I have a client with a FortiGate 70D. Everything has been running fine for a few months, but now suddenly some Windows machines are just not pinging the FortiGate 70D LAN interface IP. Ping is enabled on the FGT LAN port as well.
Also, user identity policies using an LDAP server are in place here and users can only get on to the internet through that. The machines which are facing the problems simply don't even ask for user auth in the browser, as they can't get to the FGT in the first place. These machines which can't ping the gateway FGT are able to ping the LDAP server and other PCs on the network.
I also enabled debugging on the FGT to check for incoming packets and none show up.
FGT# diag debug enable
FGT# diag debug flow filter add <PC1>
FGT# diag debug flow show console enable
FGT# diag debug flow trace start 100
FGT# diag debug enable

Simply nothing shows up. This same office has other PCs which are using the internet fine as per the user ID policies and also ping the FGT. My next course of action is to try Wireshark to see what's wrong. Has anyone faced something like this before? Any ideas are also really appreciated. Thanks.
Use the built-in sniffer on the FGT to look into the traffic on your LAN side:
diag sniffer packet lan 'icmp and host 192.168.333.444' 4

This will show all pings on the LAN side involving host 192.168.333.444 (yes, these values are placeholders...).
If you don't even see these pings then your PCs have a real problem. Check the software firewall (Windows, AV suite) first.
You can also sniff for protocol 'arp' for ARP requests. Start with pinging the FGT's LAN interface (to exclude routing issues).
Are you, by any chance, using VLANs?
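The original poster's flow trace and the sniffer suggestion above both come down to one question: does anything from the affected PC reach the FortiGate's LAN interface at all, and if it does, does a reply leave? The script below is an added example (not from this thread and not Fortinet code) that reads saved sniffer output and answers that question per host. It assumes the verbosity-4 line shape `<time> <iface> <in|out> <src> -> <dst>: icmp: echo request` and tcpdump-style ARP lines (`arp who-has ... tell ...`, `arp reply ... is-at ...`); the sample lines and addresses are constructed, and the regexes may need adjusting for other firmware versions.

```python
"""Triage FortiGate 'diag sniffer packet <if> "icmp or arp" 4' output for one host.

Added example, not from the forum thread. Line formats below are an
assumption about FortiOS verbosity-4 sniffer output; adjust if yours differs.
"""
import re
from collections import Counter

IP = r"\d+\.\d+\.\d+\.\d+"
ICMP_RE = re.compile(
    rf"^\s*(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    rf"(?P<src>{IP})\s+->\s+(?P<dst>{IP}):\s+icmp:\s+echo\s+(?P<kind>request|reply)"
)
ARP_RE = re.compile(
    rf"^\s*(?P<ts>[\d.]+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+arp\s+"
    rf"(?:who-has\s+(?P<target>{IP})\s+tell\s+(?P<asker>{IP})"
    rf"|reply\s+(?P<answered>{IP})\s+is-at\s+(?P<mac>[0-9a-fA-F:]+))"
)

VERDICT_TEXT = {
    "no_traffic_from_host": "nothing from the host reached the interface: look at the host "
                            "firewall/AV suite, cabling and the switch path (STP state) first",
    "arp_unanswered": "the host ARPs for the gateway but no reply leaves: the FortiGate is "
                      "not answering ARP on this interface",
    "no_echo_request": "ARP resolves but no echo request arrives: the host is not sending "
                       "ICMP toward this interface (host firewall or routing)",
    "no_echo_reply": "echo requests arrive but no reply leaves: check the interface's Ping "
                     "administrative access and local-in policies",
    "ok": "gateway is answering this host normally",
}

# Constructed sample capture: .20 is healthy, .40 gets no echo replies,
# .30 (the 'problem PC' case from the thread) never appears at all.
SAMPLE = """\
interfaces=[lan]
filters=[icmp or arp]
1.101 lan in arp who-has 192.168.1.1 tell 192.168.1.20
1.102 lan out arp reply 192.168.1.1 is-at 00:09:0f:aa:bb:cc
1.205 lan in 192.168.1.20 -> 192.168.1.1: icmp: echo request
1.206 lan out 192.168.1.1 -> 192.168.1.20: icmp: echo reply
2.310 lan in 192.168.1.40 -> 192.168.1.1: icmp: echo request
3.311 lan in 192.168.1.40 -> 192.168.1.1: icmp: echo request
"""


def tally(lines, gateway, host, arp_window=1.0):
    """Count the four events that matter for host -> gateway reachability."""
    c = Counter()
    pending_arp = None  # timestamp of the host's last unanswered who-has
    for line in lines:
        m = ICMP_RE.match(line)
        if m:
            if m["dir"] == "in" and m["src"] == host and m["dst"] == gateway and m["kind"] == "request":
                c["echo_in"] += 1
            elif m["dir"] == "out" and m["src"] == gateway and m["dst"] == host and m["kind"] == "reply":
                c["echo_out"] += 1
            continue
        m = ARP_RE.match(line)
        if not m:
            continue  # header lines and anything else we don't model
        ts = float(m["ts"])
        if m["target"] == gateway and m["asker"] == host:
            c["arp_whohas"] += 1
            pending_arp = ts
        elif m["answered"] == gateway and m["dir"] == "out" and pending_arp is not None:
            # ARP reply lines don't name the requester; pair it with the
            # host's most recent who-has if it came within the window.
            if ts - pending_arp <= arp_window:
                c["arp_reply"] += 1
                pending_arp = None
    return c


def verdict(c):
    """Turn the counters into one of the VERDICT_TEXT keys."""
    if c["arp_whohas"] == 0 and c["echo_in"] == 0:
        return "no_traffic_from_host"
    if c["arp_whohas"] > 0 and c["arp_reply"] == 0:
        return "arp_unanswered"
    if c["echo_in"] == 0:
        return "no_echo_request"
    if c["echo_out"] == 0:
        return "no_echo_reply"
    return "ok"


def diagnose(lines, gateway, host):
    c = tally(lines, gateway, host)
    v = verdict(c)
    return {"host": host, "counts": dict(c), "verdict": v, "message": VERDICT_TEXT[v]}


if __name__ == "__main__":
    for pc in ("192.168.1.20", "192.168.1.30", "192.168.1.40"):
        r = diagnose(SAMPLE.splitlines(), "192.168.1.1", pc)
        print(f"{r['host']}: {r['verdict']} -> {r['message']}")
```

Run it against a file saved from the console session instead of `SAMPLE` to triage several complaining PCs at once; a host that lands in `no_traffic_from_host` is the case the thread describes, and it points the investigation at the PC and the switch path rather than at the FortiGate's policies.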
Hi, thanks for the response.
From the Wireshark capture I can see some STP packets related to the Fortinet's LAN interface. I don't have any idea on reading that data or using Wireshark yet, but it clearly showed no ICMP packets at all on the PCs with the issue. Then I started connecting the PCs straight to the FGT's internal port, as the device is in switch mode, and then used another small switch for some more problem PCs, and things started working for now.
I have opened tickets with both Fortinet and HP for the issue and handed the WS capture to Fortinet (the geniuses at HP don't even let you attach a WS packet capture file).
But still some random PC somewhere would stop pinging the others, or would stop pinging the gateway, or drop its DHCP leased IP, from the client's complaints.
For now I am down to figuring out if STP is acting weird here.
Not using VLANs at all. Also, could you explain how that placeholder thing works? Never seen that IP before, and googling it brought me back to this post itself.
PS: the forum's image and file uploading is not working correctly here.
If you think of an STP issue you could take the FGT's interfaces out of STP. System > Interfaces, disable 'Use STP'. This option is enabled per default in v5.2.
A few years later and I'm seeing the same issue on our 900D HA pair.
We have about 10 different FGT Interfaces in use and the 10GB PORTA is divided into several VLANs.
One of these PORTA VLANs (10.0.0.0/22) has stopped replying to "pings" to the GW but the others haven't.
All of the other Interface GW's are working.
This firewall has been working fine for two years, and we do know the exact time it happened, because several systems and our alerting system that pings this GW all reported that it failed at 4:18:28PM, give or take 10 sec, on 4/5/2017. One of the systems that failed at the time was vSphere HA.
Fortigate support has told me that it's a problem with my VLAN tagging, and I reject that for the reason stated above.
As someone who has a support agreement I've pushed back, so my question to the forum is: has anyone else seen this?
I've needed to reboot this HA pair several times over the last two years and had to RMA one because of a failed drive, but I can't reboot right now because of 24/7 business requirements.