neonbit
Valued Contributor

VLAN traffic is getting routed out of wrong interface

I've been testing a WLC config in my lab and ran into a strange issue regarding VLANs. I have eth1 configured with 10.1.1.1/24 and created VLAN100 on eth2 (VLAN id:100 IP: 10.0.1.1/24 GW: 10.0.1.254).
The problem is that I can't ping VLAN100's GW (10.0.1.254) from the WLC. When I ping 10.0.1.254 I can see that the packets are exiting out of eth1 instead of VLAN100.
If I ping VLAN100's interface from the gateway, I can see the ICMP request packets hitting VLAN100, but the reply packets are all going out of eth1.
Has anyone run into this problem before?

rwpatterson
Valued Contributor III

neonbit wrote:

I've been testing a WLC config in my lab and ran into a strange issue regarding VLANs. I have eth1 configured with 10.1.1.1/24 and created VLAN100 on eth2 (VLAN id:100 IP: 10.0.0.1/24 GW: 10.0.1.254).
The problem is that I can't ping VLAN100's GW (10.0.1.254) from the WLC. When I ping 10.0.1.254 I can see that the packets are exiting out of eth1 instead of VLAN100.
If I ping VLAN100's interface from the gateway, I can see the ICMP request packets hitting VLAN100, but the reply packets are all going out of eth1.
Has anyone run into this problem before?

If what you wrote is correct, the gateway for VLAN 100 is not in the same subnet range as the IP on that interface. The network from the gateway perspective is 10.0.1 but the interface has 10.0.0. Check these and get back to us.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

neonbit
Valued Contributor

I wish my problems were that simple :) Thanks Bob but unfortunately that was just a typo. Can confirm the IP/Subnet/GW are in the correct ranges.
Another thing I've noticed is that if I do a packet capture on the gateway (a FGT), I can see the ARP requests come out from the WLC for 10.0.1.254 and it gets the response (arp lookup on the WLC can see the GW IP and MAC).
All fingers point towards the gateway/subnet being incorrect, but they are correct. I've tried to change the IP around just in case, but still no go.

I've been looking for a way to bring up the routing table on the WLC, but its CLI is very simplistic; I can't see any way of displaying this. :(

neonbit
Valued Contributor
Below is a quick capture from the WLC. I've changed the VLAN interface here to be 10.0.7.1/24 and the GW is 10.0.7.254.
I pinged from the GW (.254) to the WLC (.1). The first capture shows the ICMP packets hitting the VLAN interface (INT 6). It also shows the WLC responding to an ARP request to the GW.
The second capture shows the ICMP replies going out of INT1.
The VLAN interface configuration looks like this:
VLAN Name : TEST-VLAN
Tag : 100
Ethernet Interface Index : 2
IP Address : 10.0.7.1
Netmask : 255.255.255.0
IP Address of the Default Gateway : 10.0.7.254
Override Default DHCP Server Flag : off
DHCP Server IP Address : 0.0.0.0
DHCP Relay Pass-Through : on
Owner : controller
Maximum number of clients : 253
Not sure if it matters, but this WLC is unlicensed. From my understanding this is fine as long as you have only 2 APs to manage (I'm only testing 1 AP), but not sure if it would also screw around with the routing.

rwpatterson
Valued Contributor III

What does the routing table on the FGT look like? The default gateway should have the highest number (of hops), and all else should be lower. If any other route has an equal number, that could be your issue. The default gateway is the interface of last resort, so its distance should be the highest of all.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

neonbit
Valued Contributor

The FGT has the correct routing table and is sending the packets over the correct interface. I believe the problem is only with the WLC. If it tries to ping 10.0.7.254, instead of sending the packet through the VLAN interface (which should be the directly connected interface as far as the routing is concerned) it's sending it out of eth1 which is on a totally separate subnet.
Not sure if I'm missing a step in my VLAN interface configuration on the WLC, looks pretty simple. Create the VLAN, assign it to eth2 and apply it to an ESS profile. Just doesn't seem to want to register the IP/SUBNET configured on the VLAN :(
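The routing behaviour the thread is chasing, as an added illustration that is not WLC or FortiGate code: a longest-prefix-match lookup over a constructed table using the thread's addressing (the default route's next hop 10.1.1.254 is an assumption). With the connected route for the VLAN subnet present, 10.0.7.254 leaves via VLAN100; with it absent, as the captures suggest, the default route sends it out eth1. The last function is the check the poster wanted: which configured interfaces have no connected route.

```python
import ipaddress

# Constructed routing tables modelled on the thread's addressing, not WLC output.
# Each route: (prefix, next_hop or None if directly connected, interface, distance).
EXPECTED_TABLE = [
    ("0.0.0.0/0",   "10.1.1.254", "eth1",    10),  # default route; next hop assumed
    ("10.1.1.0/24", None,         "eth1",    0),   # connected subnet on eth1
    ("10.0.7.0/24", None,         "vlan100", 0),   # connected subnet, VLAN100 on eth2
]

# Table matching the symptom: the VLAN100 subnet never made it into the table,
# so anything for 10.0.7.0/24 falls through to the default route via eth1.
BROKEN_TABLE = [r for r in EXPECTED_TABLE if r[0] != "10.0.7.0/24"]

# Interface configuration as the thread describes it (name -> address/prefix).
INTERFACES = {"eth1": "10.1.1.1/24", "vlan100": "10.0.7.1/24"}


def lookup(table, dst):
    """Pick the egress for dst: longest prefix wins, ties go to the lowest
    administrative distance. Returns (interface, next_hop); next_hop is None
    when dst sits on a directly connected subnet. None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface, distance in table:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -distance)  # larger tuple is the better route
        if best is None or key > best[0]:
            best = (key, iface, next_hop)
    return None if best is None else (best[1], best[2])


def missing_connected_routes(table, interfaces):
    """Return the names of configured interfaces whose subnet has no connected
    route in the table; a non-empty result explains replies leaving the wrong
    interface, as in the thread's captures."""
    connected = {ipaddress.ip_network(p) for p, nh, _, _ in table if nh is None}
    return sorted(name for name, cidr in interfaces.items()
                  if ipaddress.ip_interface(cidr).network not in connected)
```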
