I have a Cisco Catalyst 4500 core switch, and various cisco access switches. There are a number of VLANs configured on the 4500 and each vlan has its own vlan interface with ip address configured which it is the default gateway of the PCs in the subnet. Ip-routing is enabled on the 4500 which allows traffic on the various VLANs to be routed back and forth. The internet gateway on the switch is an IP on the Fortigate (10.1.0.90).
I cant ping 10.1.0.90 on any of the VLANs except the VLAN the gateway was a member of. Once I dumped a PC onto the VLAN 10.1.x.x, I was able to ping that address with no problem. It looks like a 802.1Q issues. I ran some debugging commands on the Fortigate and the 4500. I setup a running ping from my pc on another VLAN to ping the address on the 10.1.x.x VLAN. The packet is arriving but as you can see, has issues. From the Fortigate: id=13 trace_id=286 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=1, 10.1.20.3:1->10.1.0.90:8) from VLAN 20." id=13 trace_id=286 func=init_ip_session_common line=4428 msg="allocate a new session-0034069f" id=13 trace_id=286 func=ip_route_input_slow line=1279 msg="reverse path check fail, drop" id=13 trace_id=286 func=ip_session_handle_no_dst line=4490 msg="trace" # get router info routing-table all C 10.1.0.0/20 is directly connected, port1 C 10.1.20.0/24 is directly connected, VLAN 20 I have read in other website that running the following command will correct the issue
config system settings set asymroute enable end
I ran the command in order to try the solution an it worked. The VLAN 20 can go to the internet nevertheless "If you enable asymmetric routing, antivirus and intrusion prevention systems will not be effective. Your FortiGate unit will be unaware of connections and treat each packet individually. It will become a stateless firewall".(FortiOs Handbook)
The asymmetric routing is when the FortiGate unit recognizes the same packets repeated on multiple interfaces, it blocks the session as a potential attack, I am creating VLAN subinterfaces in the same port where the core routes all traffic to internet
SW-CORE#sh ip route Gateway of last resort is 10.1.0.90 to network 0.0.0.0 10.0.0.0/8 is variably subnetted, 32 subnets, 3 masks C 10.1.0.0/20 is directly connected, Vlan1 C 10.1.30.0/24 is directly connected, Vlan30 C 10.1.20.0/24 is directly connected, Vlan20 S* 0.0.0.0/0 [1/0] via 10.1.0.90
Any advice since I do not want to enable asymmetric routing.
Best Regards,
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
laldana wrote:I have a Cisco Catalyst 4500 core switch, and various cisco access switches. There are a number of VLANs configured on the 4500 and each vlan has its own vlan interface with ip address configured which it is the default gateway of the PCs in the subnet. Ip-routing is enabled on the 4500 which allows traffic on the various VLANs to be routed back and forth. The internet gateway on the switch is an IP on the Fortigate (10.1.0.90).
I belive we should move all the inter-vlan routing and gateway addresses to Fortigate or don't configure any vlans on fortigate and send untagged traffic to Fortigate.
It seems both fortigate and 4500 is doing Inter-vlan routing which is strange.
If you want to firewall the traffic between vlans, remove all the inter vlan routing (L3 functions) from 4500 and configure it on Fortigate.
2019-03-13 10:36:53 id=20085 trace_id=5715801 func=ip_route_input_slow line=2240 msg="reverse path check fail, drop" 2019-03-13 10:36:53 id=20085 trace_id=5715801 func=ip_session_handle_no_dst line=5150 msg="trace" 2019-03-13 10:36:57 id=20085 trace_id=5715802 func=print_pkt_detail line=4930 msg="vd-VPSD157-ATE received a packet(proto=1, 192.168.250.50:1->10.100.130.11:2048) from ATE-MPLS. type=8, code=0, id=1, seq=639." 2019-03-13 10:36:57 id=20085 trace_id=5715802 func=resolve_ip_tuple_fast line=4994 msg="Find an existing session, id-8b17dac3, original direction"
can anyone help ?
laldana wrote:I have a Cisco Catalyst 4500 core switch, and various cisco access switches. There are a number of VLANs configured on the 4500 and each vlan has its own vlan interface with ip address configured which it is the default gateway of the PCs in the subnet. Ip-routing is enabled on the 4500 which allows traffic on the various VLANs to be routed back and forth. The internet gateway on the switch is an IP on the Fortigate (10.1.0.90).
I belive we should move all the inter-vlan routing and gateway addresses to Fortigate or don't configure any vlans on fortigate and send untagged traffic to Fortigate.
It seems both fortigate and 4500 is doing Inter-vlan routing which is strange.
If you want to firewall the traffic between vlans, remove all the inter vlan routing (L3 functions) from 4500 and configure it on Fortigate.
Thanks for your response ashukla,
I delete all vlan subinterfaces in the fortigate and set the port of the cisco in untagged mode.
I read that setting the port in access mode you will send untagged traffic in that specific port
#sh run int gig X/X
interface GigabitEthernetX/X switchport mode access end
nevertheless the fortigate is still giving me problems as the vlan 30 cant reach the fortigate ip interface 10.1.0.90
id=13 trace_id=2499 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=1, 10.1.30.3:1->10.1.0.90:8) from port1." id=13 trace_id=2499 func=init_ip_session_common line=4430 msg="allocate a new session-0b66254d" id=13 trace_id=2499 func=ip_route_input_slow line=1279 msg="reverse path check fail, drop" id=13 trace_id=2499 func=ip_session_handle_no_dst line=4493 msg="trace" id=13 trace_id=2500 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=1, 10.1.30.3:1->10.1.0.90:8) from port1." id=13 trace_id=2500 func=init_ip_session_common line=4430 msg="allocate a new session-0b662810" id=13 trace_id=2500 func=ip_route_input_slow line=1279 msg="reverse path check fail, drop" id=13 trace_id=2500 func=ip_session_handle_no_dst line=4493 msg="trace"
¿Any advice?
I finally figure out. I just needed to add the route on the fortigate in order to make the subnet accesible for the fortigate.
Thanks ashukla.
Hi have you configured the route on your fortigate to route traffic that`s coming from vlan 30?
2019-03-13 10:36:53 id=20085 trace_id=5715801 func=ip_route_input_slow line=2240 msg="reverse path check fail, drop" 2019-03-13 10:36:53 id=20085 trace_id=5715801 func=ip_session_handle_no_dst line=5150 msg="trace" 2019-03-13 10:36:57 id=20085 trace_id=5715802 func=print_pkt_detail line=4930 msg="vd-VPSD157-ATE received a packet(proto=1, 192.168.250.50:1->10.100.130.11:2048) from ATE-MPLS. type=8, code=0, id=1, seq=639." 2019-03-13 10:36:57 id=20085 trace_id=5715802 func=resolve_ip_tuple_fast line=4994 msg="Find an existing session, id-8b17dac3, original direction"
can anyone help ?
I have on L3 avaya switch
switch have 2 vlans
vlan 10 with ip address 30.30.30.3 255.255.255.0
vlan 20 with ip address 20.20.20.3 255.255.255.0
intervlan routing is activated on both and ip routing is ON on all eth
vlan 10 have ports 11-24
vlan 20 have ports 2-10
on vlan 20 i am connecting fortigate firewall 60c interface ip address is 20.20.20.4 and connecting 1 pc that got ip from fortigate DHCP pool 20.20.20.6
on vlan 10 pc is connected ip address 30.30.30.4
on firewall side i have cable to WAN 1 with ip 172.16.100.1 and my firewall got ip address 172.16.100.132
internet on firewall is working also on pc on vlan 20 (same firewall's vlan )
but on vlan 10 i have no internet access even know pc on vlan 10 can ping firewall and access GUI and firewall can ping it also
as per static route i have
0.0.0.0/0.0.0.0 to wan 1 and default gateway is 172.16.100.1
30.30.30.0/255.255.255.0 internal gateway 20.20.20.3
policy is set all to all , Nat is activated on all interfaces
how can I allow pc on vlan 10 to access internet
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.