Support Forum
serakar999
New Contributor

New subnet addition problem

Hello,

 

Here is my situation:

 

1. Firewall FG-200D with three active interfaces, local network, internet and remote locations.

2. Remote locations are on a VPN managed by our provider.

3. Network interface that this VPN is connected has PING enabled.

 

We are adding one new location, so I have set up the new subnet.  That means a static route to the specific interface, and adding the new subnet to the groups that the other remote locations belong to.  Unfortunately, access from the local network to the new remote subnet is OK, but reverse access from the new subnet to the local network is not working at all.  We are not even able to ping the IP address of the firewall network card.  Also, nothing from that subnet is logged on the firewall.  I have tried everything; I even took a laptop, gave it the IP address that the firewall interface has, and connected it directly to the router, and that laptop can be pinged normally from the remote network.

 

I hope I have explained my situation enough.  What could be the problem?

 

Thank you

9 replies
emnoc
Esteemed Contributor III

The CLI diag debug flow is your friend. Search here for tips on how to execute it. If we are understanding you correctly, traffic is working one way but traffic originating from the new subnet inbound fails?

 

Is that a correct  assumption?

 

From the new remote subnet, can it ping the firewall address, assuming you have ping enabled and nothing in trusthosts blocking it?

 

 

PCNSE NSE StrongSwan
serakar999

Thank you for the quick answer.  No trusted hosts are configured, ping is enabled on that interface.  I have tried diag debug flow, and also:

 

diag sniffer packet any 'icmp and host x.x.x.x'

 

It seems like the ping does not reach the firewall.  But how can that be possible when, using a laptop with the same IP as the firewall interface, the laptop responds to ping requests?  I really cannot think of anything else to check...

serakar999

First of all, sorry for the delay in answering.

 

Thank you once again for your help, you were correct, the problem was on OpenVPN's side.  The traffic arrived NAT'ed on the firewall interface because of a temporary setting that the provider had made.  Fortunately, after the fourth time they said they had checked everything, they really checked!

 

Have a nice week.

Toshi_Esumi
SuperUser

Before anything else, the first thing I would do is just sniff (diag debug sniffer) the interface connected to your provider who does the VPN, to see if packets initiated by the remote end are actually arriving at your FG. This would isolate whether the issue is on your FG side or on the provider/remote end. My guess is the latter.

Toshi_Esumi
SuperUser

I meant to type (diag sniffer packet). sorry.

emnoc
Esteemed Contributor III

You're following the right path, so when you added the laptop to the mix, was the FGT interface configured exactly the same? Do you have a topology diagram of what you have?

 

PCNSE NSE StrongSwan
serakar999

So, let me try to give some more details:

 

1. Firewall interface IP is 192.168.3.2/24 (ping enabled) and router interface IP is 192.168.3.1/24, connected directly.

2. Behind the router there are subnets 10.20.30.0/24 to 10.20.39.0/24, there is a static route for each one on the firewall, one object for each, and one group which contains all the objects.  That group is used in 2-3 firewall rules.

3. All subnets can ping the firewall interface IP (192.168.3.2), and the router can also ping it.

4. New remote location is 10.20.40.0/24, added static route, created object and added it to the group.

5. Result: Access from the central LAN to the new location is OK; pings, RDP, all the rules seem to work.  Access from the remote location router or a remote location PC is impossible.  The remote PC pings the router interface (192.168.3.1) but nothing further than that.  Traceroutes show the expected results; they end just before the firewall interface.

6. First test:  Put a switch between the firewall and the router, connect a laptop, give it the IP 192.168.3.5/24 with the router as gateway.  The PC from the remote location can ping it, and it can ping the remote PC.  The laptop can also ping the firewall IP and the firewall can ping it.

7. Second test:  Disconnect the firewall, connect the router directly to the laptop and give the laptop the IP 192.168.3.2/24 with the router as gateway.  The laptop can ping the remote PC, the remote PC can ping the laptop, total connectivity.

8. During the tests, I have checked logs and run sniffer/debug commands; all show pings from other locations, while pings from the new remote location show up nowhere.  Also, I have backed up the configuration and checked the file to see if the existing subnets are mentioned anywhere other than the static route, object and group.  Nothing.

9. The partner that configures the VPN to remote locations has checked the VPN configuration, with no luck.

 

My conclusion from all the above is that the vpn configuration is correct.  Am I right or am I missing something?  If that is true, what can I check on the firewall?

 

Two things that might or might not be important.  First, the firewall was administered up to last year by somebody who is no longer accessible.  This is the first new location that we have had to add.  And second, when I say router, it is not really a router, but an OpenVPN server/aggregator.

 

I hope I have made everything clear, if not please feel free to ask.  I really appreciate your help.

 

 

emnoc
Esteemed Contributor III

So back up, when you ran the diag commands you stated, and I quote:

"It seems like the ping does not reach the firewall"

 

If the remotes are not getting to the firewall, that needs to be fixed. Dumb question, but was a traceroute done both ways (from the central LAN to the new subnet, and from the new subnet to the FGT interface)?

 

Are you sure no PBR or packet ACL is in the path between fortigate -----router-----new-subnet?

 

As an alternative (I'm suspecting the router, btw), is it possible to add a loopback address to this OpenVPN gateway and see if you can source pings from that device directly?

 

 

e.g. (I'm a unix dude, btw ;) )

 

 

macbook:~ root# ifconfig lo0 10.20.40.11 netmask 255.255.255.255 alias
macbook:~ root# ifconfig lo0
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 10.20.40.11 netmask 0xffffffff
	nd6 options=1<PERFORMNUD>
macbook:~ root#

 

 

macbook:~ root# ping -S 10.20.40.11 192.168.3.2

 

The source would be some 10.20.40.xxx address you applied on a virtual interface, like a loopback, on the OpenVPN server.

 

Just make sure to unset it afterwards.

 

;)

 

Ken

 

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

FWIW, I was bored so I placed a diagram of how it would look, using .11 as the guinea pig.

 

Also, if this is a unix OpenVPN server, you could dump on the 192.168.3.1 interface for the ping from the firewall.

 

e.g.

 

tcpdump -i em0 -nnnn -vvvv host 10.20.40.11 and icmp

 

Lastly, ensure that the new subnet can reach the source address that comes in from the FortiGate. So whether or not SNAT is involved for the central LAN, ensure you have two-way routing.

 

 

 

PCNSE NSE StrongSwan
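The loopback-sourced ping test described in the two posts above, written out as a script for the OpenVPN gateway. This is an added example, not code from the thread or from Fortinet: it adds a /32 alias in the new subnet on the loopback, captures what actually leaves the interface facing the FortiGate while pinging 192.168.3.2 from that alias, removes the alias again on exit, and flags any echo request whose source address is not in 10.20.40.0/24 (which is what the thread's eventual cause, traffic arriving NAT'ed at the firewall, looks like in a capture). The interface name em0, the test address 10.20.40.11 and the capture lines in the usage test are assumptions constructed for illustration. Unlike the macOS commands posted above, it also covers a Linux OpenVPN server, where the alias is added with iproute2 and ping's source flag is -I rather than -S.

```shell
#!/bin/sh
# Added example (not from the thread): source a ping into the FortiGate from a
# loopback alias inside the new subnet and check what source addresses really
# leave towards the firewall. Assumed values: em0, 10.20.40.11, 10.20.40.0/24.
set -u

FGT_IP="${FGT_IP:-192.168.3.2}"     # FortiGate interface address (from the thread)
TEST_SRC="${TEST_SRC:-10.20.40.11}" # guinea-pig address inside the new subnet (assumed)
NEW_NET="${NEW_NET:-10.20.40}"      # first three octets of the new /24
IFACE="${IFACE:-em0}"               # gateway interface facing the FortiGate (assumed)

# The thread's commands are the macOS/BSD flavour; a Linux OpenVPN server needs
# iproute2 and iputils syntax. These functions print (do not run) the right
# command for the kernel name in $1, normally "$(uname -s)".
loopback_add() {
  case "$1" in
    Linux) echo "ip addr add $2/32 dev lo" ;;
    *)     echo "ifconfig lo0 $2 netmask 255.255.255.255 alias" ;;
  esac
}
loopback_del() {
  case "$1" in
    Linux) echo "ip addr del $2/32 dev lo" ;;
    *)     echo "ifconfig lo0 $2 -alias" ;;
  esac
}
# ping's source-address flag is -I on iputils (Linux) and -S on BSD/macOS.
source_ping() {
  case "$1" in
    Linux) echo "ping -c 3 -I $2 $3" ;;
    *)     echo "ping -c 3 -S $2 $3" ;;
  esac
}

# Reads capture lines on stdin (tcpdump -nn or -vvvv output, or FortiGate
# 'diagnose sniffer packet ... 4' output; all put the source just before the
# '>' or '->' token) and prints, once each, every ICMP echo-request source
# outside the /24 prefix given in $1 (e.g. 10.20.40). A non-empty result means
# the firewall is not seeing the remote hosts' real addresses, so a policy or
# route keyed on 10.20.40.0/24 can never match that traffic.
check_sources() {
  awk -v pfx="$1." '
    /echo request/ {
      src = ""
      for (i = 2; i < NF; i++) if ($i == ">" || $i == "->") src = $(i - 1)
      sub(/:$/, "", src)
      if (src != "" && index(src, pfx) != 1 && !seen[src]++) print src
    }'
}

# End-to-end test; only runs as root when invoked as "sh this_script.sh run".
run_test() {
  os=$(uname -s)
  cap=$(mktemp)
  # Always remove the alias afterwards, even on Ctrl-C or a failed ping.
  trap 'sh -c "$(loopback_del "$os" "$TEST_SRC")"; rm -f "$cap"' EXIT INT TERM
  sh -c "$(loopback_add "$os" "$TEST_SRC")" || exit 1
  tcpdump -i "$IFACE" -nn -l icmp and host "$FGT_IP" > "$cap" 2>/dev/null &
  tp=$!
  sleep 1
  if sh -c "$(source_ping "$os" "$TEST_SRC" "$FGT_IP")"; then
    echo "OK: $FGT_IP answers a ping sourced from $TEST_SRC; the FortiGate routes the new subnet back"
  else
    echo "FAIL: no reply from $FGT_IP for source $TEST_SRC; look for the request in the FortiGate sniffer"
  fi
  sleep 1
  kill "$tp" 2>/dev/null
  wait "$tp" 2>/dev/null
  bad=$(check_sources "$NEW_NET" < "$cap")
  [ -z "$bad" ] || echo "WARNING: echo requests left $IFACE with a non-$NEW_NET.x source: $bad (NAT upstream?)"
}

if [ "${1:-}" = "run" ]; then
  run_test
fi
```

On the FortiGate side the matching capture is `diag sniffer packet <port> 'icmp' 4 0` with no host filter: a filter on the remote PC's address, like the one posted earlier in the thread, cannot match a request whose source has already been rewritten by the VPN gateway, which is exactly why NAT'ed traffic "shows up nowhere". If the request does arrive, `diag debug flow filter addr 10.20.40.11`, `diag debug flow trace start 10` and `diag debug enable` show the route and policy lookup the firewall makes for it (finish with `diag debug disable` and `diag debug flow filter clear`). Piping that sniffer output into `check_sources 10.20.40` gives the same unexpected-source list as the gateway-side capture.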