Cannot Add Subnet to Address Group

Author
ephemeric
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/09/05 06:26:29
  • Status: offline
2018/10/10 10:55:47 (permalink)
0

Cannot Add Subnet to Address Group

Hi,
I have configured a partially redundant IPsec VPN with two local links going to a single link, static IP server.
The two links are seen as dial-up on the remote FG.
I used the wizard to do all configs.
SDWAN is used to team the two WAN links.
I added via the CLI an interface monitor for the primary VPN tunnel so failover can happen.
 
Everything works as expected except for... on the dial-up side the wizard creates a remote address group for VPN subnets.
Try as I might, I cannot add another subnet as an address object into said group. The newly created address object is not shown in available addresses.
On the remote end I can add a subnet into the local address group for the VPN. Why does it work this side? Because it's the server and not dial-up or possibly the interface monitor has got something to do with it?
 
The only way for this to work on the dial-up side was to delete the config and use the wizard again and add all required subnets at config time so the group is created accordingly.
This doesn't help as I need to add and remove subnets as required.
The workaround in the meantime was to create another phase 2 SA with the required subnets which I don't want to do each time.
I'm stumped, lost an entire day trying to work this out.
Please can someone help me out of this mess?
I'm not sure what configs and how much to post; I will be happy to do so when instructed.
Thank you.
#1
hampy
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/01/27 14:10:18
  • Status: offline
Re: Cannot Add Subnet to Address Group 2019/01/27 15:05:25 (permalink)
0
Same issue here.
#2
DangerZone
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/02/10 02:05:10
  • Status: offline
Re: Cannot Add Subnet to Address Group 2019/02/10 02:08:04 (permalink) (marked helpful by smcguire 2019/04/24 10:42:10)
0
Man - this drove me insane too but I found a solution.
 
Under Policies & Objects -> Addresses
Clone one of the addresses created by the Wizard.
Rename and change the IPv4 address.
The new address will now be available within the group -> add address menu.
 
One thing I noticed that's different about the auto generated addresses is that "static route configuration" is enabled.
 
Enjoy :)
#3
smcguire
New Member
  • Total Posts : 9
  • Scores: 2
  • Reward points: 0
  • Joined: 2016/12/13 09:26:08
  • Location: Quincy, MA USA
  • Status: offline
Re: Cannot Add Subnet to Address Group 2019/04/24 10:42:27 (permalink)
0
Thanks!  Saved me a lot of time with this answer.
 
-Stephen
#4
makco10
Silver Member
  • Total Posts : 91
  • Scores: 0
  • Reward points: 0
  • Joined: 2015/01/20 15:21:33
  • Location: Honduras
  • Status: offline
Re: Cannot Add Subnet to Address Group 2019/06/25 07:17:47 (permalink)
0
Hello,
 
Also, you can enable static route configuration via the GUI.
 
Regards.

Defend Your Enterprise Network With Fortigate Next Generation Firewall

#5
rc179
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/08/15 07:59:58
  • Status: offline
Re: Cannot Add Subnet to Address Group 2019/08/15 08:19:23 (permalink)
0
If an address object has an interface specified you won't be able to use it anywhere that the interface is different, or you have other objects in the group with a different interface, or no interface, defined. It's easier to just not define an interface on the address objects. I haven't found anywhere that this has a functional effect, so all it's doing is making the setup more difficult to do.
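As an added illustration (not from any poster in this thread), here is the FortiOS CLI form of what the last two replies describe: the GUI "Static route configuration" toggle is the allow-routing attribute of the address object, and leaving associated-interface unset avoids the interface-mismatch restriction described above, since FortiOS only allows an object into a group whose existing members have the same interface setting (or none). The object and group names, the subnet, and the comparison object are placeholder assumptions; inspect one of the wizard-created objects first so the new one is built to match.

```text
# Added example, not the wizard's output. Names and subnet are placeholders.
# Step 1: look at a wizard-created member to see which attributes it carries
show firewall address "WIZARD_CREATED_OBJECT"

# Step 2: create the new subnet object with the same attributes
config firewall address
    edit "VPN_REMOTE_SUBNET_2"
        set type ipmask
        set subnet 10.20.0.0 255.255.255.0
        # "Static route configuration" in the GUI; matches the wizard-created objects
        set allow-routing enable
        # associated-interface deliberately left unset so it can join any group
    next
end

# Step 3: append the object to the wizard-created group without touching existing members
config firewall addrgrp
    edit "VPN_REMOTE_GROUP"
        append member "VPN_REMOTE_SUBNET_2"
    next
end

# Step 4: confirm the membership took
show firewall addrgrp "VPN_REMOTE_GROUP"
```

If the group still refuses the object, compare the `show firewall address` output of an existing member against the new one: any difference in associated-interface, or a member that has an interface set while the new object has none, is what blocks the add. Use `append` rather than `set member` so the wizard's existing members are not overwritten.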
#6