sanderl
New Contributor III

Unreliable traffic between segments

I am starting a new topic while this problem is still not resolved and since the other topic about this same issue is not accurate anymore. This topic starts with a clear description of the issue, including an overview of the situation.

This is the old topic (for reference; please do not refer to it anymore to avoid confusion).

The network schematic:

[image: fortiproblem2.jpg]

The issue:

If connected wirelessly to SSID "test99" all is fine. No issues and superfast.

If connected to "ssid" clients experience weird issues.

2 examples:

1. Roblox games do not (never) load, and give an error message.

2. Downloading apps/updates from the Google Play store is terribly slow ... 1%, 2%, 3%...

I deliberately do not (yet) include any config/capture (see also previous topic).

Extra information:

I never had any of these issues, for over ~7 years. It started after upgrading to 7.0.11. And if you read the old topic, 2 things constantly cross: software switch vs hardware switch; that issue is now gone. All is connected to 1 hardware switch and VLANs with bridged SSIDs.

The Netgear is configured to tag VLANs on the uplink and to the FAP. Furthermore there are no (known) issues in the network other than this...

Please help out in finding if this could be a configuration issue or bug. Thank you!

sanderl
New Contributor III

There are only 2 devices at a time starting Roblox. And again, remember it was not only Roblox with issues. See above post.

I find it VERY strange that a DoS policy which is set up for INTERNAL-facing traffic is "responding" on one VLAN and not the other... and no problem on 7.0.10... weird, isn't it?

gfleming

I suggest you read all about DoS policies to try and understand for yourself why it might be hitting on VLAN 10 and not VLAN 99. There are timers, thresholds, etc. all involved. As I already stipulated above, it could be that moving a device to VLAN 99 allowed it to work momentarily before the DoS policy got hit.

Cheers,
Graham
sanderl
New Contributor III

Those DoS policies have been in place for a long time. Why would they trigger on sessions set up from inside out? I can't find or read in your link, other than "traffic arriving", that return traffic is policed by a DoS policy.

It also never triggered up until 7.0.10.

What changed in bug ID 807629?

gfleming

It says right in the first paragraph of that linked doc: "DoS policies are checked before security policies". DoS policies are checking all traffic regardless of FW state or traffic origination.

That bug ID is not applicable to you.

At this point, I've spent hours helping you out. We've identified your issue. You have options now to either disable or tweak the highly restrictive DoS policy (threshold 1 with US geo blocking) or revert back to 7.0.10.

I have also asked you for logs and other info but you haven't shown those to me. So there's not much else in my opinion I can offer you at this point.

Cheers,
Graham
sanderl
New Contributor III

At the moment of testing there are NO devices connected to Roblox... Only 1, connected to 10 or 99.

And once again, Roblox is not the only issue...

2 things clearly stand out:

1. It did not throw any errors in <7.0.10

2. The DoS policies are only configured INbound. IMHO this has nothing to do with outgoing or otherwise policed sessions.

Bottom line, the "strict" GEO DoS policy with a threshold of "1" worked very well to limit all traffic INbound from those GEOs. After all, the same GEO list is used on INbound policies to BLOCK that same traffic (coming from the US etc.)

Thus, I am still surprised that in 7.0.11 it now suddenly looks like my DoS policy also blocks RETURN traffic.

Remember: I BLOCK all that traffic coming from those GEOs (including US) INBOUND. That has nothing to do with OUTBOUND sessions, both policy-wise and DoS-wise...

ʅ₍ッ₎ʃ

gfleming

2 things clearly stand out to me:

1. You have no support on this FortiGate and you are continuously pushing the boundaries of what is expected from a community-based forum for assistance, with little to no appreciation for the work and time people are spending to help you.

2. You refuse to provide useful information that we ask for and continue to complain about things that you have already brought up. So again, without logs and other info requested we can't really do much more to help you.

Bottom line, you still don't understand how DoS policies work despite multiple attempts to get this through to you: DoS policies are applied before security policies. Therefore if you are initiating a connection to a server on the internet, that server's return traffic will be hit by the DoS policy. It has nothing to do with who initiates which side of the connection.

Remember: I already pointed out to you that you do not in fact block all traffic coming from those GEOs including US. You are only blocking inbound traffic from those GEOs to a single VIP.

ʅ₍ッ₎ʃ

Cheers,
Graham
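Graham's point about evaluation order in his two posts above (DoS policy before session state and security policies), as an added toy model that is not from this thread or from FortiOS: the geo table, the addresses, the per-source counter and the threshold semantics are constructed simplifications. With a threshold of 1 on a US source, the server's second reply packet in an interval is dropped even though the LAN client opened the session; a relaxed threshold or a source country outside the list lets the replies through.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed toy geo table using documentation prefixes, not real allocations.
GEO_TABLE = {ip_network("203.0.113.0/24"): "US", ip_network("198.51.100.0/24"): "NL"}

def country_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((c for net, c in GEO_TABLE.items() if addr in net), "??")

class ToyFortiGate:
    """Simplified packet pipeline: the DoS policy on the ingress interface runs
    first, the stateful session table second, security policies last."""

    def __init__(self, dos_threshold: int, dos_geos: list[str]):
        self.dos_threshold = dos_threshold   # packets per interval before the anomaly fires
        self.dos_geos = set(dos_geos)        # source countries the DoS policy matches
        self.sessions = set()                # (client, server) pairs opened from the LAN
        self.pkts_from = defaultdict(int)    # per-source packet counter within one interval

    def lan_to_wan(self, client: str, server: str) -> str:
        # Outbound: the security policy allows it and a session entry is created.
        self.sessions.add((client, server))
        return "allow"

    def wan_to_lan(self, src: str, dst: str) -> str:
        # 1. DoS policy: stateless, evaluated before any session lookup, so it
        #    sees reply packets of LAN-initiated sessions exactly like new ones.
        if country_of(src) in self.dos_geos:
            self.pkts_from[src] += 1
            if self.pkts_from[src] > self.dos_threshold:
                return "dos-block"
        # 2. Session table: reply traffic of an existing session is allowed.
        if (dst, src) in self.sessions:
            return "allow-reply"
        # 3. Security policies: nothing except the (omitted) VIP is allowed inbound.
        return "deny"

def replies_seen(threshold: int, server: str, count: int = 3) -> list[str]:
    """A LAN client opens one session and the server answers `count` times."""
    fw = ToyFortiGate(threshold, ["US"])
    fw.lan_to_wan("10.0.10.5", server)
    return [fw.wan_to_lan(server, "10.0.10.5") for _ in range(count)]

if __name__ == "__main__":
    print(replies_seen(1, "203.0.113.10"))     # US server, threshold 1
    print(replies_seen(1000, "203.0.113.10"))  # same server, relaxed threshold
    print(replies_seen(1, "198.51.100.10"))    # server outside the geo list
```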
sanderl
New Contributor III

Graham, thank you very much for your input and support.

Very much appreciated!

(I am shocked to read about points 1 and 2; very sorry you have that impression.)

Have a nice day.


gfleming
Staff

Does Roblox fail on every device that you try it on when connected to "ssid"?

Also, just for fun, can you swap the VLAN assignment for the SSIDs? Does "ssid" still not work?

Cheers,
Graham
sanderl
New Contributor III

Yes, all devices fail with Roblox (2x phone, 2x tablet) on ssid. Not on test99.

Not sure what you mean with swap. Just change VLAN numbers per SSID? So 10 to test99 and 99 to ssid?

gfleming

Yes exactly. If "ssid" is still broken on VLAN 99 then it's probably something related to the wifi. If it's working on VLAN 99 then it's probably something related to switching/wired stuff.

Cheers,
Graham