Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Websites are not loading - Fortigate 120g
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Websites are not loading - Fortigate 120g
Hello everyone,
We are using a Fortigate 120g. However, we can't open any website.
Ping and DNS works on the client and on the fortigate and the packets are forwarded on the fortigate without dropping any packets.
When we connect directly to the Fortigate 120g, we can access the Internet and open web pages without any delay.
When we disconnect the Fortigate 120g and connect our old firewall, everything works fine right away.
What we tried:
Configuring port speed 1000Full on our Cisco CL9200 switch and on the Fortigate 120g.
Do you have any idea how we can fix the problem?
Thank you in advance!
Best regards
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, we fixed the problem.
It was a DNS problem.
Ping worked and DNS names were resolved, but web pages did not load.
With public DNS servers on the client, the sites loaded without delay.
With our internal DNS servers, the sites did not load.
This problem was caused by a subnet that was configured on the Mgmt port on the firewall.
This subnet overlapped with our internal DNS server subnet.
We found this out by performing the following steps:
Ping from firewall to internal DNS server works.
Ping from DNS server to firewall didn't work.
nslookup www.google.com internal DNS server
like nslookup www.google.com 172.1.1.10 (we got two timeouts before the DNS name was resolved)
I hope this solution helps someone.
Regards
Ralf
36 REPLIES 36
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay that is working fine, now the issue is from the Host the traffic is not working, tell me if you can ping 8.8.8.8 from the host itself or not and also can you ping www.google.com or not.
Salem
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both are working from the client.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But the websites are still not loading...
Ralf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @FortinetBeginner
If you can access website fine when connected to FortiGate and have no problem pinging directly from the FortiGate seems like issue on the switch.
Can you make sure when switch is connected, and you access the website, does traffic reach the FortiGate?
you can check it with diagnose sniffer packet any 'host source_IP' 4 0 l
It seems to be issue on switch.
Hiral
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Hiral,
I'm not sure if the problem is my switch, because with the old firewall everything works plug & play.
Attached is the screenshot of my diagnostic sniffer.
Ralf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Hiral,
do you have any advice on how I can continue to troubleshoot my internal network?
Ralf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
do one think at the Firewall check the Forward logs and run the following debug
di de dis
di de reset
di de flow filter addr <Host-IP>
di de flow filter port 443
di de console timestamp en
di de flow trace start 999
di de en
To stop the debug use the command given below
di de dis
di de reset
Let us see if the Firewall is dropping any packets, then you can bypass the switch and connect the host directly with the Firewall and see if that works or not. Also make sure that you have the webfilter active license and fortiguard up and running if you are using the webfilter at the Policy.
Salem
Created on 07-27-2024 01:54 PM Edited on 07-28-2024 02:17 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
C0EAE46988C4 # di de dis
C0EAE46988C4 # di de reset
C0EAE46988C4 # di de flow filter addr 10.102.29.12
C0EAE46988C4 # di de flow filter port 443
C0EAE46988C4 # di de flow console timestamp en
command parse error before 'console'
Command fail. Return code -61
C0EAE46988C4 # di de console timestamp en
C0EAE46988C4 # di de flow trace start 999
C0EAE46988C4 # di de en
C0EAE46988C4 # 2024-07-27 22:51:58 id=20085 trace_id=1 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 10.102.29.12:57344->213.182.13.45:443) tun_id=0.0.0.0 from port1. flag [S], seq 2474954773, ack 0, win 64240"
2024-07-27 22:51:58 id=20085 trace_id=1 func=init_ip_session_common line=6133 msg="allocate a new session-00057276, tun_id=0.0.0.0"
2024-07-27 22:51:58 id=20085 trace_id=1 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-62.1.1.1 via port4"
2024-07-27 22:51:58 id=20085 trace_id=1 func=get_new_addr line=1227 msg="find DNAT: IP-62.157.152.173, port-57344"
2024-07-27 22:51:58 id=20085 trace_id=1 func=fw_forward_handler line=888 msg="Allowed by Policy-10027: SNAT"
2024-07-27 22:51:58 id=20085 trace_id=1 func=ip_session_confirm_final line=3187 msg="npu_state=0x4000000, hook=4"
2024-07-27 22:51:58 id=20085 trace_id=1 func=__ip_session_run_tuple line=3546 msg="SNAT 10.102.29.12->62.157.152.173:57344"
2024-07-27 22:51:58 id=20085 trace_id=2 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 213.182.13.45:443->62.1.1.1:57344) tun_id=0.0.0.0 from port4. flag [S.], seq 36358557, ack 2474954774, win 8190"
2024-07-27 22:51:58 id=20085 trace_id=2 func=resolve_ip_tuple_fast line=6039 msg="Find an existing session, id-00057276, reply direction"
2024-07-27 22:51:58 id=20085 trace_id=2 func=__ip_session_run_tuple line=3559 msg="DNAT 62.1.1.1:57344->10.102.29.12:57344"
2024-07-27 22:51:58 id=20085 trace_id=2 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-10.255.255.30 via port1"
2024-07-27 22:51:58 id=20085 trace_id=2 func=npu_handle_session44 line=1243 msg="Trying to offloading session from port4 to port1, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x04000000"
2024-07-27 22:51:58 id=20085 trace_id=2 func=ip_session_install_npu_session line=367 msg="npu session installation succeeded"
2024-07-27 22:51:58 id=20085 trace_id=2 func=fw_forward_dirty_handler line=412 msg="state=00010204, state2=00000001, npu_state=04000800"
2024-07-27 22:51:58 id=20085 trace_id=3 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 10.102.29.12:57344->213.182.13.45:443) tun_id=0.0.0.0 from port1. flag [.], seq 2474954774, ack 36358558, win 1026"
2024-07-27 22:51:58 id=20085 trace_id=3 func=resolve_ip_tuple_fast line=6039 msg="Find an existing session, id-00057276, original direction"
2024-07-27 22:51:58 id=20085 trace_id=3 func=npu_handle_session44 line=1243 msg="Trying to offloading session from port1 to port4, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x04000800"
2024-07-27 22:51:58 id=20085 trace_id=3 func=ip_session_install_npu_session line=367 msg="npu session installation succeeded"
2024-07-27 22:51:58 id=20085 trace_id=3 func=fw_forward_dirty_handler line=412 msg="state=00010204, state2=00000001, npu_state=04000c00"
2024-07-27 22:51:58 id=20085 trace_id=3 func=__ip_session_run_tuple line=3546 msg="SNAT 10.102.29.12->62.1.1.1:57344"
2024-07-27 22:51:58 id=20085 trace_id=4 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 10.102.29.12:57345->213.182.13.45:443) tun_id=0.0.0.0 from port1. flag [S], seq 1869077718, ack 0, win 64240"
2024-07-27 22:51:58 id=20085 trace_id=4 func=init_ip_session_common line=6133 msg="allocate a new session-00057278, tun_id=0.0.0.0"
2024-07-27 22:51:58 id=20085 trace_id=4 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-62.1.1.1 via port4"
2024-07-27 22:51:58 id=20085 trace_id=4 func=get_new_addr line=1227 msg="find DNAT: IP-62.157.152.173, port-57345"
2024-07-27 22:51:58 id=20085 trace_id=4 func=fw_forward_handler line=888 msg="Allowed by Policy-10027: SNAT"
2024-07-27 22:51:58 id=20085 trace_id=4 func=ip_session_confirm_final line=3187 msg="npu_state=0x4000000, hook=4"
2024-07-27 22:51:58 id=20085 trace_id=4 func=__ip_session_run_tuple line=3546 msg="SNAT 10.102.29.12->62.1.1.1:57345"
2024-07-27 22:51:58 id=20085 trace_id=5 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 213.182.13.45:443->62.1.1.1:57345) tun_id=0.0.0.0 from port4. flag [S.], seq 1810122540, ack 1869077719, win 8190"
2024-07-27 22:51:58 id=20085 trace_id=5 func=resolve_ip_tuple_fast line=6039 msg="Find an existing session, id-00057278, reply direction"
2024-07-27 22:51:58 id=20085 trace_id=5 func=__ip_session_run_tuple line=3559 msg="DNAT 62.1.1.1:57345->10.102.29.12:57345"
2024-07-27 22:51:58 id=20085 trace_id=5 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-10.255.255.30 via port1"
2024-07-27 22:51:58 id=20085 trace_id=5 func=npu_handle_session44 line=1243 msg="Trying to offloading session from port4 to port1, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x04000000"
2024-07-27 22:51:58 id=20085 trace_id=5 func=ip_session_install_npu_session line=367 msg="npu session installation succeeded"
2024-07-27 22:51:58 id=20085 trace_id=5 func=fw_forward_dirty_handler line=412 msg="state=00010204, state2=00000001, npu_state=04000800"
2024-07-27 22:51:58 id=20085 trace_id=6 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 10.102.29.12:57345->213.182.13.45:443) tun_id=0.0.0.0 from port1. flag [.], seq 1869077719, ack 1810122541, win 1026"
2024-07-27 22:51:58 id=20085 trace_id=6 func=resolve_ip_tuple_fast line=6039 msg="Find an existing session, id-00057278, original direction"
2024-07-27 22:51:58 id=20085 trace_id=6 func=npu_handle_session44 line=1243 msg="Trying to offloading session from port1 to port4, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x04000800"
2024-07-27 22:51:58 id=20085 trace_id=6 func=ip_session_install_npu_session line=367 msg="npu session installation succeeded"
2024-07-27 22:51:58 id=20085 trace_id=6 func=fw_forward_dirty_handler line=412 msg="state=00010204, state2=00000001, npu_state=04000c00"
2024-07-27 22:51:58 id=20085 trace_id=6 func=__ip_session_run_tuple line=3546 msg="SNAT 10.102.29.12->62.1.1.1:57345"
di de dis
Ralf
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great job, now make sure you stop the debug using the command
di de dis
di de reset.
We can see bidirectional traffic flow, do clear the cache at the browser or use private window and try one more time. If you can then bypass the switch and try and ensure that no web filter is there at the policy id 10027.
Salem
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no web filter set on policy id 10027.
We are using different machines and different browsers (including a private window) and we are not getting a fully loaded website. The website tries to load, but it never loads completely and in most cases the web browser says "website is not loading" or "website is not reachable" or "check your internet connection".
Is there anything else that we can look at?
Ralf
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,607 -
FortiClient
1,735 -
5.2
801 -
FortiManager
719 -
5.4
639 -
FortiAnalyzer
552 -
FortiSwitch
468 -
FortiAP
464 -
FortiClient EMS
421 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
234 -
Fortiweb
203 -
IPsec
201 -
5.0
196 -
FortiNAC
185 -
FortiGuard
138 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
98 -
FortiCloud Products
96 -
FortiAuthenticator
94 -
FortiToken
89 -
Customer Service
79 -
Firewall policy
78 -
Wireless Controller
77 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
55 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
36 -
FortiGate v5.4
35 -
SAML
35 -
FortiSwitch v6.4
34 -
NAT
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
FortiWAN
27 -
VDOM
27 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
Static route
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
FortiCASB
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiGate-VM
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1688 | |
| 1087 | |
| 752 | |
| 446 | |
| 226 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.