New subnet addition problem

Author: serakar999
2017/04/20 07:50:11


Hello,
 
Here is my situation:
 
1. Firewall FG-200D with three active interfaces, local network, internet and remote locations.
2. Remote locations are on a VPN managed by our provider.
3. Network interface that this VPN is connected has PING enabled.
 
We are adding one new location, so I have set up the new subnet.  That means a static route to the specific interface, and adding the new subnet to the groups that the other remote locations belong to.  Unfortunately, access from the local network to the new remote subnet is ok, but reverse access from the new subnet to the local network is not working at all.  We are not even able to ping the IP address of the firewall network card.  Also, nothing from that subnet is logged on the firewall.  I have tried everything, I even took a laptop and gave it the IP address that the firewall interface has, and connected it directly to the router, and that laptop can be pinged normally from the remote network.
 
I hope I have explained my situation enough.  What could be the problem?
 
Thank you
#1

9 Replies

    emnoc
    Re: New subnet addition problem 2017/04/20 08:37:52
    The CLI diag debug flow is your friend. Search here for tips on how to execute it. Based on if we are understanding you, traffic is working one-way but traffic originated from the new subnet inbound fails?
     
    Is that a correct  assumption?
     
    On the new remote subnet, can it ping the firewall address, assuming you have ping enabled and no (or a lack of) trusthost allowance?
     
     

    PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
    #2
    serakar999
    Re: New subnet addition problem 2017/04/20 08:56:31
    Thank you for the quick answer.  No trusted hosts are configured, ping is enabled on that interface.  I have tried diag debug flow, and also:
     
    diag sniffer packet any 'icmp and host x.x.x.x'
     
    It seems like the ping does not reach the firewall.  But how can that be possible when, using a laptop with the same IP as the firewall interface, the laptop responds to ping requests?  I really cannot think of anything else to check...
    #3
    Toshi Esumi
    Re: New subnet addition problem 2017/04/20 08:56:56
    Before anything else, the first thing I would do is just sniff (diag debug sniffer) the interface connected to your provider who does the VPN to see if packets initiated by the remote end are actually arriving at your FG. This would isolate whether the issue is on your FG side or the provider/the remote end. My guess is the latter.
    #4
    Toshi Esumi
    Re: New subnet addition problem 2017/04/20 09:08:14
    I meant to type (diag sniffer packet). Sorry.
    #5
    emnoc
    Re: New subnet addition problem 2017/04/20 12:47:49
    You're following the right path, so when you add the laptop in the mix, was the FGT interface configured exactly the same? Do you have a topology diagram of what you have?
     

    #6
    serakar999
    Re: New subnet addition problem 2017/04/20 14:34:38
    So, let me try to give some more details:
     
    1. Firewall interface ip is 192.168.3.2/24 (ping enabled) and Router interface ip is 192.168.3.1/24, connected directly.
    2. Behind the router there are subnets 10.20.30.0/24 to 10.20.39.0/24, there is a static route for each one on the firewall, one object for each, and one group which contains all the objects.  That group is used in 2-3 firewall rules.
    3. All subnets can ping the firewall interface ip (192.168.3.2), and also the router can ping it.
    4. New remote location is 10.20.40.0/24, added static route, created object and added it to the group.
    5. Result: Access from central LAN to the new location is ok, both pings, RDP, all the rules seem to work.  Access from the remote location router or remote location PC is impossible.  The remote PC pings the router interface (192.168.3.1) but nothing further than that.  Traceroutes show expected results, they end just before the firewall interface.
    6. First test:  Put a switch between firewall and router, connect a laptop, give it 192.168.3.5/24 ip and gateway the router.  Pc from remote location can ping it, it can ping the remote pc.  Laptop can also ping firewall ip and firewall can ping it.
    7. Second test:  Disconnect firewall, connect router directly to the laptop and give the laptop 192.168.3.2/24 ip and gateway the router.  The laptop can ping the remote pc, the remote pc can ping the laptop, total connectivity.
    8. During the tests, I have checked logs and run sniffer/debug commands, all show pings from other locations, pings from the new remote location show up nowhere.  Also, I have backed up the configuration and checked the file to see if the existing subnets are mentioned anywhere else than static route, object and group.  Nothing.
    9. Partner that configures vpn to remote locations has checked vpn configuration, with no luck.
     
    My conclusion from all the above is that the vpn configuration is correct.  Am I right or am I missing something?  If that is true, what can I check on the firewall?
     
    Two things that might or might not be important.  First, the firewall was administered up to last year by somebody that is no longer accessible.  This is the first new location that we had to add.  And second, when I say router, it is not really a router, but an OpenVPN server/aggregator.
     
    I hope I have made everything clear, if not please feel free to ask.  I really appreciate your help.
     
     
    post edited by serakar999 - 2017/04/20 14:35:39
    #7
    emnoc
    Re: New subnet addition problem 2017/04/20 20:37:42
    So back up, when you ran the diag commands you stated, and I quote:
     
     
    It seems like the ping does not reach the firewall

     
    If the remotes are not getting to the firewall, that needs to be fixed. Dumb question, but was a traceroute done both ways (from central LAN to new subnet & new subnet to the FGT interface)?
     
    Are you sure no PBR or packet-cal are in the path between fortigate -----router-----new-subnet?
     
    As an alternative (I'm suspecting the router btw), is it possible to add a loopback address to this openvpn gw and see if you can source pings from that device directly?
     
     
    e.g. (I'm a unix dude btw    ;) )
     
     
    macbook:~ root# ifconfig lo0 10.20.40.11 netmask 255.255.255.255 alias
    macbook:~ root# ifconfig lo0
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet6 ::1 prefixlen 128 
    inet 127.0.0.1 netmask 0xff000000 
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
    inet 10.20.40.11 netmask 0xffffffff 
    nd6 options=1<PERFORMNUD>
    macbook:~ root# 
     
     
    ping -S 10.20.40.11  192.168.3.2 
     
    The src would be some 10.20.40.xxxx address you applied on a virtual interface like a loopback on the openvpn server.
     
    Just make sure to unset it afterwards.
     
    ;)
     
    Ken
     

    #8
    emnoc
    Re: New subnet addition problem 2017/04/20 20:46:37
    FWIW I was bored so I placed a diagram of how it would look, using .11 as the guinea pig.
     
    Also, if this is a Unix OpenVPN server, you could dump on the 192.168.3.1 interface for the ping from the firewall.
     
    e.g.
     
    tcpdump -i em0 -nnnn -vvvv  host 10.20.40.11 and icmp
     
    Lastly, ensure that the new subnet has reach to the fortigate src-address that comes in. So if SNAT is or is not involved for the central LAN, ensure you have two-way routing.
     
     
     

    Attached Image(s)
    #9
    serakar999
    Re: New subnet addition problem 2017/05/08 02:58:23
    First of all, sorry for the delay in answering.
     
    Thank you once again for your help, you were correct, the problem was on OpenVPN's side.  The traffic arrived NAT'ed on the firewall interface because of a temporary setting that the provider had made.  Fortunately, after the fourth time that they said they checked everything, they really checked!
     
    Have a nice week.
    #10
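The check the thread converges on (sniff on the FortiGate side and see whether the new subnet's packets arrive at all, and with what source address) can be automated over saved sniffer output. The following is an added example, not code from the thread or from Fortinet: it assumes a "<ts> <src> -> <dst>: <proto>: <info>" line layout and uses constructed sample lines, the thread's subnets (10.20.30.0/24 to 10.20.39.0/24 plus the new 10.20.40.0/24) and the firewall interface 192.168.3.2. It reports known subnets that never show up (the symptom here) and sources that match no known subnet (what the provider's temporary NAT would look like from the firewall).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of FortiGate 'diag sniffer packet' output (not real captures).
SAMPLE_SNIFFER = """\
3.512345 10.20.31.15 -> 192.168.3.2: icmp: echo request
3.512400 192.168.3.2 -> 10.20.31.15: icmp: echo reply
4.001122 10.20.35.7 -> 192.168.3.2: icmp: echo request
4.001190 192.168.3.2 -> 10.20.35.7: icmp: echo reply
5.220000 100.64.0.9 -> 192.168.3.2: icmp: echo request
"""

# Subnets from the thread: existing remotes 10.20.30.0/24 .. 10.20.39.0/24 plus new 10.20.40.0/24.
REMOTE_SUBNETS = [ipaddress.ip_network(f"10.20.{n}.0/24") for n in range(30, 41)]
FIREWALL_IF = ipaddress.ip_address("192.168.3.2")  # FortiGate interface facing the OpenVPN box

# Assumed line layout: "<ts> <src> -> <dst>: <proto>: <info>"
LINE_RE = re.compile(r"^(?P<ts>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+(?P<proto>\w+):\s*(?P<info>.*)$")


def parse_line(line):
    """Return (src, dst, proto, info) for one sniffer line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), m["proto"], m["info"]


def audit_inbound(text, subnets=REMOTE_SUBNETS, fw_ip=FIREWALL_IF):
    """Classify ICMP echo requests aimed at the firewall interface.

    seen: requests per known remote subnet; silent: known subnets that never appear
    (the symptom in the thread); unexpected: sources outside every known subnet,
    which is what a NATed path from the provider looks like on the FortiGate.
    """
    seen, unexpected = Counter(), Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, info = parsed
        if dst != fw_ip or proto != "icmp" or "echo request" not in info:
            continue  # only inbound echo requests to the firewall matter here
        net = next((n for n in subnets if src in n), None)
        if net is None:
            unexpected[str(src)] += 1
        else:
            seen[str(net)] += 1
    silent = [str(n) for n in subnets if str(n) not in seen]
    return {"seen": dict(seen), "silent": silent, "unexpected": dict(unexpected)}
```

Run it on the output of the sniffer command from the thread with no host filter (or a filter on the firewall address only), since a filter on the expected remote source would hide exactly the NATed packets you are looking for.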