Hello, I have a Fortigate 90D that is working pretty well. I'm having a problem configuring a VIP to let an external application access a badge reader in my local LAN via telnet on port 9999; there is an issue (I believe) in the local segment of my network. The telnet (as well as ping) command is working fine from my PC to the badge reader: I can access the device via telnet and interact with the console. The weird thing is that the Fortigate cannot telnet into the badge reader: if I issue "execute telnet x.x.x.x 9999" the connection times out. The FGT can telnet to other machines on the LAN. The problem seems to exist only between the FGT and the badge reader. All the machines (PC, servers) are on the same local subnet: they all go through a single switch that is connected to a LAN port on the FGT. Anyone have some clue?
Is the network connected to the Fortigate directly? Is the correct routing in place? (is basically what I'm asking)
Also, do you have an IP pool set up that includes that single inside IP address? This will also prevent any Fortigate traffic from proceeding to the end host.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
rwpatterson wrote:Is the network connected to the Fortigate directly? Is the correct routing in place? (is basically what I'm asking)
Yes, the Fortigate is connected to a switch; all the devices (including my PC and the badge reader) are connected to the same switch in a single subnet.
rwpatterson wrote: Also, do you have an IP pool set up that includes that single inside IP address? This will also prevent any Fortigate traffic from proceeding to the end host.
No, I don't have any IP pool configured.
I didn't have any problem in the past letting external devices access some resources on my local LAN.
I still can't explain why my PC can telnet to the device and the Fortigate cannot.
If you trace route from the Fortigate, what do you get?
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
This is the traceroute output:
Fortigate # exec traceroute 192.168.168.32
traceroute to 192.168.168.32 (192.168.168.32), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 192.168.168.32 3.464 ms 1.340 ms 0.826 ms
Fortigate # exec traceroute 192.168.168.210
traceroute to 192.168.168.130 (192.168.168.130), 32 hops max, 3 probe packets per hop, 72 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 * * *
 5 * * *
 6 * * *
 7 * * *
.32 is my laptop
.210 is the badge reader
.1 is the Fortigate
Is the subnet mask 255.255.255.0 on both sides? You said it was working before. Did you change FW to FGT from something else? Or any other change happened since then? Sounds like the device doesn't see the FGT in the same subnet. Perhaps something got changed in the device config unless something is funky on the switch port.
I would sniff packets with a laptop hooked up to a mirror port on the switch to see if the device port is getting packets from FGT and if responding. At least you should be able to narrow down which part is the problem; FGT, Switch, or the device.
Have you set the PING options in the FGT?
Gateway # exec ping-options
data-size integer value to specify datagram size in bytes
df-bit set DF bit in IP header <yes | no>
interval integer value to specify seconds between two pings
pattern hex format of pattern, e.g. 00ffaabb
repeat-count integer value to specify how many times to repeat ping
source auto | <source interface ip>
timeout integer value to specify timeout in seconds
tos IP type-of-service option
ttl integer value to specify time-to-live
validate-reply validate reply data <yes | no>
view-settings view the current settings for ping option
Gateway #
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
toshiesumi wrote:Is the subnet mask 255.255.255.0 on both sides? You said it was working before. Did you change FW to FGT from something else? Or any other change happened since then? Sounds like the device doesn't see the FGT in the same subnet. Perhaps something got changed in the device config unless something is funky on the switch port.
Well, I honestly didn't say that :) I said that telnet is working from the Fortigate to my PC, but it doesn't work from the Fortigate to the device. The subnet mask is the same on every device in the network.
toshiesumi wrote: I would sniff packets with a laptop hooked up to a mirror port on the switch to see if the device port is getting packets from FGT and if responding. At least you should be able to narrow down which part is the problem; FGT, Switch, or the device.
I can try, but the thing that I still can't explain is why the Fortigate is able to telnet to several machines except this damn device!
rwpatterson wrote: Have you set the PING options in the FGT?
Nope, I didn't configure those settings.
The only thing that makes sense to me is that the switch port where the device is attached is broken or something.
EDIT: I tried changing the switch port where the device is attached, but I have the exact same results: neither ping nor telnet is working from the Fortigate.
Why do you need to telnet to this device from the Fortigate?
simonw wrote: Why do you need to telnet to this device from the Fortigate?
Telnet/9999 is the way this device uses to communicate with its server. I need to expose port 9999 on our WAN to let the server communicate with the client. Since telnet from the internet isn't working (I'm pretty sure the configuration is correct), I've ended up trying telnet straight from the Fortigate.
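One way to check LAN-side reachability on the FortiGate itself (instead of a mirror port) and, once the device answers, to publish only TCP/9999 to the one server that needs it. This is an added example, not from any poster in this thread; the interface names "internal" and "wan1", the public IP 198.51.100.5 and the server IP 203.0.113.10 are assumed placeholders, and lines starting with # are annotations, not CLI input.

```text
# 1. Capture ARP and TCP/9999 traffic for the badge reader on the LAN port
#    while "execute telnet 192.168.168.210 9999" runs in a second session.
#    SYNs leaving with no ARP reply or no SYN/ACK point at the switch port
#    or the device itself, not at the VIP or policy.
diagnose sniffer packet internal 'host 192.168.168.210 and (arp or port 9999)' 4 20

# 2. Port-forward VIP for the single port only, not 1:1 NAT of the host.
config firewall vip
    edit "vip-badge-reader-9999"
        set extip 198.51.100.5
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.168.210"
        set extport 9999
        set mappedport 9999
    next
end

# 3. Address and service objects, then a policy whose source is only the
#    remote server, so the plaintext telnet service is not reachable from
#    the whole Internet. Logging all traffic gives an audit trail of every
#    connection attempt to the reader.
config firewall address
    edit "badge-server-public"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall service custom
    edit "TCP-9999"
        set tcp-portrange 9999
    next
end
config firewall policy
    edit 0
        set name "wan-to-badge-reader"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "badge-server-public"
        set dstaddr "vip-badge-reader-9999"
        set action accept
        set schedule "always"
        set service "TCP-9999"
        set logtraffic all
    next
end
```

Until the sniffer in step 1 shows the reader answering on the LAN, the VIP and policy in steps 2 and 3 cannot work, which matches what the thread observed.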