VLANs cant go to the internet
I have a Cisco Catalyst 4500 core switch, and various cisco access switches. There are a number of VLANs configured on the 4500 and each vlan has its own vlan interface with ip address configured which it is the default gateway of the PCs in the subnet. Ip-routing is enabled on the 4500 which allows traffic on the various VLANs to be routed back and forth. The internet gateway on the switch is an IP on the Fortigate (10.1.0.90).
I cant ping 10.1.0.90 on any of the VLANs except the VLAN the gateway was a member of. Once I dumped a PC onto the VLAN 10.1.x.x, I was able to ping that address with no problem. It looks like a 802.1Q issues.
I ran some debugging commands on the Fortigate and the 4500. I setup a running ping from my pc on another VLAN to ping the address on the 10.1.x.x VLAN. The packet is arriving but as you can see, has issues.
From the Fortigate:
id=13 trace_id=286 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=1, 10.1.20.3:1->10.1.0.90:8) from VLAN 20."
id=13 trace_id=286 func=init_ip_session_common line=4428 msg="allocate a new session-0034069f"
id=13 trace_id=286 func=ip_route_input_slow line=1279 msg="reverse path check fail, drop"
id=13 trace_id=286 func=ip_session_handle_no_dst line=4490 msg="trace"
# get router info routing-table all
C 10.1.0.0/20 is directly connected, port1
C 10.1.20.0/24 is directly connected, VLAN 20
I have read in other website that running the following command will correct the issue
config system settings
set asymroute enable
I ran the command in order to try the solution an it worked. The VLAN 20 can go to the internet nevertheless "If you enable asymmetric routing, antivirus and intrusion prevention systems will not be effective. Your FortiGate unit will be unaware of connections and treat each packet individually. It will become a stateless firewall".(FortiOs Handbook)
The asymmetric routing is when the FortiGate unit recognizes the same packets repeated on multiple interfaces, it blocks the session as a potential attack, I am creating VLAN subinterfaces in the same port where the core routes all traffic to internet
SW-CORE#sh ip route
Gateway of last resort is 10.1.0.90 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 32 subnets, 3 masks
C 10.1.0.0/20 is directly connected, Vlan1
C 10.1.30.0/24 is directly connected, Vlan30
C 10.1.20.0/24 is directly connected, Vlan20
S* 0.0.0.0/0 [1/0] via 10.1.0.90
Any advice since I do not want to enable asymmetric routing.