Atothendy
LMI behind dual NAT not connecting

Hi All,

I'm hoping for some guidance on a strange situation. We run an FG60E (7.0.7), trunking a few VLANs via UniFi switches (192.168.1.x/24, 10.15.x.x).

A third party has a SonicWall inside this network. The WAN on the SonicWall is 192.168.1.x and attaches to our VLAN1 network. The LAN side on the SonicWall is 10.120.x. There are no subnet conflicts.

A computer on our 10.15.x address can, reportedly, connect to LogMeIn Connect and establish a connection fine. I don't have visibility into their LMI platform to validate this, but I do have control of and access to the computer.

A computer on the vendor's 10.120.x network can connect to LMI, but cannot actually establish remote control. I've got control of and access to the computer and have temporarily created an LMI trial just so I can observe from my end.

What the third party is seeing on the vendor computer (and I can confirm) is that Bomgar, TacticalRMM and LMI are all establishing back-channels, but whenever someone tries to connect for screen sharing, it just times out or generates an error. I also have ScreenConnect and Splashtop on this computer and they connect fine.

The vendor is annoyed because "all our networks are the same across 30+ clients, and our upstream partner has the same deployment across hundreds, so what are you doing wrong?" (For the record, we work with another similar client who has the same vendor, and it's NOT the same at all.)

I've turned off all my IDS, application control and everything else. The firewall rule for outbound traffic is now:

config firewall policy
    edit 1
        set name "Default Outbound"
        set uuid 80740d4e-0192-51ed-5497-xxxxx
        set srcintf "internal" "aaa" "yyyy"
        set dstintf "WAN"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set tcp-session-without-syn all
        set logtraffic all
        set nat enable
    next
end

The "tcp-session-without-syn" setting I just added today, but it makes no difference.

I need to double-check that I'm not doing anything incorrectly on the FG at all. I've got another device to take and test a few alternate configurations tomorrow, but I can't see what I'm doing wrong, if anything, here.

I got a pcap file from the FortiGate and, while I haven't done substantial pcap reading in a long time, I did notice lots of dupes and SYN-ECN-CWR flags (which is why I tried the session-without-syn setting above).

I haven't reached out to TAC yet, but that's on my roadmap otherwise.

I have also, incidentally, tried disabling ECN on the endpoint in question (Server 2019).

AlexC-FTNT
Staff

"TCP-session-without-syn" and enabling asymmetric-routing should make no difference.

Make sure you did not 'mistakenly' disable any session-helper or SIP-ALG.

Then collect the packet capture without any change on the policy.

Also, a very simple test: try to establish the connection from behind the FortiGate directly, not through 2 firewalls. You should be sure where the problem comes from (FG or the other firewall).


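The capture and session-helper checks suggested above, as an added example that is not part of the reply. It assumes the FortiGate interface facing VLAN1 is "internal" and the SonicWall's WAN address on VLAN1 is 192.168.1.254; substitute the real values. Two caveats when reading the result: a capture on the "any" interface prints a forwarded packet once on ingress and once again on egress, so those copies look like duplicates, and a SYN carrying the CWR and ECE bits is ordinary ECN negotiation (RFC 3168), not a malformed packet.

```fortios
# Added example, not the thread's own commands. Assumed values:
#   FortiGate interface on VLAN1 ........ "internal"
#   SonicWall WAN address on VLAN1 ...... 192.168.1.254
# Replace both before running.

# 1. Confirm no session helper was removed. The default list includes
#    sip, ftp, pptp, rtsp, dns-udp, tftp and others.
show system session-helper
show system settings

# 2. Capture per interface instead of "any", so each forwarded packet
#    appears once. Syntax:
#    diagnose sniffer packet <intf> '<bpf filter>' <verbose> <count> <tsformat>
#    verbose 4 = headers with interface name, count 0 = until Ctrl-C,
#    'a' = absolute timestamps.
diagnose sniffer packet internal 'host 192.168.1.254 and tcp' 4 0 a

# 3. Trace the forwarding decision for the same traffic. The trace prints
#    the policy matched, the NAT applied, and an explicit reason if the
#    packet is dropped (for example a reverse-path check failure).
diagnose debug reset
diagnose debug flow filter addr 192.168.1.254
diagnose debug flow filter proto 6
diagnose debug flow trace start 200
diagnose debug enable
# ... reproduce the screen-sharing attempt on the vendor PC, then:
diagnose debug disable
diagnose debug reset

# 4. Look at the session table entries for the same source. The state
#    field shows whether the handshake completed on both sides of the NAT.
diagnose sys session filter src 192.168.1.254
diagnose sys session filter proto 6
diagnose sys session list
diagnose sys session filter clear
```

Run the sniffer and the flow trace in two separate CLI sessions so the trace output is not interleaved with packet lines; the flow trace is the one that answers "FG or other firewall", because a SYN that is seen on "internal" and traced through to "WAN" with NAT applied has left the FortiGate.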
gfleming
Staff

Can they disable NAT on the SonicWall? Add a route on the FGT for the 10.120.x network pointing to the SonicWall. See if it works when you disable one layer of NAT.

Cheers,
Graham
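The FortiGate side of the single-NAT test described above, as an added example that is not part of the reply. It assumes the vendor LAN is 10.120.0.0/16, the SonicWall's WAN address on VLAN1 is 192.168.1.254, the FortiGate interface on VLAN1 is "internal", and that policy ID 50 is unused; the SonicWall change itself (switching its WAN to route mode with no NAT) is the vendor's to make and is not shown.

```fortios
# Added example, not the thread's own configuration. Assumed values:
#   vendor LAN ........................ 10.120.0.0/16
#   SonicWall WAN address on VLAN1 .... 192.168.1.254
#   FortiGate interface on VLAN1 ...... "internal"
#   unused policy ID .................. 50
# Replace before applying.

# Address object for the vendor LAN so policies can reference it by name.
config firewall address
    edit "vendor-lan-10.120"
        set subnet 10.120.0.0 255.255.0.0
    next
end

# Static route to the vendor LAN via the SonicWall. Without it the
# FortiGate has no return path for 10.120.x, and packets sourced from
# 10.120.x arriving on "internal" fail the reverse-path check because
# the only route to that source is the default route via WAN.
config router static
    edit 0
        set dst 10.120.0.0 255.255.0.0
        set gateway 192.168.1.254
        set device "internal"
    next
end

# A dedicated policy for the vendor LAN, placed ahead of "Default
# Outbound" so its traffic is logged and counted separately. NAT stays
# enabled here, so the FortiGate is now the only NAT layer.
config firewall policy
    edit 50
        set name "Vendor LAN outbound (single NAT test)"
        set srcintf "internal"
        set dstintf "WAN"
        set action accept
        set srcaddr "vendor-lan-10.120"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
    move 50 before 1
end

# Verify the route is installed and that the new policy is matched.
get router info routing-table static
diagnose firewall iprope lookup 10.120.0.50 40000 1.1.1.1 443 tcp internal
```

The `diagnose firewall iprope lookup` line takes source address, source port, destination address, destination port, protocol and ingress interface and reports which policy would match; a result naming policy 50 confirms the route and policy are in effect before the vendor is asked to turn NAT off on their side.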