Hello, i have a Fortigate 90D that is working pretty well. I'm having a problem in configuring a VIP to let an external application access a badge reader in my local LAN via telnet on port 9999, there is an issue (I believe) in the local segment of my network. Telnet (as well as ping) command is working fine from my PC to the badge reader: i can access the device via telnet and interact with the console. The weird thing is that the Fortigate cannot telnet into the badge reader: if I issue "execute telnet x.x.x.x 9999" the connection goes in timeout. FGT can telnet to other machines on the LAN. The problem seems to exist only between the FGT and the badge reader. All the machines (PC, servers) are on the same local subnet: they all go through a single switch that is connected to a Lan port on FGT. Anyone have some clue?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Again use the cmd cli "get router infor routing all" inspect the route table. Sound like the fortigate does NOT know how to reach the host.
Ken
PCNSE
NSE
StrongSwan
The host is directly connected through one of the FGT' switchport, it sound very strange to me that he's unable to reach it. By the way, this is my routing table:
Fortigate # get router info routing all
S* 0.0.0.0/0 [10/0] via x.x.x.x, wan1
C x.x.x.x/29 is directly connected, wan1
C 192.168.168.0/24 is directly connected, internal
Considering the Fgt is on the same 192.168.168.x subnet as the telnet device, there shouldn't be any reason for it to even use a vip/wf "WAN to Internal" policy to connect to it. Maybe you need to check/or set the source interface in PING options.
Edit: Can the fgt even ping any other device on the 192.168.168.x subnet?
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I would one more step
1: validate that the diag ip arp list shows the apr entry for .210
2: rule out any local.host.firewall on the target
3: check the routing on that host ( most likely this is not an area of concern )
Do this
open 2 ssh session to FGT
In window1 cli diag sniffer packet internal "dst host 192.168.168.210 and port 9999"
In window2 execute telnet 192.168.168.210 9999
Do you see a SYN and a SYN/ACK? If yes on the former and no on the latter , you have a issues with the host.
PCNSE
NSE
StrongSwan
maybe i've found something... In the local traffic log it appears that every telnet that i've issued from the Fortigate to the device have the wan IP as source address. I tried telnet from FGT to other devices in the LAN and all of them have the FGT local address as source. What this could indicate?
The outgoing interface is going to be selected in the telent not the vip not the address use on the lan if the traffic is not eggressing that interface. Bob is on the right track with you need to validate the packet reaxch using theping options and setting the source. Again when would the fortigate telnet to the remote device?
btw, I don't think you can select the source_addr on telnet/ssh originating from the fgt
PCNSE
NSE
StrongSwan
Hello,
well, going thru your case, i can see you are unable to telnet to that particular machine.. to end this confusion, kindly do the following:
- execute the following command to test reliability from FGT to your device:
# execute ping-options source "Your FGT LAN IP" [though source option wont be important since your device in same network]
# execute ping "Your device"
if there is reply. do the next step..
- execute the following debug flow commands on FGT:
#diagnose debug reset
#diagnose debug flow show console enable #diagnose debug flow show function-name enable #diagnose debug flow show iprope enable #diagnose debug flow filter dport 9999 #diagnose debug flow trace start 20 #diagnose debug enable
- once above commands entered, try to telnet your device using 9999 from outside and share the outputs..
don't forget to disable and reset debug using below: #diagnose debug disable #diagnose debug reset
NSE4, NSE5 & NSE7
I changed cabling connection: now the device is attached straight to one of the FGT' switchport. I've also changhed ping-options as you suggested but nothing changed: I can telnet to the device from one of the LAN' client but telnet still doesnìt work from FGT.
This is the debug flow output:
Fortigate # diag debug reset
Fortigate # diag debug flow show function-name en
show function name
Fortigate # diag debug flow show iprope en
show trace messages about iprope
Fortigate # diag debug flow filter dport 9999
Fortigate # diag debug flow trace start 1000
Fortigate # diag debug en
Fortigate #
id=20085 trace_id=46 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag, seq 2465178324, ack 0, win 64240"
id=20085 trace_id=46 func=init_ip_session_common line=5390 msg="allocate a new session-00d5abef"
id=20085 trace_id=46 func=iprope_dnat_check line=4775 msg="in-[internal], out-[]"
id=20085 trace_id=46 func=iprope_dnat_tree_check line=835 msg="len=1"
id=20085 trace_id=46 func=__iprope_check_one_dnat_policy line=4650 msg="checking gnum-100000 policy-12"
id=20085 trace_id=46 func=get_new_addr line=2936 msg="find DNAT: IP-192.168.168.210, port-9999"
id=20085 trace_id=46 func=__iprope_check_one_dnat_policy line=4732 msg="matched policy-12, act=accept, vip=12, flag=100, sflag=800000"
id=20085 trace_id=46 func=iprope_dnat_check line=4788 msg="result: skb_flags-00800000, vid-12, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=46 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=46 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=3"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
id=20085 trace_id=46 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=46 func=__iprope_check line=1987 msg="gnum-4e23, check-f8af06c8"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-9, ret-no-match, act-accept"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-7, ret-matched, act-accept"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1958 msg="policy-7 is matched, act-accept"
id=20085 trace_id=46 func=__iprope_check line=2006 msg="gnum-4e23 check result: ret-matched, act-accept, flag-00202000, flag2-00000000"
id=20085 trace_id=46 func=get_new_addr line=2936 msg="find SNAT: IP-x.x.x.x(from IPPOOL), port-5163"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1958 msg="policy-8 is matched, act-accept"
id=20085 trace_id=46 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-8"
id=20085 trace_id=46 func=fw_pre_route_handler line=182 msg="VIP-192.168.168.210:9999, outdev-unkown"
id=20085 trace_id=46 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
id=20085 trace_id=46 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
id=20085 trace_id=46 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=46 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-19, ret-no-match, act-accept"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=46 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1958 msg="policy-0 is matched, act-drop"
id=20085 trace_id=46 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=46 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=47 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag, seq 2465178324, ack 0, win 64240"
id=20085 trace_id=47 func=init_ip_session_common line=5390 msg="allocate a new session-00d5ac17"
id=20085 trace_id=47 func=iprope_dnat_check line=4775 msg="in-[internal], out-[]"
id=20085 trace_id=47 func=iprope_dnat_tree_check line=835 msg="len=1"
id=20085 trace_id=47 func=__iprope_check_one_dnat_policy line=4650 msg="checking gnum-100000 policy-12"
id=20085 trace_id=47 func=get_new_addr line=2936 msg="find DNAT: IP-192.168.168.210, port-9999"
id=20085 trace_id=47 func=__iprope_check_one_dnat_policy line=4732 msg="matched policy-12, act=accept, vip=12, flag=100, sflag=800000"
id=20085 trace_id=47 func=iprope_dnat_check line=4788 msg="result: skb_flags-00800000, vid-12, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=47 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=47 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=3"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
id=20085 trace_id=47 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=47 func=__iprope_check line=1987 msg="gnum-4e23, check-f8af06c8"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-9, ret-no-match, act-accept"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-7, ret-matched, act-accept"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1958 msg="policy-7 is matched, act-accept"
id=20085 trace_id=47 func=__iprope_check line=2006 msg="gnum-4e23 check result: ret-matched, act-accept, flag-00202000, flag2-00000000"
id=20085 trace_id=47 func=get_new_addr line=2936 msg="find SNAT: IP-x.x.x.x(from IPPOOL), port-5163"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1958 msg="policy-8 is matched, act-accept"
id=20085 trace_id=47 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-8"
id=20085 trace_id=47 func=fw_pre_route_handler line=182 msg="VIP-192.168.168.210:9999, outdev-unkown"
id=20085 trace_id=47 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
id=20085 trace_id=47 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
id=20085 trace_id=47 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=47 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-19, ret-no-match, act-accept"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=47 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1958 msg="policy-0 is matched, act-drop"
id=20085 trace_id=47 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=47 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=48 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag, seq 2465178324, ack 0, win 64240"
id=20085 trace_id=48 func=init_ip_session_common line=5390 msg="allocate a new session-00d5ac64"
id=20085 trace_id=48 func=iprope_dnat_check line=4775 msg="in-[internal], out-[]"
id=20085 trace_id=48 func=iprope_dnat_tree_check line=835 msg="len=1"
id=20085 trace_id=48 func=__iprope_check_one_dnat_policy line=4650 msg="checking gnum-100000 policy-12"
id=20085 trace_id=48 func=get_new_addr line=2936 msg="find DNAT: IP-192.168.168.210, port-9999"
id=20085 trace_id=48 func=__iprope_check_one_dnat_policy line=4732 msg="matched policy-12, act=accept, vip=12, flag=100, sflag=800000"
id=20085 trace_id=48 func=iprope_dnat_check line=4788 msg="result: skb_flags-00800000, vid-12, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=48 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=48 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=3"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
id=20085 trace_id=48 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=48 func=__iprope_check line=1987 msg="gnum-4e23, check-f8af06c8"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-9, ret-no-match, act-accept"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-7, ret-matched, act-accept"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1958 msg="policy-7 is matched, act-accept"
id=20085 trace_id=48 func=__iprope_check line=2006 msg="gnum-4e23 check result: ret-matched, act-accept, flag-00202000, flag2-00000000"
id=20085 trace_id=48 func=get_new_addr line=2936 msg="find SNAT: IP-x.x.x.x(from IPPOOL), port-5163"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1958 msg="policy-8 is matched, act-accept"
id=20085 trace_id=48 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-8"
id=20085 trace_id=48 func=fw_pre_route_handler line=182 msg="VIP-192.168.168.210:9999, outdev-unkown"
id=20085 trace_id=48 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
id=20085 trace_id=48 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
id=20085 trace_id=48 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=48 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-19, ret-no-match, act-accept"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=48 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1958 msg="policy-0 is matched, act-drop"
id=20085 trace_id=48 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=48 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
Thanks in advance.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.