Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: VIP doesn't work with my Second ISP WAN Link
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VIP doesn't work with my Second ISP WAN Link
Hello everybody,
I have been struggling to get this done for about three days with no result,
i have Fortigate 501E, Firmware v5.6.0.
i have 2 ISP connections each one with different public IP ranges, ISP A with public subnet X.X.X.X/X is connected directly from fortigate port 1 to the ISP MPLS, the fortigate interface port 1 configuration is straight through, physical interface with static IP address X.X.X.2/X and its role is WAN. for this interface everything is working fine and virtual IPs from the same subnet (X.X.X.X/X) are reachable via this interface.
my second WAN link Y.Y.Y.Y/Y is somehow complicated, FortiGate is connected to an Outside Switch, the fortigate interface port 8 which is connected to the outside switch has two VLAN interfaces configured under port 8, the physical port doesn't have any configuration nor IP Address, the two vlan interfaces configuration is listed bellow:
edit "Main Link"
set vdom "root"
set ip 10.100.100.2 255.255.255.248
set allowaccess ping
set role wan
set snmp-index 29
set interface "port8"
set vlanid 1000
next
edit "Backup Link"
set vdom "root"
set ip 10.100.200.2 255.255.255.248
set allowaccess ping
set role wan
set snmp-index 30
set interface "port8"
set vlanid 1001
next
the Outside switch interface (connected to FortiGate) is configured as trunk with both vlan 1000,1001 allowed.
Also the switch has two interfaces each is connected to a different MPLS ( both MPLSs are owned by the same ISP) one interface is access vlan 1000 with the opposite interface on the MPLS has an IP Address of 10.100.100.1, and the other interface is access vlan 1001 with MPLS interface 10.100.200.1. those links are for the same IP Range and the same WAN Link ( active/ standby) with SLA configured from ISP side on both of the links and a link monitor from fortigate side.
im planning to use the second link Y.Y.Y.Y/Y to publish a number of web servers.
i created a virtual IP with configuration as bellow
config firewall vip
edit "Mahmoud-TEST"
set id 0
set uuid 34e526f8-77ff-51e9-4207-cda8d9aafcdf
set comment ''
set type static-nat
set extip Y.Y.Y.187
set extintf "Main Link"
set arp-reply enable
set nat-source-vip disable
set portforward disable
set gratuitous-arp-interval 0
set color 0
set mappedip "172.16.16.69"
next
the server is reachable from the FG , and can reach the FG, the WAN link works fine as i tried to browse the internet from the server using the link ( created a policy and NATed with dynamic pool from the same public subnet Y.Y.Y.Y/Y ) and everything works fine.
i also created a policy to access the server from the wan ( later i allowed All sources with All services ) but still can't reach it, i did a sniffing on the Main Link interface and find out that the packets arrives The fortigate interface but it didn't route any of them, also the PING doesn't show on the traffic log.
i tried to publish the server using the First link X.X.X.X/X and everything works fine.
Please Advise.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Technically you have three wan links to choose from to go outside (internet, I'm assuming). What kind of default route(s) do you have in the FGT? If the outside sources are on the internet you need to have a default route toward the interface to send returning packets back to the source. If don't, and if you run "debug flow", you would the common error [size="2"]"iprope_in_check() check failed, drop"[/size] as described in below because the returning route is pointing to another interface, which would cause asymmetric routing.
https://kb.fortinet.com/kb/viewContent.do?externalId=FD31702
You need to choose from either complete equal distance (load share) or equal distance but different priorities to set all default routes.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
well, my default route will point to the first link (x.x.x.x) which is 0.0.0.0/0 => X.X.X.1/X.
After running debug flow, i found that the error was "reverse path check failed, drop". after alot of digging and reading KB articles i found out that Fortigate only checks for the reverse path in the directly connected networks, static routes and dynamic routes (BGP,OSPF, etc.). and in my case the reverse path for the packets are known via policy route. so from the Reverse path check point of view, this will cause asymmetric routing which is disabled by default.
My question now is, is it fine from a security point of view to enable asymmetric routing ? because i just read that it has smth to do with IP spoofing and other security consedrations ?
A note here, im not using asymmetric routing, because the policy route i added will make sure that the packets will leave from the same interface it arrived from.
and how can the packets bypass the path check if the reverse path is known via a policy route, not a static route ?
Thanks again,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could eanble asym routing by "set asymroute enable" if you want to use your FGT as just a router. You would lose most of firewall features. I don't recommend it. You need to question yourself "Why did I get a firewall instead of a router???"
As in the last part of my comment above, instead you just need to have multiple default routes, in your case, with different priorities. That's all you need. Below is my home FG50E static default routes, the main one to a vlan from my ISP (C-Link) and another for a 4G Modem/router, which I use as a backup.
config router static
edit 8 set device "ClinkVl201" set dynamic-gateway enable <-- because pppoe next edit 9 set priority 10 <--- by default the priority is 0 (highest), so set this higher than C-link set device "wan2" set dynamic-gateway enable <-- because DHCP next end
As the result, both show up in routing table "get router info routing-t all":
S* 0.0.0.0/0 [10/0] via 63.231.10.69, ppp1 [10/0] via 100.107.137.57, wan2, [10/0] So the key is the last "10/0". "10" is the priority I set above. So all traffic/session initiated inside of this 50E always use "ppp1" interface toward C-link, of which default route has priority 0. But if any traffic from ouside comes to 100.107.137.57, like pinging from outide, the returning traffic, like ping reply, goes out of wan2 because the route is in the table. If I set VPN or VIP on wan2, it should work in the same way without making asym routing.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well,
I created a second static route as follows
config router static edit 15 set status enable set dst 0.0.0.0 0.0.0.0 set gateway 10.100.100.1 set distance 20 set weight 0 set priority 0 set device "Main Link" set comment '' set blackhole disable set dynamic-gateway disable set virtual-wan-link disable set dstaddr '' unset internet-service set internet-service-custom '' set link-monitor-exempt disable next end
but, it doesn't show in the routing table as yours does,
get router info routing-table all
S* 0.0.0.0/0 [10/0] via X.X.X.1, port1
there is no second entry as your case
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Look at my config and compare it with yours. I never set "distance" but "priority". The priority is the one to make the secondary, tertiary route show up as well as the primary because the distance for those routes are the same.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, you really saved my day now with the three default routes with different priorities and same distance , everything works fine and i can sleep well
Thank you sir.
But im little bit disappointed because reverse path check never looks in the policy routes to determine the reverse path,,,
But my issue now has been resolved
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To make a policy route work, there needs to be a proper route for the traffic through the interface. You never had route before through that interface that's why it failed. It's by design, not a problem.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I probably misstated. Once a session has been established, I believe it would try sending returning packets back to the interface the original packet came in regardless what kind of policy route has been set. But there was no route then it dropped before a session is established. Simply needed a route to send returning packets to.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,746 -
FortiClient
1,775 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
476 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
321 -
6.2
251 -
SSL-VPN
249 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
207 -
5.0
196 -
FortiNAC
191 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
106 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
Fortivoice
54 -
FortiADC
54 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
FortiSoar
15 -
OSPF
15 -
System settings
15 -
FortiGate v5.0
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1733 | |
| 1106 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.