Unable to telnet/ping from Fortigate

Treuz
2018/06/20 06:54:19 (permalink)

Hello,

I have a Fortigate 90D that is working pretty well.
I'm having a problem configuring a VIP to let an external application access a badge reader in my local LAN via telnet on port 9999; there is an issue (I believe) in the local segment of my network.
Telnet (as well as ping) is working fine from my PC to the badge reader: I can access the device via telnet and interact with the console. The weird thing is that the Fortigate cannot telnet into the badge reader: if I issue "execute telnet x.x.x.x 9999" the connection times out. The FGT can telnet to other machines on the LAN. The problem seems to exist only between the FGT and the badge reader.
All the machines (PC, servers) are on the same local subnet: they all go through a single switch that is connected to a LAN port on the FGT.

Anyone have a clue?
#1

27 Replies

    rwpatterson
    Re: Unable to telnet/ping from Fortigate 2018/06/20 07:07:55 (permalink)
    Is the network connected to the Fortigate directly? Is the correct routing in place? (is basically what I'm asking)
     
    Also, do you have an IP pool set up that includes that single inside IP address? This will also prevent any Fortigate traffic from proceeding to the end host.
    post edited by rwpatterson - 2018/06/20 07:09:45

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.19-b0694
    FWF60B
    FWF80CM (4)
    FWF81CM (2)
     
    #2
    Treuz
    Re: Unable to telnet/ping from Fortigate 2018/06/20 07:14:41 (permalink)
    rwpatterson
    Is the network connected to the Fortigate directly? Is the correct routing in place? (is basically what I'm asking)

    Yes, the Fortigate is connected to a switch; all the devices (including my PC and the badge reader) are connected to the same switch in a single subnet.
     
    rwpatterson
    Also, do you have an IP pool set up that includes that single inside IP address? This will also prevent any Fortigate traffic from proceeding to the end host.

    No, I don't have any IP pool configured.
     
    I didn't have any problem in the past letting external devices access some resources on my local LAN.
    I still can't explain why my PC can telnet to the device and the Fortigate cannot.


     
    #3
    rwpatterson
    Re: Unable to telnet/ping from Fortigate 2018/06/20 07:19:29 (permalink)
    If you trace route from the Fortigate, what do you get?

     
    #4
    Treuz
    Re: Unable to telnet/ping from Fortigate 2018/06/20 07:40:42 (permalink)
    This is the traceroute output:
     
    Fortigate # exec traceroute 192.168.168.32
    traceroute to 192.168.168.32 (192.168.168.32), 32 hops max, 3 probe packets per hop, 72 byte packets
     1  192.168.168.32  3.464 ms  1.340 ms  0.826 ms

    Fortigate # exec traceroute 192.168.168.210
    traceroute to 192.168.168.130 (192.168.168.130), 32 hops max, 3 probe packets per hop, 72 byte packets
     1  * * *
     2  * * *
     3  * * *
     4  * * *
     5  * * *
     6  * * *
     7  * * *
     
    .32 is my laptop
    .210 is the badge reader
    .1 is the Fortigate
    #5
    Toshi Esumi
    Re: Unable to telnet/ping from Fortigate 2018/06/20 08:42:29 (permalink)
    Is the subnet mask 255.255.255.0 on both sides? You said it was working before. Did you change FW to FGT from something else? Or any other change happened since then? Sounds like the device doesn't see the FGT in the same subnet. Perhaps something got changed in the device config unless something is funky on the switch port.
     
    I would sniff packets with a laptop hooked up to a mirror port on the switch to see if the device port is getting packets from FGT and if responding. At least you should be able to narrow down which part is the problem; FGT, Switch, or the device.
    #6
    rwpatterson
    Re: Unable to telnet/ping from Fortigate 2018/06/20 08:48:07 (permalink)
    Have you set the PING options in the FGT?
     
    Gateway # exec ping-options 
    data-size        integer value to specify datagram size in bytes
    df-bit           set DF bit in IP header <yes | no>
    interval         integer value to specify seconds between two pings
    pattern          hex format of pattern, e.g. 00ffaabb
    repeat-count     integer value to specify how many times to repeat ping
    source           auto | <source interface ip>
    timeout          integer value to specify timeout in seconds
    tos              IP type-of-service option
    ttl              integer value to specify time-to-live
    validate-reply   validate reply data <yes | no>
    view-settings    view the current settings for ping option
     
    Gateway #

    post edited by rwpatterson - 2018/06/20 08:49:28

     
    #7
    Treuz
    Re: Unable to telnet/ping from Fortigate 2018/06/20 08:59:59 (permalink)
    toshiesumi
    Is the subnet mask 255.255.255.0 on both sides? You said it was working before. Did you change FW to FGT from something else? Or any other change happened since then? Sounds like the device doesn't see the FGT in the same subnet. Perhaps something got changed in the device config unless something is funky on the switch port.

    Well, I honestly didn't say that :)
    I said that telnet works from the Fortigate to my PC, but it doesn't work from the Fortigate to the device.
    The subnet mask is the same on every device in the network.
     
    toshiesumi
    I would sniff packets with a laptop hooked up to a mirror port on the switch to see if the device port is getting packets from FGT and if responding. At least you should be able to narrow down which part is the problem; FGT, Switch, or the device.

    I can try, but the thing I still can't explain is why the Fortigate is able to telnet to several machines except this damn device!


    rwpatterson
    Have you set the PING options in the FGT?
    Gateway # exec ping-options 
    data-size        integer value to specify datagram size in bytes
    df-bit           set DF bit in IP header <yes | no>
    interval         integer value to specify seconds between two pings
    pattern          hex format of pattern, e.g. 00ffaabb
    repeat-count     integer value to specify how many times to repeat ping
    source           auto | <source interface ip>
    timeout          integer value to specify timeout in seconds
    tos              IP type-of-service option
    ttl              integer value to specify time-to-live
    validate-reply   validate reply data <yes | no>
    view-settings    view the current settings for ping option
     Gateway #


    Nope, I didn't configure those settings.
     
    The only thing that makes sense to me is that the switch port where the device is attached is broken or something.
     
    EDIT: I tried changing the switch port where the device is attached, but I get the same exact results: neither ping nor telnet is working from the Fortigate.
    post edited by Treuz - 2018/06/20 09:02:53
    #8
    simonw
    Re: Unable to telnet/ping from Fortigate 2018/06/20 11:34:51 (permalink)
    Why do you need to telnet to this device from the Fortigate?
    #9
    Treuz
    Re: Unable to telnet/ping from Fortigate 2018/06/20 13:04:43 (permalink)
    Maybe I've found something...
    In the local traffic log it appears that every telnet I've issued from the Fortigate to the device has the WAN IP as source address.
    I tried telnet from the FGT to other devices in the LAN and all of them have the FGT local address as source.
    What could this indicate?
    #10
    emnoc
    Re: Unable to telnet/ping from Fortigate 2018/06/20 13:15:33 (permalink)
    The outgoing interface is going to be selected for the telnet, not the VIP and not the address used on the LAN, if the traffic is not egressing that interface. Bob is on the right track: you need to validate packet reachability using the ping options and setting the source. Again, when would the Fortigate telnet to the remote device?
     
    BTW, I don't think you can select the source_addr on telnet/ssh originating from the FGT.

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #11
    Treuz
    Re: Unable to telnet/ping from Fortigate 2018/06/20 13:32:55 (permalink)
    simonw
    Why do you need to telnet to this device from the Fortigate?

    Telnet/9999 is the way this device communicates with its server. I need to expose port 9999 on our WAN to let the server communicate with the client. Since telnet from the internet isn't working (I'm pretty sure the configuration is correct), I've ended up trying telnet straight from the Fortigate.
    #12
    emnoc
    Re: Unable to telnet/ping from Fortigate 2018/06/20 15:39:13 (permalink)
    Build an ippool of the VIP public address and call that in a policy with telnet:
     
     
    config firewall policy
        edit 0
            set srcintf <xxxx>
            set dstintf <yyyy>
            set action accept
            set srcaddr <insert inside host obj>
            set dstaddr <insert dst host obj>
            set nat enable
            set ippool enable
            set poolname <insert the earlier firewall ippool name>
            set schedule always
            set service TELNET PING
        next
    end
     

    #13
    Treuz
    Re: Unable to telnet/ping from Fortigate 2018/06/20 17:52:36 (permalink)
    I tried but it still doesn't work... this is my configuration:
     
    config firewall policy
    edit 23
    set srcintf "wan1"
    set dstintf "internal"
    set srcaddr "all"
    set dstaddr "Badge Reader VIP"
    set action accept
    set schedule "always"
    set service "PING" "tcp_9999" "TELNET"
    set logtraffic all
    set nat enable
    set fixedport enable
    set ippool enable
    set poolname "VIP public"
    next
    end
    #14
    rwpatterson
    Re: Unable to telnet/ping from Fortigate 2018/06/20 19:22:50 (permalink)
    Chances are it is simply a misconstructed custom service. Source port range is 1024(or 0)-65535 and the destination port range would be 9999-9999. I'll bet you have 9999 in the source as well. That would definitely make the WAN access fail. I can't say anything toward the Fortigate's access to the device. Also in the policy you posted above, disable NAT and remove the IPPool settings (unset them). IP Pools are source NAT settings. You don't wish to change the incoming IP addresses to that of your Fortigate, do you? NAT should only need to be enabled on outward (WAN) facing policies to mask private IP addresses from reaching the Internet. ISPs won't let them out anyway, but that's another story...
     
    You could probably toss the 'fixedport enable' as well.
    post edited by rwpatterson - 2018/06/20 19:29:00

     
    #15
    emnoc
    Re: Unable to telnet/ping from Fortigate 2018/06/20 20:59:35 (permalink)
    That policy looks very bad. First, are you trying to ACCESS the VIP from wan1, or is the mapped address behind the VIP trying to access something over the internet on port 9999?
     
     
    You're not clear about what you're doing; you need to clarify whether this is internet <outward>, or <inward> from the internet to the mapped inside host.
     

    #16
    Treuz
    Re: Unable to telnet/ping from Fortigate 2018/06/21 01:57:23 (permalink)
    OK, perhaps I misunderstood your suggestion and the policies were messed up.
     
    This is my first version of the VIP/Policy, before opening this thread:
     
    config firewall vip
        edit "Badge Reader VIP"
            set extip x.x.x.x
            set extintf "any"
            set portforward enable
            set mappedip "192.168.168.210"
            set extport 9999
            set mappedport 9999
        next
    end

    config firewall policy
        edit 23
            set name "Telnet 9999"
            set srcintf "wan1"
            set dstintf "internal"
            set srcaddr "all"
            set dstaddr "Badge Reader VIP"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end
     
    I have configured several services on the Fortigate to be accessible from the internet and all of them have an almost identical configuration.
    I'm having problems just with this badge reader. Maybe it's this custom device that is, in someway, corrupted?
    #17
    rwpatterson
    Re: Unable to telnet/ping from Fortigate 2018/06/21 14:59:58 (permalink)
    I have never set up a Virtual IP with the source interface of 'any'. I feel it's poor programming, especially if you know that all of your connections are coming from a single interface. Did you try setting that to 'wan1' instead?
    post edited by rwpatterson - 2018/06/21 15:19:11

     
    #18
    Treuz
    Re: Unable to telnet/ping from Fortigate 2018/06/21 15:35:02 (permalink)
    You're right, I was supposed to set wan1 as the source interface. I just tried it, but unfortunately nothing changed: I still cannot telnet to the device from the public IP nor from the firewall.
    Tomorrow I'll try connecting the other end of the cable straight into one of the FGT ports and see if that solves it.
    #19
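As an added example (not a configuration any poster in this thread published), here is the VIP, custom service and inbound policy from post #17 rewritten to incorporate the points raised in #15 and #18: the custom service carries only a destination port, the VIP is bound to wan1 instead of "any", the policy references the single custom service rather than ALL, and source NAT / IP pool are left off on the inbound policy. The object names "tcp_9999" and "Badge Reader VIP" are reused from the thread; x.x.x.x stands for the real public address and is an assumption.

```fortios
# Added example, not a poster's configuration. Object names reused from the
# thread; x.x.x.x is a placeholder for the real public IP.

# 1. Custom service: destination port 9999 only. The source port range is
#    left at its default (any); putting 9999 in the source range as well is
#    the misconstructed-service case described in #15.
config firewall service custom
    edit "tcp_9999"
        set tcp-portrange 9999
    next
end

# 2. VIP: bound to wan1 (#18) rather than "any"; forward 9999 -> 9999 on
#    the badge reader.
config firewall vip
    edit "Badge Reader VIP"
        set extip x.x.x.x
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.168.210"
        set extport 9999
        set mappedport 9999
    next
end

# 3. Inbound policy: destination is the VIP object, service is the single
#    custom service (not ALL), and NAT / IP pool are off so the reader sees
#    the real client address (#15). Replaces policy 23 from post #17.
config firewall policy
    edit 23
        set name "Telnet 9999"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Badge Reader VIP"
        set action accept
        set schedule "always"
        set service "tcp_9999"
        set logtraffic all
        set nat disable
    next
end
```

The security-relevant difference from the #17 version is the service: with `set service "ALL"` the policy admits every protocol to the reader once the VIP matches, whereas the VIP's port forward only rewrites 9999, so restricting the policy to the one custom service keeps the exposure to exactly the port the server needs.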
    emnoc
    Re: Unable to telnet/ping from Fortigate 2018/06/21 15:51:21 (permalink)
    FWIW
     
    "Any" in the VIP is okay. Now, is the mapped IP address correct? Is the inside interface correct?
     
    Did you run the diag debug flow commands to ensure it's first hitting your outside VIP and being DNAT'd?
     

    #20
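As an added example (commands assembled for this page, not pasted by any poster), here is the verification sequence the thread circles around in #7, #11 and #20: force the ping source to the internal interface address, check whether the FGT has an ARP entry for the reader at all, sniff the internal interface, and trace an inbound connection through the VIP to confirm the DNAT and policy match. Addresses are the thread's (FGT internal 192.168.168.1, badge reader 192.168.168.210, laptop .32); the policy ID in the expected output assumes the inbound rule is still policy 23.

```fortios
# Added example of the checks discussed in #7, #11 and #20; not from a poster.
# Addresses are the thread's: FGT internal 192.168.168.1, badge reader .210.

# a) Force the ping source to the internal interface address (#7). With the
#    default "auto" source, the address of the egress interface is used; the
#    local traffic log in #10 showed the WAN address being used instead.
execute ping-options source 192.168.168.1
execute ping-options view-settings
execute ping 192.168.168.210

# b) Does the FGT resolve the reader's MAC at all? If .32 (the laptop) has a
#    complete entry and .210 does not, the problem is at layer 2 (switch port
#    or the device itself), not in any policy or VIP.
get system arp | grep 192.168.168.
diagnose ip arp list | grep 192.168.168.210

# c) Sniff the internal interface for anything to/from the reader while the
#    ping runs. Verbosity 4 prints interface names; 20 = stop after 20 packets.
#    ARP requests with no reply = the device never answers the FGT.
diagnose sniffer packet internal 'host 192.168.168.210 or arp' 4 20

# d) Trace an inbound test connection from the internet to <public IP>:9999
#    and confirm it matches the VIP (DNAT) and the inbound policy (#20).
#    Filter on the port only: the address filter is applied to the packet as
#    received, so an address filter would need the public IP, not the mapped
#    one. Run these, then start the telnet from outside.
diagnose debug flow filter clear
diagnose debug flow filter port 9999
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

# Lines to look for in the trace (paraphrased; exact wording varies by
# FortiOS release):
#   DNAT x.x.x.x:9999->192.168.168.210:9999      <- VIP matched
#   Allowed by Policy-23                         <- inbound policy matched
#   SNAT ...                                     <- should NOT appear; if it
#                                                   does, the inbound policy
#                                                   still has NAT / IP pool on
#   No arp entry / dropped by ...                <- layer-2 or route problem

# e) Always clean up, otherwise the flow trace keeps printing to the console.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
```

On older 5.x builds the function-name switch is `diagnose debug flow show console enable` instead; everything else is the same. The order matters for the inbound test: set the filter and start the trace before the external client connects, or the first packets (the ones that show the DNAT step) are not captured.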