Support Forum
Treuz
New Contributor

Unable to telnet/ping from Fortigate

Hello, I have a Fortigate 90D that is working pretty well. I'm having a problem configuring a VIP to let an external application access a badge reader in my local LAN via telnet on port 9999; there is an issue (I believe) in the local segment of my network. The telnet (as well as ping) command works fine from my PC to the badge reader: I can access the device via telnet and interact with the console. The weird thing is that the Fortigate cannot telnet into the badge reader: if I issue "execute telnet x.x.x.x 9999" the connection times out. The FGT can telnet to other machines on the LAN. The problem seems to exist only between the FGT and the badge reader. All the machines (PC, servers) are on the same local subnet: they all go through a single switch that is connected to a LAN port on the FGT. Does anyone have a clue?

rwpatterson
Valued Contributor III

Is the network connected to the Fortigate directly? Is the correct routing in place? (is basically what I'm asking)

 

Also, do you have an IP pool set up that includes that single inside IP address? This will also prevent any Fortigate traffic from proceeding to the end host.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Treuz

rwpatterson wrote:

Is the network connected to the Fortigate directly? Is the correct routing in place? (is basically what I'm asking)

Yes, the Fortigate is connected to a switch; all the devices (including my PC and the badge reader) are connected to the same switch in a single subnet.

 

rwpatterson wrote:

Also, do you have an IP pool set up that includes that single inside IP address? This will also prevent any Fortigate traffic from proceeding to the end host.

No, I don't have any IP pool configured.

I didn't have any problems in the past letting external devices access some resources on my local LAN.

I still can't explain why my PC can telnet to the device and the Fortigate cannot.

 

rwpatterson
Valued Contributor III

If you trace route from the Fortigate, what do you get?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Treuz

This is the traceroute output:


Fortigate # exec traceroute 192.168.168.32
traceroute to 192.168.168.32 (192.168.168.32), 32 hops max, 3 probe packets per hop, 72 byte packets
 1  192.168.168.32  3.464 ms  1.340 ms  0.826 ms
Fortigate # exec traceroute 192.168.168.210
traceroute to 192.168.168.130 (192.168.168.130), 32 hops max, 3 probe packets per hop, 72 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *


.32 is my laptop

.210 is the badge reader

.1 is the Fortigate

Toshi_Esumi
Esteemed Contributor III

Is the subnet mask 255.255.255.0 on both sides? You said it was working before. Did you change FW to FGT from something else? Or any other change happened since then? Sounds like the device doesn't see the FGT in the same subnet. Perhaps something got changed in the device config unless something is funky on the switch port.

 

I would sniff packets with a laptop hooked up to a mirror port on the switch to see if the device port is getting packets from FGT and if responding. At least you should be able to narrow down which part is the problem; FGT, Switch, or the device.
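One way to act on the mirror-port suggestion above, as an added example that is not part of the thread: a small Python analyzer that reads tcpdump-style lines captured on the mirror-port laptop and reports, for a given client, which step (ARP request, ARP reply, SYN, SYN-ACK) is the first one missing on the device's port. The capture lines are constructed to match the thread's scenario (.1 is the FGT, .32 the laptop, .210 the badge reader, port 9999); they are sample data, not output from the original post.

```python
import re

# Constructed tcpdump-style lines as a laptop on a switch mirror port might
# capture them (sample data for this example, not from the original thread).
SAMPLE_CAPTURE = """\
10:00:01.000 ARP, Request who-has 192.168.168.210 tell 192.168.168.1, length 28
10:00:02.000 ARP, Request who-has 192.168.168.210 tell 192.168.168.1, length 28
10:00:03.000 ARP, Request who-has 192.168.168.210 tell 192.168.168.32, length 28
10:00:03.001 ARP, Reply 192.168.168.210 is-at 00:11:22:33:44:55, length 28
10:00:03.002 IP 192.168.168.32.51000 > 192.168.168.210.9999: Flags [S], seq 1, length 0
10:00:03.003 IP 192.168.168.210.9999 > 192.168.168.32.51000: Flags [S.], seq 2, ack 2, length 0
"""
ARP_REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
ARP_REP = re.compile(r"ARP, Reply (\S+) is-at")
TCP = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def analyze(capture, client, device, port):
    """Record which steps of client -> device:port were seen on the mirror port."""
    seen = dict(arp_request=False, arp_reply=False, syn=False, syn_ack=False, rst=False)
    last_requester = None  # heuristic: an ARP reply answers the latest request seen
    for line in capture.splitlines():
        if m := ARP_REQ.search(line):
            if m.group(1) == device:
                last_requester = m.group(2)
                seen["arp_request"] |= m.group(2) == client
        elif m := ARP_REP.search(line):
            seen["arp_reply"] |= m.group(1) == device and last_requester == client
        elif m := TCP.search(line):
            src, sport, dst, dport, flags = m.groups()
            if (src, dst, int(dport)) == (client, device, port):
                seen["syn"] |= "S" in flags and "." not in flags
            elif (src, int(sport), dst) == (device, port, client):
                seen["syn_ack"] |= "S" in flags and "." in flags
                seen["rst"] |= "R" in flags
    return seen

def diagnose(seen):
    """Name the first leg that fails, in the order a TCP connect must succeed."""
    if not seen["arp_request"]:
        return "no ARP request from client on the device port: switch/VLAN path"
    if not seen["arp_reply"]:
        return "device saw ARP but did not reply: device-side mask/gateway/ACL"
    if not seen["syn"]:
        return "ARP resolved but no SYN on the device port: switch path"
    if seen["rst"]:
        return "device refused port: nothing listening for this client"
    if not seen["syn_ack"]:
        return "SYN delivered but device silent: device-side filtering"
    return "handshake completed: path is fine"
```

Run `diagnose(analyze(SAMPLE_CAPTURE, "192.168.168.1", "192.168.168.210", 9999))` for the FGT and the same call with "192.168.168.32" for the laptop to compare the two paths from one capture.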

rwpatterson
Valued Contributor III

Have you set the PING options in the FGT?

 

Gateway # exec ping-options 
data-size        integer value to specify datagram size in bytes
df-bit           set DF bit in IP header <yes | no>
interval         integer value to specify seconds between two pings
pattern          hex format of pattern, e.g. 00ffaabb
repeat-count     integer value to specify how many times to repeat ping
source           auto | <source interface ip>
timeout          integer value to specify timeout in seconds
tos              IP type-of-service option
ttl              integer value to specify time-to-live
validate-reply   validate reply data <yes | no>
view-settings    view the current settings for ping option
 
Gateway #

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Treuz

toshiesumi wrote:

Is the subnet mask 255.255.255.0 on both sides? You said it was working before. Did you change FW to FGT from something else? Or any other change happened since then? Sounds like the device doesn't see the FGT in the same subnet. Perhaps something got changed in the device config unless something is funky on the switch port.

Well, I honestly didn't say that :) I said that telnet is working from the Fortigate to my PC, but it doesn't work from the Fortigate to the device. The subnet mask is the same on every device in the network.

 

toshiesumi wrote:

I would sniff packets with a laptop hooked up to a mirror port on the switch to see if the device port is getting packets from FGT and if responding. At least you should be able to narrow down which part is the problem; FGT, Switch, or the device.

I can try, but the thing I still can't explain is why the Fortigate is able to telnet to several machines except this damn device!

rwpatterson wrote:

Have you set the PING options in the FGT?

Gateway # exec ping-options 
data-size        integer value to specify datagram size in bytes
df-bit           set DF bit in IP header <yes | no>
interval         integer value to specify seconds between two pings
pattern          hex format of pattern, e.g. 00ffaabb
repeat-count     integer value to specify how many times to repeat ping
source           auto | <source interface ip>
timeout          integer value to specify timeout in seconds
tos              IP type-of-service option
ttl              integer value to specify time-to-live
validate-reply   validate reply data <yes | no>
view-settings    view the current settings for ping option
 Gateway #

Nope, I didn't configure those settings

 

The only thing that makes sense to me is that the switch port where the device is attached is broken or something.

EDIT: I tried changing the switch port where the device is attached, but I get the same exact results: neither ping nor telnet is working from the Fortigate.

simonw
New Contributor

Why do you need to telnet to this device from the Fortigate?

Treuz
New Contributor

simonw wrote:

Why do you need to telnet to this device from the Fortigate?

Telnet on port 9999 is the way this device uses to communicate with its server. I need to expose port 9999 on our WAN to let the server communicate with the client. Since telnet from the internet isn't working (I'm pretty sure that the configuration is correct), I've ended up trying telnet straight from the Fortigate.
