VIP Issue
Hi
(edit: 4.0 MR3 on a 200b)
I'm setting up a VIP for an internal server to allow it to serve HTTP traffic. We already have another server doing the same and it's working fine.
I cannot get the new server to work. I've created the same rules, placed them side by side in order beside the working rule, but it will not work.
Once the policy rule for the WAN - WebServer is enabled it even breaks outgoing traffic for the webserver. If I disable the WAN - WebServer policy the outgoing traffic works again. I can get no WAN - WebServer traffic working. We have a range of 4 public IPs, so the one I'm using for the WebServer is dedicated.
I did a show for the config and the rules for the new Webserver and the existing working Webserver are the same (minus the slight IP address differences)
Any ideas where I can look? Some of the config is below:
config firewall vip
    edit "WorkingServer"
        set extip ##.###.##.#2
        set extintf "port12"
        set mappedip ###.##.##.100
    next
    edit "NewServer"
        set extip ##.###.##.#3
        set extintf "port12"
        set mappedip ###.##.##.160
    next
end
config firewall policy
    edit ##
        set srcintf "WAN"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "WorkingServer"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic enable
    next
    edit ##
        set srcintf "WAN"
        set dstintf "LAN"
        set srcaddr "all"
        set dstaddr "NewServer"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic enable
    next
end
Many thanks
gR
15 REPLIES
So, following your argumentation, it is the external IP address that makes the difference between working and not working.
Could you please post the external address, with the first 3 bytes obscured, plus
the netmask?
What is the public IP address of the FGT's WAN port?
What kind of admin access do you have enabled on the WAN port - HTTP, HTTPS, ssh,...?
Ede Kernel panic: Aiee, killing interrupt handler!
Does the "newserver" IP address coincide with the address that all the users are browsing with?
Never mind that question.. cross post.
Perhaps you will need to employ an IP Pool on that server's outgoing traffic policy so that the VIP address on the incoming traffic matches the outgoing traffic IP address...
By the way,
config firewall vip
    edit "WorkingServer"
        set extip ##.###.##.#2
        set extintf "port12"
        set mappedip ###.##.##.100
    next
    edit "NewServer"
        set extip ##.###.##.#3
        set extintf "port12"
        set mappedip ###.##.##.160
    next
end
Those ending digits don't match:
Working Webserver IP - ##.###.###.91/29
New Webserver IP - ##.###.###.92/29
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hi Ede, thanks for the reply.
-The WAN to Webserver never works to the new server.
-For some strange reason, when the new WAN to Webserver Firewall Policy is enabled it breaks the Webserver to WAN traffic; if I disable that rule the Webserver to WAN traffic works again.
-The Webserver to WAN traffic falls under an existing LAN to WAN rule, although I have also tried creating a specific Webserver to WAN rule but it makes no difference.
WAN Settings - ##.###.###.88/29
Fortigate WAN IP - ##.###.###.90/29
Working Webserver IP - ##.###.###.91/29
New Webserver IP - ##.###.###.93/29
HTTPS and SSH admin access on the WAN
Edit - Updated NewServer WAN IP to correct value
Thanks
Gerry
Hi Gerry,
I could be mistaken, but I think your WAN Settings put that address on the subnet boundary, i.e. the subnet address.
Have you tried to put it on x.x.x.89/29 to see what it does?
ABB@ProBiblio Fortigate 200D (slave master)
Close reading, Bob!
BTW: if a VIP is in place, reply traffic from the internal host will automatically be source NATted to the external address. And even traffic originating from the internal server will be source NATted to its external address due to the VIP mapping. A VIP is much more than e.g. an IP pool.
From the address settings, no clue. Double check the address masks in the interface settings. I am assuming you can ping the internal server from the FGT's CLI (when VIP not defined).
If all that won't help we'll have to dig a bit deeper (in the CLI):
diag deb ena
diag sniffer packet any 'icmp and host x.x.x.160' 4 0 a
diag sniffer packet any 'icmp and host y.y.y.92' 4 0 a
(just learned about the 'a' option - current absolute time stamp). Then of course, ping the external WAN IP.
Ede Kernel panic: Aiee, killing interrupt handler!
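The two checks suggested in this thread, ABB's point that the extip may sit on the subnet boundary and Ede's reminder to double check the interface masks, can be run mechanically against a FortiOS config dump before opening a case. The script below is an added example, not code from the thread or from Fortinet: it parses the flat config/edit/set/next/end layout pasted above, then for every firewall vip checks that extip lies inside the subnet of its extintf, is not the network or broadcast address of that /29, and is actually referenced by some policy's dstaddr. The sample config is constructed for the example, with 203.0.113.0/29 (documentation space) and 10.0.0.0/8 standing in for the obscured public /29 and the internal LAN; the NewServer extip is deliberately set to the network address so the check has something to report.

```python
import ipaddress
import shlex

# Constructed sample in the same layout as the config pasted in this thread.
# Addresses are placeholders: 203.0.113.88/29 stands in for the obscured
# public /29 and 10.0.0.0/8 for the internal LAN. NewServer's extip is set to
# the network address (.88) on purpose, the case ABB raised above.
SAMPLE_CONFIG = """
config system interface
    edit "port12"
        set ip 203.0.113.90 255.255.255.248
    next
end
config firewall vip
    edit "WorkingServer"
        set extip 203.0.113.91
        set extintf "port12"
        set mappedip 10.0.0.100
    next
    edit "NewServer"
        set extip 203.0.113.88
        set extintf "port12"
        set mappedip 10.0.0.160
    next
end
config firewall policy
    edit 10
        set srcintf "port12"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "WorkingServer"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
end
"""


def parse_fortios(text):
    """Parse a flat FortiOS CLI dump into {section: {entry: {key: [values]}}}.

    Only the config/edit/set/next/end keywords seen in the thread are handled;
    nested 'config' blocks inside an entry are not modelled (assumption: not
    needed for the interface, vip and policy tables checked here).
    """
    tree = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)          # honours the "quoted name" syntax
        cmd, args = tokens[0], [a.strip() for a in tokens[1:]]
        if cmd == "config":
            section = " ".join(args)        # e.g. "firewall vip"
            tree.setdefault(section, {})
        elif cmd == "edit" and section is not None:
            entry = args[0]                 # VIP name or policy id
            tree[section].setdefault(entry, {})
        elif cmd == "set" and entry is not None:
            tree[section][entry][args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section = entry = None
    return tree


def check_vips(tree):
    """Return (vip_name, problem) pairs for VIPs whose extip cannot work."""
    findings = []
    interfaces = tree.get("system interface", {})
    policies = tree.get("firewall policy", {})
    referenced = {a for p in policies.values() for a in p.get("dstaddr", [])}
    for name, vip in tree.get("firewall vip", {}).items():
        # extip may be a range "a.b.c.d-a.b.c.e"; the first address suffices here
        extip = ipaddress.ip_address(vip["extip"][0].split("-")[0])
        intf = vip.get("extintf", [""])[0]
        ipcfg = interfaces.get(intf, {}).get("ip")
        if not ipcfg or len(ipcfg) != 2:
            findings.append((name, f"extintf {intf!r} has no usable 'set ip' line"))
            continue
        wan_ip, wan_mask = ipcfg
        net = ipaddress.ip_network(f"{wan_ip}/{wan_mask}", strict=False)
        if extip not in net:
            findings.append((name, f"extip {extip} is outside {net} on {intf}"))
        elif extip == net.network_address:
            findings.append((name, f"extip {extip} is the network address of {net}"))
        elif extip == net.broadcast_address:
            findings.append((name, f"extip {extip} is the broadcast address of {net}"))
        if name not in referenced:
            findings.append((name, "no firewall policy uses this VIP as dstaddr"))
    return findings


if __name__ == "__main__":
    for vip, problem in check_vips(parse_fortios(SAMPLE_CONFIG)):
        print(f"{vip}: {problem}")
```

Feed it the output of a full `show` instead of the sample and it reports only the VIPs that cannot possibly answer on the wire; a VIP that passes every check and still does not respond points upstream (ISP routing, as Bob suggests later) rather than at the FortiGate config.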
ORIGINAL: ede_pfau
BTW: if a VIP is in place reply traffic from the internal host will automatically be source NATted to the external address. And even traffic originating from the internal server will be source NATted to its external address due to the VIP mapping. A VIP is much more than e.g. an IP pool.
I thought so as well, but I figured overkill couldn't hurt. At least for a test...
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hi
I can ping the Newserver's internal, external and FQDN from a Fortigate SSH session and it replies.
When I enabled logging and tried pinging the Newserver WAN IP from an external source, nothing was logged.
Just for some historic info, we had a different server and service open to the internet in the past using this WAN IP. That was months ago though and all related entries for that were removed.
Thanks for the help, not sure where to go from here!
gR
Are you sure that your ISP is still pointing that traffic your way? I know you're paying for it, but I would contact them to verify.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Fairly sure. A long time ago, when I was setting up a VIP, I was trying to use ##.###.###.92 and I could not for the life of me get it working; I had the same issues I'm having now.
That time I contacted the ISP and they ran their tests and told me it was all set up fine at their end, and when I set a laptop with that IP and connected it direct to the line it worked. For some reason that time I tried the next number, ##.###.###.93, and it just worked.
This is the number I'm trying to use now; we decommissioned the previous server mentioned above some time ago.
Thanks for the suggestion
gR
PS- I've opened a case with Fortinet so will see what they come back with.
