Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sceda
New Contributor II

VLAN configuration

Dear All,

 

few months ago I configured VLAN on my network and it worked corectly. After I have changed router to FTG 80C (5.2.5) the VLAN stopped working. I use HP switch which supports VLAN - I didn't change the configuration on it. I use on FTG advanced routing.

 

Idea is:

LAN - 192.168.1.0/24

VLAN - 192.168.5.0/24 - access to Internet but no access to LAN

 

Fortigate 192.168.1.99 <-> hp switch 192.168.1.106 (VLAN 192.168.5.2) <-> tp-link switch (WAN 192.168.5.3)

 

I added on FTG VLAN interface 192.168.5.1 and policy VLAN -> WAN.

 

When I am connected to tp-link I have no access to Internet - I can ping 192.168.5.2 but I can't ping 192.168.5.1 (VLAN interface on Fortigate). I think that I should add some Static Routes or Policy Routes?

Thank You in advance,

Bart.

 

2 Solutions
sceda
New Contributor II

Sorry for second post but I can only one attachment upload. Please see VLAN information form HP switch.

View solution in original post

JohnAgora

I think the error is

"id=20085 trace_id=1 func=ip_route_input_slow line=1273 msg="reverse path check fail, drop""

That means that you are missing a route for 192.168.5.0/24 (I guess) behind WiFiguests.

Once you add that static route, try again.

If you still can't access, try to run another debug and attach the file.

 

By the way, I suggest you give another check to your firewall policies and routing.

 

Cheers!

View solution in original post

13 REPLIES 13
emnoc
Esteemed Contributor III

Suggestion: A network topology of your configuration would be very helpful. Does the lan interface works? Is the vlan L3 configured on the FGT or elsewhere?

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
howardsinc

Hey Sceda,

 

Could you run the below debugs in the Fortigates CLI while trying to ping 8.8.8.8?

 

diag debug reset diag debug enable diag debug flow show console enable diag debug flow filter addr 192.168.5.x diag debug flow trace start 200

and when finsihed run: diag debug disable

 

Regards,

JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²

JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
sceda
New Contributor II

Hi,

 

thank You for answers. Please see attached lan configuration. WAN IP is not real. When I connect to WiFi LUF GUEST1 I can ping 192.168.5.2 but not 192.168.5.1. I can't ping 8.8.8.8 - so I don't think that is DNS problems.

 

Today I will do diag on router.

 

Regards,

Bart.

 

howardsinc

Hey Bart,

No problem. Could you post the Fortigate CLI diag flow output of that ping test?

 

After taking a look at your topology, I have a couple of theories:

 

1. Your HP Switch is not tagging, or tagging wrong VLAN associated with the 192.168.5.x subnet. This would result in a Reverse Path Check fail and packets would be dropped at Fortigate.     Solution: Make port facing WiFi guest router a access port to tag correct VLAN

 

2. Next, Link connected directly to Fortigate from HP switch is not Trunking/Tagging the VLAN associate with 192.168.5.x subnet. Traffic never making it to the Fortigate     Solution: Add allow vlan across trunk link interfacing with Fortigate

 

3. Next, Wifi users on 192.168.50.x are not NATing behind 192.168.5.3 and making it to the Fortigate with source IP of 192.168.50.x in which fortigate does not have a route back to 192.168.5.3, resulting in a Reverse Path Check fail and packets would be dropped at Fortigate.       Solution: add static route 192.168.50.x pointing to 192.168.5.3

 

4. Lastly, Fortigate sub-vlan Interface has incorrect VLAN associated. This would result in a Reverse Path Check fail and packets would be dropped at Fortigate.      Solution: Match Vlan interface with vlan of incoming packets associated with 192.168.5.x / 192.168.50.x

 

Along with the Diag flow output provide 'show ful sys int' output. With those two piece of information the problem should be able to be identified.

Regards,

Daniel

JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²

JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
sceda
New Contributor II

Hi Daniel,

howardsinc wrote:
Hey Bart, No problem. Could you post the Fortigate CLI diag flow output of that ping test?

please see attached file.

howardsinc wrote:
After taking a look at your topology, I have a couple of theories: 1. Your HP Switch is not tagging, or tagging wrong VLAN associated with the 192.168.5.x subnet. This would result in a Reverse Path Check fail and packets would be dropped at Fortigate. Solution: Make port facing WiFi guest router a access port to tag correct VLAN

On HP Switch I have two VLANs - one is default by HP and the second one is created by me (WiFiguest). Port 21 is connected to Fortigate. Ports 20 and 21 are connected to TP-link routers. Now I use only router on port 20.

Ports 20 & 21 are untagged on VLAN WiFiguest because TP-Link doesn't support vlan - is it correctly?

howardsinc wrote:
2. Next, Link connected directly to Fortigate from HP switch is not Trunking/Tagging the VLAN associate with 192.168.5.x subnet. Traffic never making it to the Fortigate Solution: Add allow vlan across trunk link interfacing with Fortigate

3. Next, Wifi users on 192.168.50.x are not NATing behind 192.168.5.3 and making it to the Fortigate with source IP of 192.168.50.x in which fortigate does not have a route back to 192.168.5.3, resulting in a Reverse Path Check fail and packets would be dropped at Fortigate. Solution: add static route 192.168.50.x pointing to 192.168.5.3 4. Lastly, Fortigate sub-vlan Interface has incorrect VLAN associated. This would result in a Reverse Path Check fail and packets would be dropped at Fortigate. Solution: Match Vlan interface with vlan of incoming packets associated with 192.168.5.x / 192.168.50.x Along with the Diag flow output provide 'show ful sys int' output. With those two piece of information the problem should be able to be identified. Regards, Daniel

 

Regards,

Bart.

 

sceda
New Contributor II

Sorry for second post but I can only one attachment upload. Please see VLAN information form HP switch.

JohnAgora

I think the error is

"id=20085 trace_id=1 func=ip_route_input_slow line=1273 msg="reverse path check fail, drop""

That means that you are missing a route for 192.168.5.0/24 (I guess) behind WiFiguests.

Once you add that static route, try again.

If you still can't access, try to run another debug and attach the file.

 

By the way, I suggest you give another check to your firewall policies and routing.

 

Cheers!

emnoc
Esteemed Contributor III

agreed, and diag debug flow is your friend ;)

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
sceda
New Contributor II

Thank You for help but I didn't find the solution :( I tried a lot of configurations - I added static route, policy route to Fortigate but I don't know what exactly there should be. I have firewall policy WiFiguest->wan2 + NAT.

 

Bart.

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors