- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Weird issue with Fortinet
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Weird issue with Fortinet
Hi,
We are experiencing a very weird issue with Fortinet, we installed two Fortinet devices in two cities, topology is mentioned below :-
FORTINET_CITY1 >> CISCO-SWITCH_CITY1 >> ISP_R1_CITY1 ==VXLAN== ISP_R2_CITY2 >> CISCO ACI >> CISCO-SWITCH_CITY2 >> FORTINET_CITY2
The communication between FORTINET_CITY_1 and FORTINET_CITY_2 is disrupted suddenly, we did extensive troubleshooting but we couldn't able to locate the issue. The most strange thing is that, we configured layer-3 VLAN interface on CISCO-SWITCH_CITY1 and CISCO-SWITCH_CITY2 and both switches can able to ping each other. FORTINET_CITY1 is able to ping CISCO-SWITCH_CITY2 and CISCO-SWITCH_CITY1 but couldn't able to ping FORTINET_CITY2, on the other hand FORTINET_CITY2 can ping CISCO-SWITCH_CITY2 but cannot ping beyond that, we checked with ISP and they said no issue found, we can see the ARP request coming from FORTINET_CITY1 on FORTINET_CITY2 but we dont see that ARP request reaching to FORTINET_CITY1, it seems like that arp request is not going out of FORTINET_CITY2. Can someone suggest some idea, thanks
Labels:
- Labels:
-
FortiGate
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
- Is FG_City1 HA cluster and FG_City2 HA cluster as well? If so, make sure you used different cluster ID for each pair to avoid MAC conflict
- Do you see the ping requests leaving the FG with "diag sniffer packet"?
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello ,
Thank you for contacting the Fortinet Forum portal.
I would recommend to verify first which topology scenario comes under and then start troubleshooting after checking configuration.
-You can review the below article for vxlan configuration with ISP in between two FortiGate:
-As suggested by @AEK run sniffer on each hop try to start ping from one of the ends to other and verify were the connection is dropping based on that you can verify the flow of traffic.
diagnose sniffer packet any "host x.x.x.x and host y.y.y.y" 4 0 l
ctrl+c to stop sniffer [x.x.x.x is IP address from source and y.y.y.y destination]
Best regards,
Manasa.
If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can get it easily while searching for similar scenarios.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, we tried sniffer on faulty side but it didnt help, we can see the ARP request coming from other city and it also responding back but dont understand why it is not going out of the ISP link
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can check the ARP tables of the FGTs and the MAC address table in the two edge switches. Are the two FGTs in the same L2 broadcast network? If yes both switches should have the MAC addresses of the FGTs.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When we changed ISP link to second ISP it started working again
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Which device does the VxLAN encap/decap ? I would asume that the ISP routers are doing that and the rest of the devices on the network only 'speak' VLAN ?
If so, assuming that on the sw the port where FG2 connects to a port in access mode in the same VLAN ID on which you tested/create the SVI's from FGT1 which worked ?
geek
geek
Related Posts
- Forticlient Known Issues in Release Notes... 45 Views
- Ubuntu 24.04: Forticlient VPN installation w/... 149 Views
- Application Control and Web filter is... 304 Views
- VXLAN, Virtual Switch and MTU 149 Views
Labels
-
FortiGate
6,593 -
FortiClient
1,315 -
5.2
801 -
5.4
639 -
FortiManager
570 -
FortiAnalyzer
416 -
6.0
416 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
High Availability
21 -
FortiConverter
21 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.