Hello everyone,
We are using a Fortigate 120g. However, we can't open any website.
Ping and DNS work on the client and on the Fortigate, and the packets are forwarded on the Fortigate without dropping any packets.
When we connect directly to the Fortigate 120g, we can access the Internet and open web pages without any delay.
When we disconnect the Fortigate 120g and connect our old firewall, everything works fine right away.
What we tried:
Configuring port speed 1000Full on our Cisco CL9200 switch and on the Fortigate 120g.
Do you have any idea how we can fix the problem?
Thank you in advance!
Best regards
Ok, we fixed the problem.
It was a DNS problem.
Ping worked and DNS names were resolved, but web pages did not load.
With public DNS servers on the client, the sites loaded without delay.
With our internal DNS servers, the sites did not load.
This problem was caused by a subnet that was configured on the Mgmt port on the firewall.
This subnet overlapped with our internal DNS server subnet.
We found this out by performing the following steps:
Ping from firewall to internal DNS server works.
Ping from DNS server to firewall didn't work.
nslookup www.google.com internal DNS server
like nslookup www.google.com 172.1.1.10 (we got two timeouts before the DNS name was resolved)
I hope this solution helps someone.
Regards
Ralf
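The root cause above (a subnet on the Mgmt port overlapping the internal DNS server's subnet, so the firewall holds two connected routes for the same addresses) is the kind of misconfiguration that can be caught by a simple offline audit of the interface table. The following script is an added example, not part of the thread and not Fortinet code: it takes a constructed set of firewall interface addresses (the interface names and subnets are hypothetical; only 172.1.1.10 is taken from the post) and reports which connected subnets overlap and which interface the firewall would prefer for each DNS server by longest prefix.

```python
import ipaddress

# Constructed sample data (not taken from the thread): the firewall's interface
# addresses and the internal DNS servers that clients are configured to use.
FIREWALL_INTERFACES = {
    "mgmt": "172.1.0.1/16",     # hypothetical: Mgmt port given a too-wide subnet
    "lan":  "172.1.1.1/24",     # hypothetical: VLAN 10 gateway towards the core switch
    "wan1": "203.0.113.2/30",   # hypothetical WAN address (documentation range)
}
DNS_SERVERS = ["172.1.1.10", "172.1.2.10"]


def _networks(interfaces):
    """Parse 'addr/prefix' strings into (name, network) pairs."""
    return [(name, ipaddress.ip_interface(cidr).network)
            for name, cidr in interfaces.items()]


def find_overlapping_interfaces(interfaces):
    """Return sorted (name_a, name_b) pairs whose connected subnets overlap.

    Two directly connected subnets that overlap give the firewall two
    candidate routes for part of the address space, which is the condition
    the thread's author found on the Mgmt port.
    """
    nets = _networks(interfaces)
    overlaps = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                overlaps.append(tuple(sorted((name_a, name_b))))
    return sorted(overlaps)


def interfaces_containing(interfaces, ip):
    """Names of interfaces whose subnet contains ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, name)
            for name, net in _networks(interfaces) if addr in net]
    return [name for _, name in sorted(hits, key=lambda t: (-t[0], t[1]))]


def audit_dns_reachability(interfaces, dns_servers):
    """For each DNS server, report the interface the firewall would use
    (longest prefix wins) and flag it as ambiguous when more than one
    connected subnet claims the address."""
    report = {}
    for server in dns_servers:
        names = interfaces_containing(interfaces, server)
        report[server] = {
            "preferred": names[0] if names else None,
            "ambiguous": len(names) > 1,
            "claimed_by": names,
        }
    return report


if __name__ == "__main__":
    print("overlapping subnets:", find_overlapping_interfaces(FIREWALL_INTERFACES))
    for server, info in audit_dns_reachability(FIREWALL_INTERFACES, DNS_SERVERS).items():
        flag = "AMBIGUOUS" if info["ambiguous"] else "ok"
        print(f"{server}: via {info['preferred']} ({flag}; claimed by {info['claimed_by']})")
```

An "ambiguous" DNS server is the warning sign to look for: the firewall's own ping may still succeed (the more specific route wins on the firewall), while the reply path from the server side can land on the wrong interface, which matches the one-way ping symptom described in the post. Replace the constructed table with the real interface list from the firewall before using it.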
Hi Rafi,
Is this happening to all the websites or some of them?
Next Steps Listed below:
Disable all UTM inspection at the Policy including certificate inspection --- Important
Bypass Switch try with direct connection. ---- Important
Press F12 and that will bring up the inspection at the web browser.
Run Wireshark from the PC itself and see if it is a fragmentation issue.
Hi Salem,
Thanks for your help!
This happens to all websites and clients in our network.
UTM checking is disabled.
Bypass switch works fine. No delay in loading sites.
I can check the inspection tomorrow and will post the result here, but I don't think it's a fragmentation issue because we have this problem on all clients and when I change my Fortigate back to my Sonicwall everything works.
I'll be very grateful if you have any further advice for me.
Ralf
Hi Ralf,
Check the switch port speed, half duplex and full duplex mode, check for STP loops or broadcast issues, make sure that you are not getting an IP address conflict, and configure port security; example steps can be found here: https://networklessons.com/switching/how-to-configure-port-security-on-cisco-switch
Hi Salem,
STP is enabled.
Both ports on the firewall and switch are configured to 1000Full (no auto negotiation).
No IP address conflict. We have already checked this.
Port security is enabled on the Cisco switch.
I'm struggling very hard with this problem...
I appreciate any help and idea on this issue.
Ralf
FYI: We are facing a strange behavior. We are not able to ping from any client through the firewall when we restart the firewall until we ping from the Fortigate to our core switch. The ping from Fortigate to our core switch does not work on the first try. On the second try, it works. At this moment, the ping from the client through the firewall is working.
Does anyone know what this behavior means?
Ralf
Share the FortiGate interface configuration that is connected to the switch, and also which VLANs you are passing. It looks like a gateway resolve issue to me.
The ideal flow should be like this:
Host----------Access Port (VLAN-10)--Switch--Trunk Port--------(gateway)Fortigate--Internet
Please ignore that the LAN port is not connected because we are still using the old firewall.
This is a small picture of the configuration of the network:
Ralf
Yes, that's how we configured it.
Can you do a traceroute from the host to the firewall VLAN gateway and see where the traffic is getting dropped?