Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: VLAN subinterfaces not communicating
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VLAN subinterfaces not communicating
Howdy, I am currently running an EOL Fotrigate 100A (3.00 559). I am trying to move to a newer Fortigate 60D (5.0 something) no wireless.
I have created several vlan sub-interfaces under the INTERNAL interface. All the vlans are coming from the same switch then to the FGT for routing internally and if appropriate to the Internet. This worked fine on FGT100A not so much on the FGT60D. There are some physical differences between the FGT100A and the FGT60D but it doesn' t seem they are so different that what was done on the FGT100A shouldn' t work on the FGT60D.
Using vlans 101, 102 103, 104 (there are more but I am trying to keep this brief). All vlans are on separate ports on the switch and the FGT unit. When all are connected, only the lowest numbered vlan, 101, can talk to the FGT60D. On vlan 101 I can ping the gateway address on the FGT and I can ping the other gateways on the FGT. None of the other vlans can get a response from the FGT even from thier respective gateway.
If I disconnect vlan 101 then vlan 102 will start working, If 101 and 102 are disconnected then vlan 103 will start communicating.
There is another vlan (150) that is a sub-interface of the DMZ port. the 150 vlan is coming from the same switch as the other vlans under the INTERNAL interface. The 150 vlan talks to the FGT regardless of the connect state of the INTERNAL vlan sub-interfaces. However no traffic passes through from the 150 vlan to any of the INTERNAL vlan sub-interfaces (at least which ever one is working at the time) or vice-versa.
If the vlans are under different physical interfaces they can concurrently communicate to the FGT60D but traffic will not pass from one to the other ( yes, the firewall policies do exist that should allow the traffic to pass).
If the vlans are under the same physical interface, only 1 vlan can communicate to the FGT60D.
This same setup works fine using the EOL FGT100A. What am I missing? What has changed that this setup does work on the FGT60D?
FWIW the switch is an old Dell 5324. Although it is the FGT unit that is being changed out, I understand it may require changes to the switch rather than to the FGT unit.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Qs:
What mode is your 60D ports 1-7 in ( hub/switch/internals ) ?
Copy of the vlan sub-interface cfg ?
what mode of operation are we talking about ( nat or transparent )?
All vlans are on separate ports on the switch and the FGT unit.If your trying to do this as a switched interface, than I would expect problems like what your describing.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What mode is your 60D ports 1-7 in ( hub/switch/internals ) ?not sure - how would I determine what mode it is in? my guess would be it is in whatever the default mode would be. comparing system global setting of the FGT100A to the FGT60D neither shows an explicit mode setting. (the FGT100A does have cc-mode disable)
what mode of operation are we talking about ( nat or transparent )?It should be nat but again how would I know for sure what mode it is in? OK further checking shows it is in NAT mode
Copy of the vlan sub-interface cfg ?config system interface edit " dmz" set vdom " root" set ip 192.168.149.1 255.255.255.0 set allowaccess ping set type physical set snmp-index 4 next edit " internal" set vdom " root" set ip 10.0.0.1 255.255.255.0 set allowaccess ping https ssh http fgfm capwap set type physical set snmp-index 1 set secondary-IP enable config secondaryip edit 1 set ip 192.168.184.98 255.255.255.0 set allowaccess ping https next end next edit " 150 Spinnaker" set vdom " root" set ip 192.168.150.5 255.255.255.0 set allowaccess ping set snmp-index 7 set interface " dmz" set vlanid 150 next edit " 10Dot1" set vdom " root" set ip 10.0.1.1 255.255.255.0 set allowaccess ping https set description " Admin Subnet" set snmp-index 18 set interface " internal" set vlanid 101 next edit " 10DOT2" set vdom " root" set ip 10.0.2.1 255.255.255.0 set allowaccess ping https set description " OPS Subnet" set snmp-index 9 set interface " internal" set vlanid 102 next edit " 103 Wireless" set vdom " root" set ip 10.0.3.1 255.255.255.0 set allowaccess ping https set snmp-index 10 set interface " internal" set vlanid 103 next edit " 10Dot4" set vdom " root" set ip 10.0.4.1 255.255.255.0 set allowaccess ping https set description " 10DOT4 Security Camera Subnet" set snmp-index 11 set interface " internal" set vlanid 104 next edit " 147" set vdom " root" set ip 192.168.147.1 255.255.255.0 set allowaccess ping set snmp-index 12 set interface " internal" set vlanid 147 next edit " 1481" set vdom " root" set ip 192.168.148.17 255.255.255.240 set allowaccess ping set snmp-index 13 set interface " internal" set vlanid 1481 next edit " 1482" set vdom " root" set ip 192.168.148.65 255.255.255.224 set allowaccess ping set snmp-index 14 set interface " internal" set vlanid 1482
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you emnoc,
OK, your suspicions are correct, it is in switched mode.
It is also in NAT mode.
Would the old FGT100a have been in Interface mode by default? I don' t see anyway to change the mode on the FGT100A and when I made the configurations it just worked.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So the 60D is using a " switch" interface ?
You can confirm via;
diag hardware deviceinfo nic switch
I personally would convert the FGT to a non-switch mode; and use one of the 1st ports for the tagged uplink to the HP
e.g
config sys global
set internal-switch-mode internal
end
next, on the HP switch do you have the vlanid set for the vlans ?
vlan 150
tag 1
vlan 101
tag 1
vlan 102
tag 1
vlan 103
tag 1
vlan 104
tag 1
vlan 1
untag 1
vlan 1481
tag 1
vlan 1482
tag 1
Assumption are vlan1 is the native vlan for the physical inetrface and port 1 is where your fortigate uplink interface sits
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should also consider updating " 5.0 something" to at least 5.0.7. If I remember correctly there were also some VLAN (switch) related bugs resolved in 5.0.5.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, it was in switch mode.
I verified through the GUI Network->Network and right clicking on the (at the time) Internal physical interface. A context menu opens and I choose " change mode" with the options being switched or interface mode.
It does mean reconfiguring whatever was on the Internal interface since after changing modes you will have 7 individual Interfaces (Internal1, Internal2, ..., Internal7).
And you will lose ALL Firewall Policies except the default Implicit policy.
So be sure to backup the configuration before making this change (yes, I knew this and had a backup before implementing this change)
I still have some work to do before I can test the changes.
But I now have some hope that I can get to where I need to get to, Thank You.
will check back when I get further down this new path.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, changed from switch mode to interface mode. re-did all FW addressing and FW policies.
I have more tests to do before I can say ALL is good for sure but so far everything is working like I had hoped.
On the FGT100A the most of the vlans were listed under the Internal interface. (the FGT100A has 2 DMZ ports and 2 vlans were listed under DMZ2 it - the FGT60D only has 1 DMZ port so the DMZ2 vlans were moved under Internal interface).
I still need to verify these are going to work as expected but I' m done for today.
The vlans 101, 102, 103 and 104 are working concurrently and communicating to each other. The 150 vlan is also working and now is communicating to the other vlans (vlan 150 is listed under the DMZ port on both FGT units)
The FGT60D is running 5.0.4 ( build 4317?). I have no problem upgrading to 5.0.7 or even 5.2 but I prefer to ask my ISP first about what they prefer to support.
Again Thank You for the help.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
Labels
-
FortiGate
8,169 -
FortiClient
1,643 -
5.2
801 -
FortiManager
687 -
5.4
639 -
FortiAnalyzer
521 -
FortiSwitch
438 -
FortiAP
433 -
6.0
416 -
FortiClient EMS
375 -
5.6
362 -
FortiMail
302 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
189 -
SSL-VPN
185 -
FortiNAC
164 -
IPsec
161 -
6.4
128 -
FortiGuard
127 -
FortiGateCloud
99 -
FortiSIEM
94 -
FortiCloud Products
94 -
SD-WAN
93 -
FortiToken
86 -
Customer Service
75 -
Wireless Controller
75 -
FortiAuthenticator
75 -
4.0MR3
64 -
Firewall policy
63 -
FortiProxy
54 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
50 -
VLAN
44 -
FortiExtender
43 -
High Availability
43 -
FortiDNS
42 -
ZTNA
42 -
FortiSandbox
39 -
DNS
36 -
FortiGate v5.4
35 -
Routing
35 -
LDAP
35 -
BGP
34 -
FortiSwitch v6.4
33 -
SAML
31 -
Interface
31 -
Certificate
31 -
Authentication
28 -
SSO
28 -
NAT
28 -
FortiConnect
27 -
FortiWAN
25 -
FortiConverter
25 -
RADIUS
24 -
VDOM
24 -
FortiLink
24 -
FortiGate v5.2
23 -
Application control
21 -
Web profile
21 -
Virtual IP
20 -
Fortigate Cloud
19 -
Logging
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
17 -
Traffic shaping
17 -
FortiPAM
17 -
FortiDDoS
15 -
SSL SSH inspection
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
Static route
12 -
FortiManager v5.0
11 -
Automation
11 -
System settings
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiManager v4.0
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Security profile
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiDeceptor
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1558 | |
| 1033 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.