lgupta
Staff
Article Id 294050
Description

This article explains why FortiGate replies 'Telnet to local telnet server is not allowed' when the CLI 'execute telnet' command is used against an IP address that is not assigned to any FortiGate interface.

 

Scope

 

FortiGate.

 

Solution

 

Example output:

FGT-61E # exe telnet 192.168.100.1 443
Telnet to local telnet server is not allowed   <----- Error message.
Command fail. Return code -61

 

  • The first thing usually checked is whether the IP is assigned to one of the FortiGate's interfaces; in this case it is NOT assigned to any of them, yet the FortiGate still calls it a 'local' server.
  • A PING to this IP succeeds. Do NOT rely on this ping as proof that a remote host is reachable: as the output below shows, the reply comes back with ttl=255 and sub-millisecond latency, which is the FortiGate answering for the address itself rather than a real server.

 

FGT-61E # exe ping 192.168.100.1
PING 192.168.100.1 (192.168.100.1): 56 data bytes
64 bytes from 192.168.100.1: icmp_seq=0 ttl=255 time=0.1 ms
64 bytes from 192.168.100.1: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=255 time=0.2 ms
64 bytes from 192.168.100.1: icmp_seq=4 ttl=255 time=0.2 ms

--- 192.168.100.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms

 

Solution 1.

To resolve this issue, check whether any IP pool is configured with the same IP:

 

config firewall ippool
    edit "dummy_pool"
        set type overload
        set startip 192.168.100.1
        set endip 192.168.100.1
        set arp-reply enable    <----- Disable this.
        set arp-intf ''
        set associated-interface ''
        set comments ''
        set nat64 disable
    next
end

 

'arp-reply' is set to enable, so the FortiGate answers ARP for 192.168.100.1 and treats the address as its own: this is why 'execute telnet' refuses the connection as 'local' and why the PING appears to succeed. Disable 'arp-reply' on the pool and try again. Telnet will then reach the real server (provided one exists and is listening on that port), and a PING to the server will return an accurate result.

 

Solution 2.

Check whether any VIP is configured with that IP as its external IP:

 

config firewall vip
    edit "dummy_vip"
        set id 0
        set uuid fba7eb8e-b2e4-51ee-6f81-bebaef8c8b72
        set comment ''
        set type static-nat
        set extip 192.168.100.1
        set nat44 enable
        set nat46 disable
        set mappedip "192.168.101.1"
        set extintf "any"
        set arp-reply enable    <----- Disable this.
        set nat-source-vip disable
        set portforward disable
        set gratuitous-arp-interval 0
        set ssl-client-rekey-count 0
        set color 0
    next
end

 

As with the IP pool, 'arp-reply' is set to enable, so the FortiGate claims the external IP as local. Disable 'arp-reply' on the VIP and try again. Telnet will then reach the real server (provided one exists and is listening on that port), and a PING to the server will return an accurate result.
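Both solutions come down to the same audit: find every IP pool or VIP whose address range covers the target IP and that still has 'arp-reply' enabled. The following script is an added example, not Fortinet code or part of this article, that performs that audit offline over a FortiOS configuration dump (the text produced by 'show firewall ippool' and 'show firewall vip'). The SAMPLE_CONFIG text is constructed to resemble the two objects above plus a pool with 'arp-reply' disabled and a VIP on an unrelated range; the treatment of a missing 'arp-reply' line as enabled is an assumption based on the FortiOS default.

```python
"""Find FortiOS IP pools and VIPs that will answer ARP for a given address.

Added example (not Fortinet code). Feed it the output of
'show firewall ippool' and 'show firewall vip' concatenated together.
"""
import ipaddress

# Constructed sample config: the two objects from the article, one pool that
# covers the address but has arp-reply disabled, and one VIP on another range.
SAMPLE_CONFIG = """\
config firewall ippool
    edit "dummy_pool"
        set type overload
        set startip 192.168.100.1
        set endip 192.168.100.1
        set arp-reply enable
    next
    edit "quiet_pool"
        set type overload
        set startip 192.168.100.1
        set endip 192.168.100.5
        set arp-reply disable
    next
end
config firewall vip
    edit "dummy_vip"
        set type static-nat
        set extip 192.168.100.1
        set mappedip "192.168.101.1"
        set extintf "any"
        set arp-reply enable
    next
    edit "other_vip"
        set type static-nat
        set extip 10.0.0.1-10.0.0.10
        set mappedip "10.1.0.1"
        set arp-reply enable
    next
end
"""


def parse_objects(config_text):
    """Yield (table, name, settings) for each 'edit' block inside
    'config firewall ippool' and 'config firewall vip'."""
    table = name = None
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config firewall "):
            table = line.split()[2]
        elif line.startswith("edit ") and table in ("ippool", "vip"):
            name = line[5:].strip().strip('"')
            settings = {}
        elif line.startswith("set ") and name is not None:
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip().strip('"')
        elif line == "next" and name is not None:
            yield table, name, settings
            name = None
        elif line == "end":
            table = None


def address_range(table, settings):
    """Return the (first, last) IPv4 addresses an object covers.
    IP pools use startip/endip; VIPs use extip, a single IP or 'a-b'."""
    if table == "ippool":
        lo, hi = settings.get("startip"), settings.get("endip")
    else:
        lo, _, hi = settings.get("extip", "").partition("-")
        hi = hi or lo
    if not lo or not hi:
        return None
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi)


def arp_claimants(config_text, target):
    """Return 'table/name' for every object covering target with arp-reply
    enabled, i.e. the objects that make the FortiGate treat target as local."""
    target = ipaddress.ip_address(target)
    hits = []
    for table, name, settings in parse_objects(config_text):
        rng = address_range(table, settings)
        if rng is None:
            continue
        lo, hi = rng
        # Assumption: FortiOS defaults arp-reply to enable when the line is absent.
        if lo <= target <= hi and settings.get("arp-reply", "enable") == "enable":
            hits.append(f"{table}/{name}")
    return hits


if __name__ == "__main__":
    for claimant in arp_claimants(SAMPLE_CONFIG, "192.168.100.1"):
        print("arp-reply enabled for 192.168.100.1 in", claimant)
```

Run against a real dump, the script lists exactly the objects whose 'arp-reply' must be disabled (or whose range must be changed) before 'execute telnet' and PING to that address give meaningful results; an empty result means the FortiGate is not claiming the address through an IP pool or VIP and the cause lies elsewhere.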

 

Related articles:

Technical Tip: ARP reply setting in Virtual IP/IP Pool

Technical Tip: IP pool and virtual IP behavior changes in FortiOS 6.4, 7.0, 7.2, and 7.4
