Hello everyone,
We are using a FortiGate 120G. However, we can't open any website.
Ping and DNS work on the client and on the FortiGate, and the packets are forwarded by the FortiGate without any drops.
When we connect directly to the Fortigate 120g, we can access the Internet and open web pages without any delay.
When we disconnect the Fortigate 120g and connect our old firewall, everything works fine right away.
What we tried:
Configuring port speed 1000Full on our Cisco CL9200 switch and on the Fortigate 120g.
Do you have any idea how we can fix the problem?
Thank you in advance!
Best regards
Ok, we fixed the problem.
It was a DNS problem.
Ping worked and DNS names were resolved, but web pages did not load.
With public DNS servers on the client, the sites loaded without delay.
With our internal DNS servers, the sites did not load.
This problem was caused by a subnet that was configured on the Mgmt port on the firewall.
This subnet overlapped with our internal DNS server subnet.
We found this out by performing the following steps:
- Ping from the firewall to the internal DNS server works.
- Ping from the DNS server to the firewall did not work.
- nslookup www.google.com <internal DNS server>, e.g. nslookup www.google.com 172.1.1.10 (we got two timeouts before the DNS name was resolved).
I hope this solution helps someone.
Regards
Ralf
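The two checks in Ralf's write-up, reproduced as an added example (this is not code from the post or from Fortinet): a subnet-overlap test of the kind that would have caught the Mgmt-port prefix colliding with the DNS server subnet, and a raw UDP DNS probe that counts how many timeouts precede an answer, which is what `nslookup www.google.com 172.1.1.10` showed. The subnets, the DNS server address and the sample response bytes used below are assumed values, not the poster's.

```python
"""Added example, not from the original thread.

1. overlapping_subnets(): does the prefix on the Mgmt port overlap the
   prefix the internal DNS servers live in?  (Root cause in the thread.)
2. probe_dns(): send a raw DNS A query over UDP, retrying on timeout, and
   report how many timeouts happened before an answer arrived.

Addresses and prefixes are assumed sample values.
"""
import ipaddress
import socket
import struct


def overlapping_subnets(mgmt_subnet: str, dns_subnet: str) -> bool:
    """True if the two prefixes share any address, e.g. 172.1.1.0/24 vs 172.1.0.0/16."""
    a = ipaddress.ip_network(mgmt_subnet, strict=False)
    b = ipaddress.ip_network(dns_subnet, strict=False)
    return a.overlaps(b)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
        off += rdlen
    return addrs


def probe_dns(server: str, name: str, tries: int = 3, timeout: float = 2.0):
    """Query `server` up to `tries` times; return (timeouts_before_answer, addresses).

    Two timeouts followed by an answer is the pattern Ralf saw against the
    internal server; a healthy server answers with zero timeouts.
    """
    query = build_query(name)
    timeouts = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(tries):
            sock.sendto(query, (server, 53))
            try:
                data, _ = sock.recvfrom(512)
                return timeouts, parse_a_records(data)
            except socket.timeout:
                timeouts += 1
    return timeouts, []


if __name__ == "__main__":
    # Assumed sample prefixes: a /24 on the Mgmt port inside the DNS servers' /16.
    print("overlap:", overlapping_subnets("172.1.1.0/24", "172.1.0.0/16"))
    # Live probe against an assumed internal resolver; needs network access.
    print("probe:", probe_dns("172.1.1.10", "www.google.com"))
```

Run the overlap check with the actual prefixes from `get system interface` before touching DNS; if it returns True, the asymmetric ping result in the thread (firewall to DNS works, DNS to firewall does not) is exactly what to expect, since the firewall treats the DNS server's subnet as directly connected on the wrong interface.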
Okay, that is working fine. Now the issue is that the traffic from the host is not working. Tell me whether you can ping 8.8.8.8 from the host itself, and also whether you can ping www.google.com.
Both are working from the client.
But the websites are still not loading...
Ralf
Hello @FortinetBeginner
If you can access the website fine when connected directly to the FortiGate and have no problem pinging directly from the FortiGate, it seems like an issue on the switch.
Can you make sure that when the switch is connected and you access the website, the traffic reaches the FortiGate?
You can check it with: diagnose sniffer packet any 'host source_IP' 4 0 l
It seems to be an issue on the switch.
Hi Hiral,
I'm not sure if the problem is my switch, because with the old firewall everything works plug & play.
Attached is the screenshot of my diagnostic sniffer.
Ralf
Hi Hiral,
do you have any advice on how I can continue to troubleshoot my internal network?
Ralf
Do one thing: at the firewall, check the forward logs and run the following debug
di de dis
di de reset
di de flow filter addr <Host-IP>
di de flow filter port 443
di de console timestamp en
di de flow trace start 999
di de en
To stop the debug use the command given below
di de dis
di de reset
Let us see if the firewall is dropping any packets; then you can bypass the switch, connect the host directly to the firewall and see whether that works or not. Also make sure that you have an active web filter license and that FortiGuard is up and running if you are using the web filter in the policy.
Created on 07-27-2024 01:54 PM Edited on 07-28-2024 02:17 AM
C0EAE46988C4 # di de dis
C0EAE46988C4 # di de reset
C0EAE46988C4 # di de flow filter addr 10.102.29.12
C0EAE46988C4 # di de flow filter port 443
C0EAE46988C4 # di de flow console timestamp en
command parse error before 'console'
Command fail. Return code -61
C0EAE46988C4 # di de console timestamp en
C0EAE46988C4 # di de flow trace start 999
C0EAE46988C4 # di de en
C0EAE46988C4 # 2024-07-27 22:51:58 id=20085 trace_id=1 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 10.102.29.12:57344->213.182.13.45:443) tun_id=0.0.0.0 from port1. flag [S], seq 2474954773, ack 0, win 64240"
2024-07-27 22:51:58 id=20085 trace_id=1 func=init_ip_session_common line=6133 msg="allocate a new session-00057276, tun_id=0.0.0.0"
2024-07-27 22:51:58 id=20085 trace_id=1 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-62.1.1.1 via port4"
2024-07-27 22:51:58 id=20085 trace_id=1 func=get_new_addr line=1227 msg="find DNAT: IP-62.157.152.173, port-57344"
2024-07-27 22:51:58 id=20085 trace_id=1 func=fw_forward_handler line=888 msg="Allowed by Policy-10027: SNAT"
2024-07-27 22:51:58 id=20085 trace_id=1 func=ip_session_confirm_final line=3187 msg="npu_state=0x4000000, hook=4"
2024-07-27 22:51:58 id=20085 trace_id=1 func=__ip_session_run_tuple line=3546 msg="SNAT 10.102.29.12->62.157.152.173:57344"
2024-07-27 22:51:58 id=20085 trace_id=2 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 213.182.13.45:443->62.1.1.1:57344) tun_id=0.0.0.0 from port4. flag [S.], seq 36358557, ack 2474954774, win 8190"
2024-07-27 22:51:58 id=20085 trace_id=2 func=resolve_ip_tuple_fast line=6039 msg="Find an existing session, id-00057276, reply direction"
2024-07-27 22:51:58 id=20085 trace_id=2 func=__ip_session_run_tuple line=3559 msg="DNAT 62.1.1.1:57344->10.102.29.12:57344"
2024-07-27 22:51:58 id=20085 trace_id=2 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-10.255.255.30 via port1"
2024-07-27 22:51:58 id=20085 trace_id=2 func=npu_handle_session44 line=1243 msg="Trying to offloading session from port4 to port1, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x04000000"
2024-07-27 22:51:58 id=20085 trace_id=2 func=ip_session_install_npu_session line=367 msg="npu session installation succeeded"
2024-07-27 22:51:58 id=20085 trace_id=2 func=fw_forward_dirty_handler line=412 msg="state=00010204, state2=00000001, npu_state=04000800"
2024-07-27 22:51:58 id=20085 trace_id=3 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 10.102.29.12:57344->213.182.13.45:443) tun_id=0.0.0.0 from port1. flag [.], seq 2474954774, ack 36358558, win 1026"
2024-07-27 22:51:58 id=20085 trace_id=3 func=resolve_ip_tuple_fast line=6039 msg="Find an existing session, id-00057276, original direction"
2024-07-27 22:51:58 id=20085 trace_id=3 func=npu_handle_session44 line=1243 msg="Trying to offloading session from port1 to port4, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x04000800"
2024-07-27 22:51:58 id=20085 trace_id=3 func=ip_session_install_npu_session line=367 msg="npu session installation succeeded"
2024-07-27 22:51:58 id=20085 trace_id=3 func=fw_forward_dirty_handler line=412 msg="state=00010204, state2=00000001, npu_state=04000c00"
2024-07-27 22:51:58 id=20085 trace_id=3 func=__ip_session_run_tuple line=3546 msg="SNAT 10.102.29.12->62.1.1.1:57344"
2024-07-27 22:51:58 id=20085 trace_id=4 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 10.102.29.12:57345->213.182.13.45:443) tun_id=0.0.0.0 from port1. flag [S], seq 1869077718, ack 0, win 64240"
2024-07-27 22:51:58 id=20085 trace_id=4 func=init_ip_session_common line=6133 msg="allocate a new session-00057278, tun_id=0.0.0.0"
2024-07-27 22:51:58 id=20085 trace_id=4 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-62.1.1.1 via port4"
2024-07-27 22:51:58 id=20085 trace_id=4 func=get_new_addr line=1227 msg="find DNAT: IP-62.157.152.173, port-57345"
2024-07-27 22:51:58 id=20085 trace_id=4 func=fw_forward_handler line=888 msg="Allowed by Policy-10027: SNAT"
2024-07-27 22:51:58 id=20085 trace_id=4 func=ip_session_confirm_final line=3187 msg="npu_state=0x4000000, hook=4"
2024-07-27 22:51:58 id=20085 trace_id=4 func=__ip_session_run_tuple line=3546 msg="SNAT 10.102.29.12->62.1.1.1:57345"
2024-07-27 22:51:58 id=20085 trace_id=5 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 213.182.13.45:443->62.1.1.1:57345) tun_id=0.0.0.0 from port4. flag [S.], seq 1810122540, ack 1869077719, win 8190"
2024-07-27 22:51:58 id=20085 trace_id=5 func=resolve_ip_tuple_fast line=6039 msg="Find an existing session, id-00057278, reply direction"
2024-07-27 22:51:58 id=20085 trace_id=5 func=__ip_session_run_tuple line=3559 msg="DNAT 62.1.1.1:57345->10.102.29.12:57345"
2024-07-27 22:51:58 id=20085 trace_id=5 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-10.255.255.30 via port1"
2024-07-27 22:51:58 id=20085 trace_id=5 func=npu_handle_session44 line=1243 msg="Trying to offloading session from port4 to port1, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x04000000"
2024-07-27 22:51:58 id=20085 trace_id=5 func=ip_session_install_npu_session line=367 msg="npu session installation succeeded"
2024-07-27 22:51:58 id=20085 trace_id=5 func=fw_forward_dirty_handler line=412 msg="state=00010204, state2=00000001, npu_state=04000800"
2024-07-27 22:51:58 id=20085 trace_id=6 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 10.102.29.12:57345->213.182.13.45:443) tun_id=0.0.0.0 from port1. flag [.], seq 1869077719, ack 1810122541, win 1026"
2024-07-27 22:51:58 id=20085 trace_id=6 func=resolve_ip_tuple_fast line=6039 msg="Find an existing session, id-00057278, original direction"
2024-07-27 22:51:58 id=20085 trace_id=6 func=npu_handle_session44 line=1243 msg="Trying to offloading session from port1 to port4, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x04000800"
2024-07-27 22:51:58 id=20085 trace_id=6 func=ip_session_install_npu_session line=367 msg="npu session installation succeeded"
2024-07-27 22:51:58 id=20085 trace_id=6 func=fw_forward_dirty_handler line=412 msg="state=00010204, state2=00000001, npu_state=04000c00"
2024-07-27 22:51:58 id=20085 trace_id=6 func=__ip_session_run_tuple line=3546 msg="SNAT 10.102.29.12->62.1.1.1:57345"
di de dis
Ralf
Great job. Now make sure you stop the debug using the commands
di de dis
di de reset
We can see a bidirectional traffic flow. Clear the browser cache or use a private window and try once more. If that does not help, bypass the switch and try again, and ensure that there is no web filter on policy id 10027.
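Hiral's reading of the trace ("bidirectional traffic flow", "Allowed by Policy-10027") can be checked mechanically. The following parser for `diagnose debug flow` output is an added example and is not code from the thread or from Fortinet: it groups lines by `trace_id`, binds each trace to its session id via the "allocate a new session" / "Find an existing session" messages, and reports per session the verdict, the policy, the directions seen and the NAT applied. The embedded sample is copied from the trace above, except for the final trace (id 7), which is constructed to show what a drop looks like; its "Denied by forward policy check" wording follows the FortiOS message but is not taken from the post.

```python
"""Added example, not from the original thread: summarise FortiOS
`diagnose debug flow` output per session.

SAMPLE lines for trace_id 1 and 2 are copied from the post; trace_id 7 is
constructed to exercise the drop path and is not from the post.
"""
import re

SAMPLE = r'''
2024-07-27 22:51:58 id=20085 trace_id=1 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 10.102.29.12:57344->213.182.13.45:443) tun_id=0.0.0.0 from port1. flag [S], seq 2474954773, ack 0, win 64240"
2024-07-27 22:51:58 id=20085 trace_id=1 func=init_ip_session_common line=6133 msg="allocate a new session-00057276, tun_id=0.0.0.0"
2024-07-27 22:51:58 id=20085 trace_id=1 func=fw_forward_handler line=888 msg="Allowed by Policy-10027: SNAT"
2024-07-27 22:51:58 id=20085 trace_id=1 func=__ip_session_run_tuple line=3546 msg="SNAT 10.102.29.12->62.157.152.173:57344"
2024-07-27 22:51:58 id=20085 trace_id=2 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 213.182.13.45:443->62.1.1.1:57344) tun_id=0.0.0.0 from port4. flag [S.], seq 36358557, ack 2474954774, win 8190"
2024-07-27 22:51:58 id=20085 trace_id=2 func=resolve_ip_tuple_fast line=6039 msg="Find an existing session, id-00057276, reply direction"
2024-07-27 22:51:58 id=20085 trace_id=2 func=__ip_session_run_tuple line=3559 msg="DNAT 62.1.1.1:57344->10.102.29.12:57344"
# constructed drop case, not from the post:
2024-07-27 22:52:10 id=20085 trace_id=7 func=print_pkt_detail line=5953 msg="vd-root:0 received a packet(proto=6, 10.102.29.12:57400->198.51.100.7:443) tun_id=0.0.0.0 from port1. flag [S], seq 1, ack 0, win 64240"
2024-07-27 22:52:10 id=20085 trace_id=7 func=init_ip_session_common line=6133 msg="allocate a new session-00057300, tun_id=0.0.0.0"
2024-07-27 22:52:10 id=20085 trace_id=7 func=fw_forward_handler line=888 msg="Denied by forward policy check (policy 0)"
'''

TRACE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+).*?msg="(.*)"')
PKT_RE = re.compile(
    r'received a packet\(proto=(\d+), (\S+)->(\S+)\).*?from (\S+)\. flag \[(.*?)\]')
NEW_SESS_RE = re.compile(r'allocate a new session-(\w+)')
OLD_SESS_RE = re.compile(r'Find an existing session, id-(\w+), (\w+) direction')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')


def _new_session():
    return {"directions": set(), "verdict": None, "policy": None,
            "snat": None, "dnat": None, "packets": []}


def parse_flow(lines):
    """Return {session_id: summary} built from debug-flow lines."""
    sessions, trace_to_sid, trace_pkt = {}, {}, {}
    for line in lines:
        m = TRACE_RE.search(line)
        if not m:
            continue  # prompt echoes, blank lines, comments
        tid, _func, msg = m.groups()
        pkt = PKT_RE.search(msg)
        if pkt:
            proto, src, dst, iface, flags = pkt.groups()
            trace_pkt[tid] = {"proto": int(proto), "src": src, "dst": dst,
                              "iface": iface, "flags": flags}
            continue
        sid, direction = None, "original"
        n = NEW_SESS_RE.search(msg)
        if n:
            sid = n.group(1)
        o = OLD_SESS_RE.search(msg)
        if o:
            sid, direction = o.groups()
        if sid:
            trace_to_sid[tid] = sid
            s = sessions.setdefault(sid, _new_session())
            s["directions"].add(direction)
            if tid in trace_pkt:
                s["packets"].append(trace_pkt[tid])
            continue
        sid = trace_to_sid.get(tid)
        if sid is None:
            continue  # message before any session binding for this trace
        s = sessions[sid]
        a = ALLOW_RE.search(msg)
        if a:
            s["verdict"], s["policy"] = "allowed", a.group(1)
        elif msg.startswith("Denied"):
            s["verdict"] = "denied"
        elif msg.startswith("SNAT "):
            s["snat"] = msg[5:]
        elif msg.startswith("DNAT "):
            s["dnat"] = msg[5:]
    return sessions


def bidirectional(sessions):
    """Sessions for which both the original and the reply direction were traced."""
    return sorted(sid for sid, s in sessions.items()
                  if {"original", "reply"} <= s["directions"])


def dropped(sessions):
    """Sessions the firewall denied."""
    return sorted(sid for sid, s in sessions.items() if s["verdict"] == "denied")


if __name__ == "__main__":
    result = parse_flow(SAMPLE.splitlines())
    for sid, s in result.items():
        print(sid, s["verdict"], s["policy"], sorted(s["directions"]), s["snat"], s["dnat"])
    print("bidirectional:", bidirectional(result))
    print("dropped:", dropped(result))
```

Feed the real capture in with `parse_flow(open("flow.txt").read().splitlines())`. A session that is allowed, shows SNAT and DNAT, and appears in `bidirectional()` but still does not load a page is what the thread shows, and it points away from the policy and towards something the firewall does not log here, which in this case turned out to be DNS.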
There is no web filter set on policy id 10027.
We are using different machines and different browsers (including a private window) and we are not getting a fully loaded website. The website tries to load, but it never loads completely and in most cases the web browser says "website is not loading" or "website is not reachable" or "check your internet connection".
Is there anything else that we can look at?
Ralf
Copyright 2024 Fortinet, Inc. All Rights Reserved.