Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RolandBaumgaertner72
New Contributor II

Routing Problem???

Hello,

 

We just had a strange problem trying to install a FG cluster for a Zywall FW. Everything went OK besides the routing and connection to our MPLS network: we can't ping and we don't have access (tried also with ALL to ALL).

 

I think it is clearly an issue of the MPLS provider, since we also tried directly with a laptop behind the MPLS router and the same IP and gateway, and we can't access either.

 

Also routing should be fine: in Routing Monitor the FG sends the packet for the correct route, and doing a tracert we get like 6 hops and then it stops.

 

We never had this issue with our MPLS provider, but this is an installation abroad. Is it possible that they have a policy that just the old Zywall can have access to the MPLS network? With tracert behind the Zywall I get the exact same hops but it works. With the FG or with my laptop I have the same hops but it stops after 15ms and hop 7.

 

I am pretty sure that only our MPLS provider can solve the issue or am I missing something?

 

Thanks and regards,

 

 

Toshi_Esumi
Esteemed Contributor III

You need to show us your network topology, how the HA FGTs are connected to MPLS router and the Zywall FW. Hopefully you have a simple network diagram to share.

 

Toshi

Toshi_Esumi
Esteemed Contributor III

I misread your first sentence and didn't realize you just replaced Zywall with the FGT. Then the first and the last thing I would do is to call the MPLS provider. We can speculate what might be happening inside of the MPLS network if you provide more detail, like what subnets are on the other ends of the MPLS network and your results of traceroutes. But nothing would help fix the problem until you call them and they take a look at it.

 

Toshi

gfleming
Staff

I think you answered the question for yourself when you said your laptop has the exact same problem as the FortiGate. Sounds like this is not a FortiGate issue and definitely something to do with your WAN link.

 

You could try cloning the Zywall's MAC address onto the FortiGate and see if it works. Try in non-HA mode though as HA will use a virtual MAC.

 

config system interface
    edit "wan"
        set macaddr XX:XX:XX:XX:XX:XX
    next
end
 

Another question for you: are these hops you are seeing in traceroute internal hops or external? How many hops do you see beyond the FortiGate before it stops?

Cheers,
Graham
ede_pfau
Esteemed Contributor III

I remember having a lot of problems with an MPLS provider, and it always turned out to be their routing. I don't think the MAC has anything to do with that, as it's lost after the first hop (which even the FGT is able to get beyond). But authentication is something you should really be looking into.

 

In the end, they fixed their issues, we did nothing, and it worked.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Muhammad_Haiqal

Hi @ede_pfau ,

Looking at your statement, you already did troubleshooting by connecting directly to the MPLS itself.
Somehow it's now working. This indicates something wrong on the MPLS side.

I would suggest inviting MPLS technical onsite to do the troubleshooting.

haiqal
RolandBaumgaertner72

Hi,

 

This was indeed a big failure of the MPLS provider. They changed their routers some months ago and didn't change the configuration. For me it is still a wonder why it was working with the Zywall, but again, the first router had a bad route to the old router, which was not in use anymore. They changed the route and we had access.

 

Thanks!
