ac
34.929958 stp 802.1d, config, flags [none], bridge-id 8001.1
36.929795 stp 802.1d, config, flags [none], bridge-id 8001.1
37.523326 112.197.3.81 -> 50.232.x.137: icmp: time exceedet
38.934537 stp 802.1d, config, flags [none], bridge-id 8001.1
39.700225 loopback
40.939351 stp 802.1d, config, flags [none], bridge-id 8001.1
42.943739 stp 802.1d, config, flags [none], bridge-id 8001.1
44.952997 stp 802.1d, config, flags [none], bridge-id 8001.1
46.953263 stp 802.1d, config, flags [none], bridge-id 8001.1

33 packets received by filter
0 packets dropped by kernel
Seems OK at the moment.
Have you run a diag sniff with filter 'icmp' while pinging the WAN interface of the switch? You should see those pass from internal to external at least. If you don't see the ping request exiting, you could use diag debug flow to investigate further to check if routing and policy are correct.
Do you have access to the switch configuration to verify its configuration?
Johan Witters
Network & Security Engineer
FCNSP V4/V5
BKM NV
All good tips, and I would add: check for the ARP entry. If you haven't resolved the L3 ARP mapping of the gateway, then you will not ping.
Also, can you bypass the switch temporarily to check your cabling and ports?
PCNSE
NSE
StrongSwan
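The two checks suggested in this thread (is the default route's next hop resolved in ARP, and do ICMP echo requests actually leave the WAN port) can be automated against saved CLI output. The script below is an added example, not code from the thread or from Fortinet. It parses constructed sample output laid out like `get router info routing-table all`, `get sys arp` and `diagnose sniffer packet port10 'icmp'`, using RFC 5737 documentation addresses in place of the masked addresses in the thread; the function names and the decision rules in `diagnose()` are the example's own.

```python
"""Validate a FortiGate default-route next hop from saved CLI output.

Steps mirrored from the thread:
  1. find the static default route and its egress interface,
  2. confirm the next hop has an ARP entry on that interface
     (an empty ARP table is exactly the symptom the thread ended with),
  3. confirm ICMP echo requests toward the gateway are seen on the egress
     port, and whether replies come back.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample output (documentation addresses, 203.0.113.0/24 and
# 172.16.0.0/19); it only imitates the layout of the real commands.
ROUTING_TABLE = """\
S*      0.0.0.0/0 [10/0] via 203.0.113.129, port10
C       203.0.113.128/28 is directly connected, port10
C       172.16.0.0/19 is directly connected, port9
"""

# Header only: the situation from the thread, no gateway MAC learned.
ARP_TABLE_EMPTY = """\
Address           Age(min)   Hardware Addr      Interface
"""

ARP_TABLE_OK = """\
Address           Age(min)   Hardware Addr      Interface
203.0.113.129     0          00:11:22:33:44:55  port10
172.16.0.10       3          00:11:22:33:44:66  port9
"""

# Constructed verbosity-1 style sniffer lines while pinging the gateway.
SNIFFER_ICMP = """\
1.001000 203.0.113.130 -> 203.0.113.129: icmp: echo request
2.002000 203.0.113.130 -> 203.0.113.129: icmp: echo request
2.003000 203.0.113.129 -> 203.0.113.130: icmp: echo reply
"""

DEFAULT_ROUTE_RE = re.compile(
    r"^S\*\s+0\.0\.0\.0/0\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)", re.M)
ARP_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+\d+\s+([0-9a-f:]{17})\s+(\S+)", re.M | re.I)
ICMP_RE = re.compile(
    r"^\S+\s+(\S+)\s+->\s+(\S+):\s+icmp:\s+echo (request|reply)", re.M)


@dataclass
class NextHop:
    gateway: str
    interface: str


def parse_default_route(text: str) -> Optional[NextHop]:
    """Return the static default route's next hop and egress interface."""
    m = DEFAULT_ROUTE_RE.search(text)
    return NextHop(m.group(1), m.group(2)) if m else None


def parse_arp(text: str) -> Dict[Tuple[str, str], str]:
    """Map (ip, interface) -> MAC for every resolved entry."""
    return {(ip, iface): mac.lower() for ip, mac, iface in ARP_RE.findall(text)}


def next_hop_resolved(route_text: str, arp_text: str) -> Optional[bool]:
    """True if the next hop has a MAC on the route's interface; None if no default route."""
    nh = parse_default_route(route_text)
    if nh is None:
        return None
    return (nh.gateway, nh.interface) in parse_arp(arp_text)


def icmp_summary(sniffer_text: str, gateway: str) -> Tuple[int, int]:
    """Count echo requests sent to the gateway and echo replies received from it."""
    requests = replies = 0
    for src, dst, kind in ICMP_RE.findall(sniffer_text):
        if kind == "request" and dst == gateway:
            requests += 1
        elif kind == "reply" and src == gateway:
            replies += 1
    return requests, replies


def diagnose(route_text: str, arp_text: str, sniffer_text: str) -> str:
    """Apply the thread's checks in order and name the first failing layer."""
    nh = parse_default_route(route_text)
    if nh is None:
        return "no default route"
    if not next_hop_resolved(route_text, arp_text):
        return (f"next hop {nh.gateway} has no ARP entry on {nh.interface}: "
                "check layer 2 (cabling, switch port, VLAN) and the firewall config")
    req, rep = icmp_summary(sniffer_text, nh.gateway)
    if req == 0:
        return "no echo requests on egress: check routing and policy with diag debug flow"
    if rep == 0:
        return "requests leave but no replies: look at the upstream device"
    return "gateway reachable"


if __name__ == "__main__":
    print(diagnose(ROUTING_TABLE, ARP_TABLE_EMPTY, SNIFFER_ICMP))
    print(diagnose(ROUTING_TABLE, ARP_TABLE_OK, SNIFFER_ICMP))
```

Paste real command output into the three strings (or read it from files) and run the script; the first message it returns is the layer to look at. Note that the check is keyed on both the gateway IP and the interface named in the route, so a gateway that was learned on the wrong port is reported as unresolved rather than hidden by a stray entry.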
Thanks for the help, guys!
There was nothing in the ARP table, which is obviously an issue. We ended up resetting back to the factory defaults and it worked. It appears to have been a bad config file.
Thanks again!
Copyright 2024 Fortinet, Inc. All Rights Reserved.