Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
arie_arie
New Contributor

Routing Issue on FortiGate 7.2.8

Hi,

I'm simulating FortiGate 7.2.8 in PNet and I found an issue with packet forwarding, or maybe a routing issue.

The topology is attached below.

Topology.jpg

R7 and R8 are able to ping the IPs on the FortiGate interfaces.

R7#ping 20.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R7#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/5 ms

R8#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R8#ping 20.20.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router#

But whenever R7 pings R8 or vice versa, the ping times out (RTO).

R8#ping 20.20.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

On the FortiGate, the firewall policy is already configured:

config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.240
        set allowaccess ping
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 20.20.20.1 255.255.255.240
        set allowaccess ping
        set type physical
        set snmp-index 2
    next
end

Since the networks are directly connected to the FortiGate, I believe I don't need to specify any static route.

FortiGate-VM64-KVM # get router info routing-table database
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       > - selected route, * - FIB route, p - stale info

Routing table for VRF=0
C    *> 10.10.10.0/28 is directly connected, port1
C    *> 20.20.20.0/28 is directly connected, port2


FortiGate-VM64-KVM # get router info kernel
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/32 pref=10.10.10.1 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.1/32 pref=10.10.10.1 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.15/32 pref=10.10.10.1 gwy=0.0.0.0 dev=3(port1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.255.1.0/32 pref=10.255.1.1 gwy=0.0.0.0 dev=12(fortilink)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.255.1.1/32 pref=10.255.1.1 gwy=0.0.0.0 dev=12(fortilink)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.255.1.255/32 pref=10.255.1.1 gwy=0.0.0.0 dev=12(fortilink)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->20.20.20.0/32 pref=20.20.20.1 gwy=0.0.0.0 dev=4(port2)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->20.20.20.1/32 pref=20.20.20.1 gwy=0.0.0.0 dev=4(port2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->20.20.20.15/32 pref=20.20.20.1 gwy=0.0.0.0 dev=4(port2)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=8(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=8(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=8(root)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=8(root)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/28 pref=10.10.10.1 gwy=0.0.0.0 dev=3(port1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.255.1.0/24 pref=10.255.1.1 gwy=0.0.0.0 dev=12(fortilink)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->20.20.20.0/28 pref=20.20.20.1 gwy=0.0.0.0 dev=4(port2)

Running debug flow, here is the output:

id=65308 trace_id=1 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 20.20.20.2:3->10.10.10.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=3, seq=0."
id=65308 trace_id=1 func=init_ip_session_common line=6080 msg="allocate a new session-0000004d, tun_id=0.0.0.0"
id=65308 trace_id=1 func=iprope_dnat_check line=5281 msg="in-[port2], out-[]"
id=65308 trace_id=1 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=1 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via port1"
id=65308 trace_id=2 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 20.20.20.2:3->10.10.10.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=3, seq=1."
id=65308 trace_id=2 func=init_ip_session_common line=6080 msg="allocate a new session-0000004e, tun_id=0.0.0.0"
id=65308 trace_id=2 func=iprope_dnat_check line=5281 msg="in-[port2], out-[]"
id=65308 trace_id=2 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=2 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=2 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via port1"
id=65308 trace_id=3 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 20.20.20.2:3->10.10.10.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=3, seq=2."
id=65308 trace_id=3 func=init_ip_session_common line=6080 msg="allocate a new session-0000004f, tun_id=0.0.0.0"
id=65308 trace_id=3 func=iprope_dnat_check line=5281 msg="in-[port2], out-[]"
id=65308 trace_id=3 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=3 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=3 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via port1"
id=65308 trace_id=4 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 20.20.20.2:3->10.10.10.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=3, seq=3."
id=65308 trace_id=4 func=init_ip_session_common line=6080 msg="allocate a new session-00000050, tun_id=0.0.0.0"
id=65308 trace_id=4 func=iprope_dnat_check line=5281 msg="in-[port2], out-[]"
id=65308 trace_id=4 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=4 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=4 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via port1"
id=65308 trace_id=5 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 20.20.20.2:3->10.10.10.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=3, seq=4."
id=65308 trace_id=5 func=init_ip_session_common line=6080 msg="allocate a new session-00000051, tun_id=0.0.0.0"
id=65308 trace_id=5 func=iprope_dnat_check line=5281 msg="in-[port2], out-[]"
id=65308 trace_id=5 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=5 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=5 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via port1"


FortiGate-VM64-KVM # diagnose sniffer  packet any 'host 10.10.10.2 and icmp' 4 0 1
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.10.10.2 and icmp]
3.229951 port2 in 20.20.20.2 -> 10.10.10.2: icmp: echo request
5.231535 port2 in 20.20.20.2 -> 10.10.10.2: icmp: echo request
7.230794 port2 in 20.20.20.2 -> 10.10.10.2: icmp: echo request
9.231431 port2 in 20.20.20.2 -> 10.10.10.2: icmp: echo request
11.233755 port2 in 20.20.20.2 -> 10.10.10.2: icmp: echo request

Is there anything missing from the FortiGate configuration?

Any suggestion?

Thanks

7 REPLIES
ozkanaltas
Contributor III

Hello @arie_arie,

It seems your FortiGate configuration is correct.

In my opinion, R7's and R8's IPs are not pingable. Can you try to ping from the FortiGate to the routers?

execute ping 20.20.20.2
execute ping 10.10.10.1

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
arie_arie

Hi,

It replies. Also, I have configured a default route on both routers.

FortiGate-VM64-KVM # execute  ping 20.20.20.2
PING 20.20.20.2 (20.20.20.2): 56 data bytes
64 bytes from 20.20.20.2: icmp_seq=0 ttl=255 time=4.6 ms
64 bytes from 20.20.20.2: icmp_seq=1 ttl=255 time=1.8 ms
64 bytes from 20.20.20.2: icmp_seq=2 ttl=255 time=1.1 ms
64 bytes from 20.20.20.2: icmp_seq=3 ttl=255 time=1.8 ms
64 bytes from 20.20.20.2: icmp_seq=4 ttl=255 time=1.9 ms

--- 20.20.20.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.1/2.2/4.6 ms

FortiGate-VM64-KVM # execute  ping 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes
64 bytes from 10.10.10.2: icmp_seq=0 ttl=255 time=5.9 ms
64 bytes from 10.10.10.2: icmp_seq=1 ttl=255 time=1.4 ms
64 bytes from 10.10.10.2: icmp_seq=2 ttl=255 time=1.6 ms
64 bytes from 10.10.10.2: icmp_seq=3 ttl=255 time=1.6 ms
64 bytes from 10.10.10.2: icmp_seq=4 ttl=255 time=1.4 ms

--- 10.10.10.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.4/2.3/5.9 ms

R7#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 20.20.20.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 20.20.20.1
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.20.20.0/28 is directly connected, Ethernet0/1
L        20.20.20.2/32 is directly connected, Ethernet0/1

R8#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.10.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/28 is directly connected, Ethernet0/0
L        10.10.10.2/32 is directly connected, Ethernet0/0

Thanks

AEK
SuperUser

Hi Arie

Indeed it is strange.

In my lab (lower FOS release), the same scenario as yours gives this log:

id=20085 trace_id=10 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.20.0.5 via port2"
id=20085 trace_id=10 func=iprope_fwd_check line=749 msg="in-[port1], out-[port2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=10 func=__iprope_tree_check line=556 msg="gnum-100004, use addr/intf hash, len=9"
id=20085 trace_id=10 func=__iprope_check_one_policy line=1933 msg="checked gnum-4e22 policy-4, ret-no-match, act-accept"
...
id=20085 trace_id=10 func=__iprope_check_one_policy line=1933 msg="checked gnum-4e22 policy-7, ret-matched, act-accept"
id=20085 trace_id=10 func=__iprope_check_one_policy line=2151 msg="policy-7 is matched, act-accept"
...

It seems your FG stops at the first line ("find a route") and creates a new session for every ping packet.

Another detail: I'm not sure if gw-0.0.0.0 is normal in your log.

id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via port1"

Do you have any configured VIP?

AEK
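The check AEK describes above, written out as an added example (not code from this thread or from Fortinet): a small Python parser that groups debug-flow lines by trace_id and flags a trace that finds a route but never reaches iprope_fwd_check or a policy match. The sample lines are copied from the two logs quoted in this thread; the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample, using lines quoted in this thread: trace 1 is from the
# failing 7.2.8 unit, trace 10 from AEK's working lab.
SAMPLE_LOG = """\
id=65308 trace_id=1 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 20.20.20.2:3->10.10.10.2:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=3, seq=0."
id=65308 trace_id=1 func=init_ip_session_common line=6080 msg="allocate a new session-0000004d, tun_id=0.0.0.0"
id=65308 trace_id=1 func=iprope_dnat_check line=5281 msg="in-[port2], out-[]"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via port1"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.20.0.5 via port2"
id=20085 trace_id=10 func=iprope_fwd_check line=749 msg="in-[port1], out-[port2], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=10 func=__iprope_check_one_policy line=2151 msg="policy-7 is matched, act-accept"
"""

LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
ROUTE_RE = re.compile(r'find a route: flag=\w+ gw-([\d.]+) via (\S+)')

def parse_traces(text):
    """Group (func, msg) pairs by trace_id, keeping line order."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[int(m.group(1))].append((m.group(2), m.group(3)))
    return traces

def analyse_trace(entries):
    """Describe how far one trace got through the forwarding path."""
    funcs = [f for f, _ in entries]
    res = {"gateway": None, "out_intf": None, "findings": [],
           "reached_fwd_check": "iprope_fwd_check" in funcs,
           "policy_matched": any("is matched" in m for _, m in entries)}
    for _, msg in entries:
        r = ROUTE_RE.search(msg)
        if r:
            res["gateway"], res["out_intf"] = r.group(1), r.group(2)
    # The symptom AEK points out: a route is found but the trace never reaches
    # iprope_fwd_check, so no policy is evaluated and nothing is forwarded.
    if res["gateway"] and not res["reached_fwd_check"]:
        res["findings"].append("ends after route lookup; forwarding/policy check never runs")
    # gw-0.0.0.0 is expected when the destination is directly connected; it is
    # reported here as informational, not as an error.
    if res["gateway"] == "0.0.0.0":
        res["findings"].append("next hop gw-0.0.0.0 (directly connected destination)")
    return res

def analyse_log(text):
    return {tid: analyse_trace(e) for tid, e in parse_traces(text).items()}
```

Call analyse_log() on the text of a "diagnose debug flow" capture; each trace_id maps to a dict whose "findings" list is empty when the trace reached a policy match.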
arie_arie
New Contributor

Hi,

No, I haven't configured any VIP.

Btw, in version 7.2, does the FortiGate need a purchased license so that the FGT can forward traffic? Just a random thought.

I haven't tried on a lower version yet; will try later.

Thanks

arie_arie
New Contributor

Hi,

I just tried on a lower version and the ping succeeds between the routers. Here is the version that works, with the same configuration as before.

FortiGate-VM64-KVM # get sys status
Version: FortiGate-VM64-KVM v7.2.0,build1157,220331 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2001-01-01 00:00)
Serial-Number: FGVMEVWxxxxxxxxx #Masked by myself
License Status: Valid
Evaluation License Expires: Thu May  2 06:33:58 2024
VM Resources: 1 CPU/1 allowed, 997 MB RAM/2048 MB allowed
Log hard disk: Not available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1157
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Apr 17 06:57:51 2024
Last reboot reason: power cycle

R7#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

R8#ping 20.20.20.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

I don't know why version 7.2.8 can't forward the packets. Maybe because of the invalid license?

FortiGate-VM64-KVM # get sys status
Version: FortiGate-VM64-KVM v7.2.8,build1639,240313 (GA.M)
Security Level: 1
Firmware Signature: certified
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
FMWP-DB: 0.00000(2001-01-01 00:00)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: FGVMEVS0DNYBZ1B7
License Status: Invalid
VM Resources: 1 CPU/1 allowed, 984 MB RAM/2048 MB allowed
Log hard disk: Not available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 2
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 1639
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Apr 17 07:00:44 2024
Last reboot reason: power cycle

ozkanaltas

Hello @arie_arie,

It definitely seems to be related to licensing status.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
AEK

Probably due to this:

FortiOS 7.2.1 introduces a new permanent trial license, which requires a FortiCare account. This trial license has limited features and capacity. See VM permanent trial license for details.

https://docs.fortinet.com/document/fortigate-private-cloud/7.2.0/kvm-administration-guide/504166

AEK