Mx7733
New Contributor

Browser can't reach destination, telnet can

Hi there,

 

Let me start off by saying I'm new to Fortigate. I just passed NSE-2 and am currently 'studying' NSE-3 and afterwards NSE-4. I work for a small service provider and kind of got the firewall thrown in my lap. Not that I mind, I like the challenge, but still there is a lot to learn...

 

With that in mind, I ran into a conundrum. One of our clients has 9 stores with customer counters. One of these stores cannot connect with the server for updates. They all go through the same FW...

 

So I made a new policy for this location and get client-RST or Accept: IP connection error when using a laptop to go to the portal the counter should go to. When I Telnet to the location I can reach it without problems or errors on the FW.

 

Can anyone tell me what I can troubleshoot next?

 

If any more info is needed please tell me what you need. Thanks in advance

6 Replies
Toshi_Esumi
SuperUser

Since you're a service provider, I assume those FGTs (or just one?) are brand-new. Then my best advice would be to use TAC support wisely as needed.

Anyway, you mentioned "all go through the same FW". Is it at their HQ location? How can those stores get to the "FW"? Over VPNs? Give us a little more info about the topology.

Mx7733

I don't understand what a FGT is..

But we host their VPN and their breakout to the internet is through the firewall. Which I try to manage, poorly it seems. 

 

I've been googling the error messages, but come up short. How do I see what this means:

Action: Accept: IP connection error
Threat: 262144
Policy: 37
Policy UUID: be146836-0133-51ea-36c1-0b2da7f5b7a8
Policy Type: policy

 

Does this mean a NAT error because of the IP? Shouldn't this be a port error then? And why does this have a green 'check' under result, even though it doesn't work?

And at the same time I have an unchecked result for:

Action: client-rst
Policy: 37
Policy UUID: be146836-0133-51ea-36c1-0b2da7f5b7a8
Policy Type: policy

 

I do not understand what I should do with this error.

 

Regards,

 

Marnix

 

ede_pfau

FGT = Fortigate

 

from the serial numbers "FGT-xxx" :)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
ede_pfau

Unless you supply more information this is wild guessing. Not that I mind a challenge...

 

If telnet is allowed, and "going to" is not, then probably the service isn't allowed in policy 37.

Could you please post a screenshot, or the CLI (command line interface) equivalent "show firewall policy 37" in text form so that we can talk about that?

 


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Mx7733

I solved the problem, it wasn't the FW.

 

The CPE had no MTU 1492 configured, but that was needed for the ISP connection. Changing the setting solved this. 

 

Thanks for trying to help!!
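Added example, not part of the original thread: a short TCP handshake that succeeds while a browser session stalls is a common symptom of an MTU mismatch, because only full-size packets exceed the link's limit. The Python sketch below binary-searches the largest don't-fragment packet a path carries; the simulated path, the Linux iputils `ping` flags, the 576-1500 search range and the host name `portal.example` are assumptions.

```python
import subprocess

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df_probe(host):
    """Probe factory: one don't-fragment ICMP echo (Linux iputils ping, -M do)."""
    def probe(payload):
        cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def find_path_mtu(probe, low=576, high=1500):
    """Binary-search the largest IPv4 packet size that passes with DF set.

    probe(payload_bytes) -> bool. Returns None if even `low` does not pass.
    """
    if not probe(low - IP_ICMP_OVERHEAD):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid - IP_ICMP_OVERHEAD):
            low = mid        # a packet of size mid fits, look higher
        else:
            high = mid - 1   # a packet of size mid is dropped, look lower
    return low


def tcp_mss(mtu):
    """Largest TCP payload per segment for this MTU (no IP or TCP options)."""
    return mtu - 40  # 20-byte IPv4 header + 20-byte TCP header


def simulated_path(mtu):
    """Constructed stand-in for a real link: passes packets up to `mtu` bytes."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= mtu


if __name__ == "__main__":
    # Constructed demo: a path limited to 1492 bytes, the value from the thread.
    mtu = find_path_mtu(simulated_path(1492))
    print("path MTU:", mtu, "-> TCP MSS:", tcp_mss(mtu))
    # Against a real host (hypothetical name):
    #   find_path_mtu(ping_df_probe("portal.example"))
```

A result below 1500 on one site's path, while its CPE still advertises 1500, points at the CPE or ISP link rather than at the firewall policy.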

ede_pfau

Glad you solved it in the end. Every solution may be helpful for others in the future.


Ede

"Kernel panic: Aiee, killing interrupt handler!"