Hamody
New Contributor

VLAN to VLAN issue

Dear all,

1. I have 2 300E firewalls in HA active-passive mode.

2. I have VLANs configured on 2 separate redundant ports on the firewall.

3. The VLANs communicate with each other through firewall policies.

4. My network is working on layer 2, and the firewall is the gateway for all the VLANs.

5. My problem is: I have a fingerprint device on one VLAN and a fingerprint server on another VLAN, communicating with each other through the firewall. When I connect the fingerprint device to the server, after 1 hour the synchronization between the device and the server stops, and no updates appear in the server for any check-in or check-out. I must disconnect and reconnect the fingerprint device from the server to see the new check-ins or check-outs, and 1 hour after reconnecting the problem happens again.

6. I have an application on a local server on one VLAN and a client using this application on another VLAN. After 2 hours of the client communicating with the server, the application freezes on the client side and I must restart the application to restore it to normal, and after 2 hours the problem happens again.

Note: in all the cases above, when the problem happens, network connectivity works normally, with a 1 ms ping between the client side and the server side.

Has anyone had the same problem before?

Thanks

pgautam
Staff

Hi Hamody,

Thank you for updating your query.

Could you please try to reduce the MSS value in the LAN to LAN policy?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518

Regards,

Priyanka

gfleming
Staff

Sounds like a session timeout issue. It is possible the fingerprint server (or client) is not maintaining traffic and the session is being torn down.

Firewall sessions expire after 1 hour.

Can you do a packet capture of the traffic?

Cheers,
Graham
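What a packet capture would show in the situation described in this reply is an idle gap on the flow longer than the firewall's 1-hour session TTL, followed by the resuming side retransmitting into silence while ping still works. The script below is an added example, not part of the thread: it walks a constructed, simplified capture listing (invented addresses, times and sizes; the line format is this example's own, not the output of any real capture tool) and reports idle gaps that exceed the TTL and how many packets after the gap went unanswered.

```python
from datetime import datetime

# Idle timeout named in the thread: FortiGate's default session TTL of 1 hour.
SESSION_TTL_SECONDS = 3600

# Constructed sample capture between a fingerprint device (10.10.10.5) and its
# server (10.20.20.8). Addresses, times and sizes are invented for this example.
# Line format (this example's own): "HH:MM:SS src -> dst len N".
SAMPLE_CAPTURE = """\
08:00:00 10.10.10.5 -> 10.20.20.8 len 74
08:00:00 10.20.20.8 -> 10.10.10.5 len 74
08:00:01 10.10.10.5 -> 10.20.20.8 len 120
08:05:30 10.20.20.8 -> 10.10.10.5 len 98
09:10:00 10.10.10.5 -> 10.20.20.8 len 120
09:10:03 10.10.10.5 -> 10.20.20.8 len 120
09:10:09 10.10.10.5 -> 10.20.20.8 len 120
"""


def parse_capture(text):
    """Parse the simplified capture lines into (timestamp, src, dst, length) tuples."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, _len_word, length = line.split()
        packets.append((datetime.strptime(ts, "%H:%M:%S"), src, dst, int(length)))
    return packets


def idle_gaps(packets):
    """Seconds of silence between each consecutive pair of packets on the flow."""
    gaps = []
    for prev, cur in zip(packets, packets[1:]):
        seconds = int((cur[0] - prev[0]).total_seconds())
        gaps.append((prev[0].strftime("%H:%M:%S"), cur[0].strftime("%H:%M:%S"), seconds))
    return gaps


def gaps_exceeding_ttl(packets, ttl=SESSION_TTL_SECONDS):
    """Idle gaps long enough for the firewall to have expired the session entry.

    A packet arriving after such a gap belongs to a flow the firewall no longer
    tracks; without a fresh handshake it is dropped, which is why the hosts can
    still ping each other while the application appears frozen.
    """
    return [gap for gap in idle_gaps(packets) if gap[2] >= ttl]


def replies_after_gap(packets, ttl=SESSION_TTL_SECONDS):
    """Return (sent, replied) for the packets after the first over-TTL gap.

    sent counts packets from the side that resumed talking; replied counts
    packets going the other way. sent > 0 with replied == 0 is the signature
    of a torn-down session: the resuming side retransmits and nothing comes back.
    """
    for idx, (prev, cur) in enumerate(zip(packets, packets[1:]), start=1):
        if (cur[0] - prev[0]).total_seconds() >= ttl:
            tail = packets[idx:]
            resuming_side = tail[0][1]
            sent = sum(1 for p in tail if p[1] == resuming_side)
            return sent, len(tail) - sent
    return 0, 0


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for start, end, seconds in gaps_exceeding_ttl(pkts):
        print(f"idle {seconds}s between {start} and {end} (TTL {SESSION_TTL_SECONDS}s)")
    sent, replied = replies_after_gap(pkts)
    print(f"after the gap: {sent} packets sent, {replied} replies")
```

Run against the constructed sample it reports one gap of 3870 seconds and three unanswered packets; on a real capture, feed it the timestamps of the flow between the two hosts and compare the largest gap with the policy's session TTL.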
IT_Ahan2
New Contributor III

Can you share the packet capture details with me?

npariyar
Staff

Sounds like a session timeout issue.
Try changing the session TTL of the firewall policy you have configured to allow traffic between the two VLANs:

config firewall policy
    edit 1
        set name "test"
        set uuid 2586cfe6-8777-51ed-7baa-a6ac55525c14
        set srcintf "vlan10"
        set dstintf "vlan20"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # idle timeout in seconds (24 hours) for sessions matched by this policy
        set session-ttl 86400
        set nat enable
    next
end

Niroj Pariyar
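Raising the policy's session TTL, as above, keeps idle sessions in the firewall's state table for longer. The alternative that keeps the firewall's default timeouts is for the endpoint to send TCP keepalives before the idle timeout is reached, so the session entry is refreshed. The script below is an added example, not code from the thread or from Fortinet: it picks a keepalive idle time at half the assumed firewall TTL, enables keepalives on a socket, and verifies the settings on a loopback connection. The socket option names TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT are the Linux ones; on platforms without them the kernel defaults apply.

```python
import socket

# Idle timeout the thread identifies as the cause: FortiGate's default session
# TTL of 3600 seconds. Assumed here as the value to stay under.
FIREWALL_SESSION_TTL = 3600


def keepalive_idle_seconds(session_ttl, fraction=0.5):
    """Seconds of silence before the first keepalive probe is sent.

    Keep it well under the firewall's idle timeout so the session entry is
    refreshed before the firewall expires it; half the TTL is the margin used here.
    """
    if session_ttl <= 0:
        raise ValueError("session_ttl must be positive")
    return max(1, int(session_ttl * fraction))


def enable_tcp_keepalive(sock, idle, interval=30, probes=3):
    """Turn on TCP keepalives on a connected socket and return the settings applied."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"keepalive": True, "idle": idle, "interval": interval, "probes": probes}
    # Per-socket timers are platform-specific (Linux names); skip them where absent.
    if hasattr(socket, "TCP_KEEPIDLE"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    return applied


def demo_loopback(session_ttl=FIREWALL_SESSION_TTL):
    """Open a loopback connection, enable keepalives, and read the options back."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))
    conn, _ = server.accept()
    try:
        idle = keepalive_idle_seconds(session_ttl)
        enable_tcp_keepalive(client, idle)
        result = {
            "idle": idle,
            "so_keepalive": client.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        }
        if hasattr(socket, "TCP_KEEPIDLE"):
            result["tcp_keepidle"] = client.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE)
        return result
    finally:
        conn.close()
        client.close()
        server.close()


if __name__ == "__main__":
    print(demo_loopback())
```

With the default 3600 s TTL the first probe goes out after 1800 s of silence; with the 86400 s TTL set in the policy above the same rule gives 43200 s. Which side to change depends on who controls the software: a device that cannot be told to send keepalives leaves the policy TTL as the only knob.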
Hamody
New Contributor

Dear all,

Thank you for your help.

The problem was the session TTL expiring after 1 hour (its default). I changed it from the CLI and now it is working normally.

Regards
