Support Forum
Alex_talmage
New Contributor

Stumbled across a bug? New interface on 800D not responding to ping, dhcp, policy matching

So today I began setting up a new Guest WiFi vlan, and I want an interface on my Fortigate 800D to be the default gateway. This will allow us to restrict traffic to our internal network but allow it out to the internet. Should be simple?!

I've been racking my brains and cannot get this new interface to work.

So it's configured as follows:

config system interface
    edit "port9"
        set vdom "root"
        set ip 10.0.0.254 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "Guest Wifi"
        set role lan
        set snmp-index 13
    next
end

 

DHCP is configured:  

    edit 4
        set default-gateway 10.0.0.254
        set netmask 255.255.255.0
        set interface "port9"
        config ip-range
            edit 1
                set start-ip 10.0.0.1
                set end-ip 10.0.0.253
            next
        end
        set timezone-option default
        set dns-server1 212.23.6.100
    next
end

 

And I've created a policy rule to allow the traffic out to the internet. For testing purposes it's source interface port9, destination interface wan2, any.

 

Port9 physically connects to a Cisco switch configured as:

switchport mode access
switchport access vlan 6

 

I connect a laptop to another port on the same switch, configured identically. With this config alone I believe I should be able to get a dhcp address in 10.0.0.1-10.0.0.253, ping the fortigate at 10.0.0.254, and browse the internet. I can't do any of those things.

 

diag sniffer packet 'port9' shows the broadcasts, so I believe they are arriving at the fortigate, but I never see any other than the initial broadcast. Same with a ping, I see ICMP arriving but nothing else.

 

I've configured a static ip address on the laptop and tried to ping, no dice.

 

I've got a DMZ network set up similarly to this, and the only difference I can see is under "Local-in Policy" (after enabling in Feature Select): I can see that ICMP and UDP 67 both exist in here against the DMZ network interface, but nothing for my new interface that I've set up. So I am guessing that the FortiGate is just dropping the packets. I'll add that these local-in policies have not been added manually via CLI; these are the read-only, automatically created versions.

 

I'm running 2x FG800D in a A/P cluster, v5.4.2,build1100 (GA). I've set up new interfaces before and not seen this issue. Any ideas?

localhost
Contributor III

Have you limited the ip ranges from which admin users can connect?

If 10.0.0.0/24 is not in this range, pings will be blocked.

 

Does not explain why you won't get a DHCP lease. Have you tried connecting your laptop directly to the Fortigate:Port9?

Alex_talmage

We do use trusted hosts, but I've entered the subnet into the trusted hosts section anyway.

 

I've just connected laptop directly to port9 and no dhcp lease. Setting a static address I still can't ping.

emnoc
Esteemed Contributor III

FWIW, you don't need policies for DHCP nor ping to work.

 

 

You're on a good path, but I would enable diag on dhcp-server services for the DHCP issues:

diag debug application dhcps -1

 

I would also run diag debug flow on the ping issues 

 

I'm sure both of these will give insight to the problem(s)

 

ken

PCNSE NSE StrongSwan
Alex_talmage

OK so I've got to the bottom of it, it was indeed a lack of resource to be able to apply the config that I'd made. I ran:

 

diag sys top

hit m to sort by memory

 

process wad was consuming 2GB of memory and overall utilization was at 80%.

 

diag sys kill 11 <pid>

 

This has now dropped to 33% and almost instantly my device got an address.

 

Huzzah!

 

Any ideas why this would have happened?
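A way to automate the check that was done by hand above, as an added example that is not from the thread: it parses `diag sys top`-style output, reports free memory from the totals line, and flags a single process over a threshold or a daemon whose worker processes together hog memory, the way the wad workers did here. The column order (name, pid, state, %CPU, %MEM) is assumed from FortiOS output and the sample is constructed, not a real capture.

```python
import re
from collections import namedtuple

# Constructed sample in the assumed 'diag sys top' layout:
# process name, pid, state, %CPU, %MEM (not a real capture).
SAMPLE_TOP = """\
Run Time:  12 days, 4 hours and 3 minutes
2U, 0N, 1S, 97I, 0WA, 0HI, 0SI, 0ST; 16000T, 3200F
            wad      842      S       0.3    12.5
            wad      843      S       0.0    46.1
      ipsengine      901      S       0.0     3.2
        miglogd      455      S       0.0     1.1
        cmdbsvr      123      S       0.0     0.9
"""

Proc = namedtuple("Proc", "name pid state cpu mem")

# One process row: name, pid, state flags, %CPU, %MEM.
PROC_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+([\d.]+)\s+([\d.]+)\s*$")

def parse_top(text: str) -> list:
    """Return one Proc per process row; header and totals lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            procs.append(Proc(m[1], int(m[2]), m[3], float(m[4]), float(m[5])))
    return procs

def mem_free_pct(text: str) -> float:
    """Percentage of memory free, taken from the 'NNNNT, NNNNF' totals line."""
    m = re.search(r"(\d+)T,\s*(\d+)F", text)
    if not m:
        raise ValueError("no memory totals line found")
    return round(100.0 * int(m[2]) / int(m[1]), 1)

def memory_hogs(procs: list, per_proc_pct: float = 30.0, daemon_pct: float = 50.0) -> list:
    """Processes above per_proc_pct, plus every instance of a daemon
    (e.g. the wad workers) whose instances together exceed daemon_pct."""
    hogs = {p.pid: p for p in procs if p.mem >= per_proc_pct}
    by_name = {}
    for p in procs:
        by_name.setdefault(p.name, []).append(p)
    for group in by_name.values():
        if sum(p.mem for p in group) >= daemon_pct:
            hogs.update({p.pid: p for p in group})
    return sorted(hogs.values(), key=lambda p: p.mem, reverse=True)
```

Feed it the pasted output of `diag sys top` and the returned pids are the ones to look at before reaching for `diag sys kill`; a low free percentage with no single hog usually points at many small workers of one daemon instead.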

josh

I think this may be related to bug ID # 443019 that was fixed in 5.6.4. We're seeing this on FortiOS 5.6.0 on a FG-VM though we haven't noticed any tangible impact yet.

 

Bug description: "After running for some time, the FG-30E console keep printing memory leak error messages."

 

I suspect it may not just be related to the 30E... More info about it here: https://forum.fortinet.com/tm.aspx?m=148257

localhost

I guess pinging the other way around Fortigate to Notebook doesn't work either?

Do the ping packets from the Fortigate go out on the correct interface, do they arrive at the notebook?

 

Is the 10.0.0.0/24 network visible in the routing table (as a 'connected' route)?

Some time ago I had an issue where this route was not added and I had to reconfigure the interface:

 

Reset all interface settings of port9 in the CLI (unset ..) and delete the DHCP server and related policies.

Then reconfigure with the GUI.

Alex_talmage
New Contributor

So diag debug enable, I'm seeing an error that doesn't look too pretty:

 

[__cmdb_bg_fork:670] fork( ) failed: 12(Cannot allocate memory)

[debug]dump HA master db: '/tmp/hasync/hasync.dhcpd/dhcpddb.sn=FG800D3916800609.o0uFal'

 

But I'm not seeing any DHCP requests in the debug. That first error, someone else has reported:

 

https://forum.fortinet.com/tm.aspx?m=148257

 

Could be this giving me grief?
