Treuz
New Contributor

Unable to telnet/ping from Fortigate

Hello, i have a Fortigate 90D that is working pretty well. I'm having a problem in configuring a VIP to let an external application access a badge reader in my local LAN via telnet on port 9999, there is an issue (I believe) in the local segment of my network. Telnet (as well as ping) command is working fine from my PC to the badge reader: i can access the device via telnet and interact with the console. The weird thing is that the Fortigate cannot telnet into the badge reader: if I issue "execute telnet x.x.x.x 9999" the connection goes in timeout. FGT can telnet to other machines on the LAN. The problem seems to exist only between the FGT and the badge reader. All the machines (PC, servers) are on the same local subnet: they all go through a single switch that is connected to a Lan port on FGT. Anyone have some clue?

emnoc
Esteemed Contributor III

Again, use the CLI command "get router info routing all" and inspect the route table. Sounds like the FortiGate does NOT know how to reach the host.

Ken

 

PCNSE 

NSE 

StrongSwan  
Treuz
New Contributor

The host is directly connected through one of the FGT's switch ports; it sounds very strange to me that it's unable to reach it. By the way, this is my routing table:

Fortigate # get router info routing all
S* 0.0.0.0/0 [10/0] via x.x.x.x, wan1
C x.x.x.x/29 is directly connected, wan1
C 192.168.168.0/24 is directly connected, internal

 

Dave_Hall
Honored Contributor

Considering the FGT is on the same 192.168.168.x subnet as the telnet device, there shouldn't be any reason for it to even use a VIP/wf "WAN to Internal" policy to connect to it. Maybe you need to check or set the source interface in the ping options.

Edit: Can the FGT even ping any other device on the 192.168.168.x subnet?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
emnoc
Esteemed Contributor III

I would go one more step:

1: validate that "diag ip arp list" shows the ARP entry for .210

2: rule out any local host firewall on the target

3: check the routing on that host (most likely this is not an area of concern)

Do this:

open 2 ssh sessions to the FGT

      In window1: diag sniffer packet internal "dst host 192.168.168.210 and port 9999"

      In window2: execute telnet 192.168.168.210 9999

Do you see a SYN and a SYN/ACK? If yes on the former and no on the latter, you have an issue with the host.

 

 

PCNSE 

NSE 

StrongSwan  
Treuz
New Contributor

Maybe I've found something... In the local traffic log it appears that every telnet I've issued from the FortiGate to the device has the WAN IP as source address. I tried telnet from the FGT to other devices in the LAN and all of them have the FGT local address as source. What could this indicate?

emnoc
Esteemed Contributor III

The outgoing interface is going to be selected in the telnet, not the VIP and not the address used on the LAN, if the traffic is not egressing that interface. Bob is on the right track: you need to validate the packet reach using the ping options and setting the source. Again, when would the FortiGate telnet to the remote device?

BTW, I don't think you can select the source_addr on telnet/ssh originating from the FGT.

PCNSE 

NSE 

StrongSwan  
Hussien_Idris
New Contributor

Hello,

 

Well, going through your case, I can see you are unable to telnet to that particular machine. To end this confusion, kindly do the following:

- execute the following commands to test reachability from the FGT to your device:

    # execute ping-options source "Your FGT LAN IP" [though the source option won't be important since your device is in the same network]

    # execute ping "Your device"

If there is a reply, do the next step.

- execute the following debug flow commands on the FGT:

    # diagnose debug reset
    # diagnose debug flow show console enable
    # diagnose debug flow show function-name enable
    # diagnose debug flow show iprope enable
    # diagnose debug flow filter dport 9999
    # diagnose debug flow trace start 20
    # diagnose debug enable

- once the above commands are entered, try to telnet to your device on 9999 from outside and share the output.

Don't forget to disable and reset debug using the below:

    # diagnose debug disable
    # diagnose debug reset

NSE4, NSE5 & NSE7
Treuz

I changed the cabling: now the device is attached straight to one of the FGT's switch ports. I've also changed the ping-options as you suggested but nothing changed: I can telnet to the device from one of the LAN clients but telnet still doesn't work from the FGT.

 

This is the debug flow output:

 

Fortigate # diag debug reset
Fortigate # diag debug flow show function-name en
show function name
Fortigate # diag debug flow show iprope en
show trace messages about iprope
Fortigate # diag debug flow filter dport 9999
Fortigate # diag debug flow trace start 1000
Fortigate # diag debug en
Fortigate #
id=20085 trace_id=46 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag , seq 2465178324, ack 0, win 64240"
id=20085 trace_id=46 func=init_ip_session_common line=5390 msg="allocate a new session-00d5abef"
id=20085 trace_id=46 func=iprope_dnat_check line=4775 msg="in-[internal], out-[]"
id=20085 trace_id=46 func=iprope_dnat_tree_check line=835 msg="len=1"
id=20085 trace_id=46 func=__iprope_check_one_dnat_policy line=4650 msg="checking gnum-100000 policy-12"
id=20085 trace_id=46 func=get_new_addr line=2936 msg="find DNAT: IP-192.168.168.210, port-9999"
id=20085 trace_id=46 func=__iprope_check_one_dnat_policy line=4732 msg="matched policy-12, act=accept, vip=12, flag=100, sflag=800000"
id=20085 trace_id=46 func=iprope_dnat_check line=4788 msg="result: skb_flags-00800000, vid-12, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=46 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=46 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=3"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
id=20085 trace_id=46 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=46 func=__iprope_check line=1987 msg="gnum-4e23, check-f8af06c8"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-9, ret-no-match, act-accept"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-7, ret-matched, act-accept"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1958 msg="policy-7 is matched, act-accept"
id=20085 trace_id=46 func=__iprope_check line=2006 msg="gnum-4e23 check result: ret-matched, act-accept, flag-00202000, flag2-00000000"
id=20085 trace_id=46 func=get_new_addr line=2936 msg="find SNAT: IP-x.x.x.x(from IPPOOL), port-5163"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1958 msg="policy-8 is matched, act-accept"
id=20085 trace_id=46 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-8"
id=20085 trace_id=46 func=fw_pre_route_handler line=182 msg="VIP-192.168.168.210:9999, outdev-unkown"
id=20085 trace_id=46 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
id=20085 trace_id=46 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
id=20085 trace_id=46 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=46 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-19, ret-no-match, act-accept"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=46 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=46 func=__iprope_check_one_policy line=1958 msg="policy-0 is matched, act-drop"
id=20085 trace_id=46 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=46 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=47 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag , seq 2465178324, ack 0, win 64240"
id=20085 trace_id=47 func=init_ip_session_common line=5390 msg="allocate a new session-00d5ac17"
id=20085 trace_id=47 func=iprope_dnat_check line=4775 msg="in-[internal], out-[]"
id=20085 trace_id=47 func=iprope_dnat_tree_check line=835 msg="len=1"
id=20085 trace_id=47 func=__iprope_check_one_dnat_policy line=4650 msg="checking gnum-100000 policy-12"
id=20085 trace_id=47 func=get_new_addr line=2936 msg="find DNAT: IP-192.168.168.210, port-9999"
id=20085 trace_id=47 func=__iprope_check_one_dnat_policy line=4732 msg="matched policy-12, act=accept, vip=12, flag=100, sflag=800000"
id=20085 trace_id=47 func=iprope_dnat_check line=4788 msg="result: skb_flags-00800000, vid-12, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=47 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=47 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=3"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
id=20085 trace_id=47 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=47 func=__iprope_check line=1987 msg="gnum-4e23, check-f8af06c8"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-9, ret-no-match, act-accept"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-7, ret-matched, act-accept"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1958 msg="policy-7 is matched, act-accept"
id=20085 trace_id=47 func=__iprope_check line=2006 msg="gnum-4e23 check result: ret-matched, act-accept, flag-00202000, flag2-00000000"
id=20085 trace_id=47 func=get_new_addr line=2936 msg="find SNAT: IP-x.x.x.x(from IPPOOL), port-5163"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1958 msg="policy-8 is matched, act-accept"
id=20085 trace_id=47 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-8"
id=20085 trace_id=47 func=fw_pre_route_handler line=182 msg="VIP-192.168.168.210:9999, outdev-unkown"
id=20085 trace_id=47 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
id=20085 trace_id=47 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
id=20085 trace_id=47 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=47 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-19, ret-no-match, act-accept"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=47 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=47 func=__iprope_check_one_policy line=1958 msg="policy-0 is matched, act-drop"
id=20085 trace_id=47 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=47 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=48 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag , seq 2465178324, ack 0, win 64240"
id=20085 trace_id=48 func=init_ip_session_common line=5390 msg="allocate a new session-00d5ac64"
id=20085 trace_id=48 func=iprope_dnat_check line=4775 msg="in-[internal], out-[]"
id=20085 trace_id=48 func=iprope_dnat_tree_check line=835 msg="len=1"
id=20085 trace_id=48 func=__iprope_check_one_dnat_policy line=4650 msg="checking gnum-100000 policy-12"
id=20085 trace_id=48 func=get_new_addr line=2936 msg="find DNAT: IP-192.168.168.210, port-9999"
id=20085 trace_id=48 func=__iprope_check_one_dnat_policy line=4732 msg="matched policy-12, act=accept, vip=12, flag=100, sflag=800000"
id=20085 trace_id=48 func=iprope_dnat_check line=4788 msg="result: skb_flags-00800000, vid-12, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=48 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=48 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=3"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-10, ret-no-match, act-accept"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
id=20085 trace_id=48 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=48 func=__iprope_check line=1987 msg="gnum-4e23, check-f8af06c8"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-4294967295, ret-no-match, act-accept"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-9, ret-no-match, act-accept"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-4e23 policy-7, ret-matched, act-accept"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1958 msg="policy-7 is matched, act-accept"
id=20085 trace_id=48 func=__iprope_check line=2006 msg="gnum-4e23 check result: ret-matched, act-accept, flag-00202000, flag2-00000000"
id=20085 trace_id=48 func=get_new_addr line=2936 msg="find SNAT: IP-x.x.x.x(from IPPOOL), port-5163"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1958 msg="policy-8 is matched, act-accept"
id=20085 trace_id=48 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-8"
id=20085 trace_id=48 func=fw_pre_route_handler line=182 msg="VIP-192.168.168.210:9999, outdev-unkown"
id=20085 trace_id=48 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
id=20085 trace_id=48 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
id=20085 trace_id=48 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=48 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-19, ret-no-match, act-accept"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1762 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=20085 trace_id=48 func=__iprope_user_identity_check line=1590 msg="ret-matched"
id=20085 trace_id=48 func=__iprope_check_one_policy line=1958 msg="policy-0 is matched, act-drop"
id=20085 trace_id=48 func=iprope_fwd_auth_check line=815 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=20085 trace_id=48 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
Thanks in advance.
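The debug flow output above is long and repeats the same story three times (trace_id 46, 47, 48). The following script, added here as an example and not part of the thread or of any Fortinet tool, groups such lines by trace_id and reports two things a reviewer would look for: the leg on which the session was dropped, and a route lookup whose out-interface disagrees with the directly connected subnets in the posted "get router info routing all" output. The sample input is a subset of the trace_id=46 lines from the post above; the CONNECTED table is assumed to hold the posted route entry.

```python
import ipaddress
import re
# Sample input: a subset of the trace_id=46 lines from the debug flow output posted above.
SAMPLE_TRACE = """\
id=20085 trace_id=46 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 192.168.168.32:5163->x.x.x.x:9999) from internal. flag , seq 2465178324, ack 0, win 64240"
id=20085 trace_id=46 func=iprope_fwd_check line=760 msg="in-[internal], out-[wan1], skb_flags-00800000, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=46 func=__ip_session_run_tuple line=3142 msg="DNAT x.x.x.x:9999->192.168.168.210:9999"
id=20085 trace_id=46 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-192.168.168.210 via ssl.root"
id=20085 trace_id=46 func=iprope_fwd_check line=760 msg="in-[wan1], out-[ssl.root], skb_flags-008000c0, vid-12, app_id: 0, url_cat_id: 0"
id=20085 trace_id=46 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
"""
CONNECTED = {"192.168.168.0/24": "internal"}  # from the posted "get router info routing all"
LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
PKT_RE = re.compile(r"proto=(\d+), (\S+)->(\S+)\) from (\S+)\.")
FWD_RE = re.compile(r"in-\[([\w.]*)\], out-\[([\w.]*)\]")
DNAT_RE = re.compile(r"DNAT (\S+)->(\S+)")
ROUTE_RE = re.compile(r"gw-(\S+) via (\S+)")
DENY_RE = re.compile(r"Denied by (.+)")

def parse_trace(text):
    """Group debug flow lines by trace_id into one session record each."""
    sessions = {}
    for m in filter(None, map(LINE_RE.search, text.splitlines())):
        tid, func, msg = m.groups()
        s = sessions.setdefault(tid, dict(dst=None, dnat=None, route_via=None, legs=[], verdict="accept"))
        if func == "print_pkt_detail":          # original src/dst and the ingress interface
            s.update(zip(("src", "dst", "ingress"), PKT_RE.search(msg).group(2, 3, 4)))
        elif func == "iprope_fwd_check":        # one (in, out) pair per forward-policy lookup
            s["legs"].append(FWD_RE.search(msg).groups())
        elif func == "__ip_session_run_tuple" and msg.startswith("DNAT"):
            s["dnat"] = DNAT_RE.search(msg).group(2)   # destination after the VIP translation
        elif func == "vf_ip4_route_input":
            s["route_via"] = ROUTE_RE.search(msg).group(2)
        elif func == "fw_forward_handler" and DENY_RE.search(msg):
            s["verdict"] = "drop: " + DENY_RE.search(msg).group(1)
    return sessions

def diagnose(session):
    """Findings for one session: the leg that dropped, and a route that disagrees with the route table."""
    findings = []
    if session["verdict"] != "accept":
        findings.append(f"{session['verdict']} on leg {'->'.join(session['legs'][-1])}")
    try:
        ip = ipaddress.ip_address((session["dnat"] or session["dst"] or "").rsplit(":", 1)[0])
    except ValueError:                          # masked x.x.x.x address, or no packet line at all
        return findings
    for net, ifname in CONNECTED.items():
        if ip in ipaddress.ip_network(net) and session["route_via"] not in (None, ifname):
            findings.append(f"{ip} is connected on {ifname} but was routed via {session['route_via']}")
    return findings
```

Run against the full posted trace, each of the three sessions yields the same two findings: the drop happens on the wan1->ssl.root leg (implicit policy 0), and the DNAT'd destination 192.168.168.210 was routed via ssl.root although the route table lists 192.168.168.0/24 as directly connected on internal.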
