60D ARP issue? | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB

Mark Thread UnreadFlat Reading Mode ❐

Hot!60D ARP issue?

Author Post Essentials Only Full Version
mzachar New Member Total Posts : 4 Scores: 0 Reward points: 0 Joined: 2019/04/21 11:56:12 Status: offline 2019/04/21 13:16:01 (permalink) 5.4 0 60D ARP issue? Hello, I have FGT 60D (5.4.1) in FW only role. No other features enabled. Brief config is as follows: vswitch1 (software switch) = internal1, internal2 in LAN role. DHCP Server enabled on it. Device Detection enabled. Active Scanning disabled. Additionally, internal1 (phy-port) has 2 VLANs configured, each with DHCP Server enabled, similar as above. Only one FW policy defined, allowing all from Internal to WAN1. To internal1 I have L3 switch enabled. There are no ACLs, no L2 filtering enabled. No traffic alternations, everything takes place in flat native VLAN (1) for internal1. Those 2 additional VLANs are not yet deployed. Now, when I connect through LAN port of switch I get ip from DHCP server (FGT). ARP table on PC is updated with FGT ip/mac. When I disconnect from LAN and connect through AP (not Forti, no special config, one flat VLAN, same as when on LAN connection), I get ip from DHCP server (FGT) but there are no ARP replies from FGT in packet capture. PC keeps sending ARP requests for FGT MAC, but without reply from FGT and ARP table on PC is not updated with FGT ip/mac. No communication is possible. Connecting back to LAN fixes ARP. Is there any default policy that may affect this behavior? Does FGT somehow detects this is same host but with different MACs (LAN & WLAN) and blocks ARP replies? #1 FortiOS, DHCP 5 Replies Related Threads
Dave Hall Expert Member Total Posts : 1458 Scores: 160 Reward points: 0 Joined: 2012/05/11 07:55:58 Location: Canada Status: offline Re: 60D ARP issue? 2019/04/22 07:39:16 (permalink) 0 On fortinet AP equipment the wifi controller has options for suppressing various broadcast messages, including ARP. Perhaps you need to check to see if this 3rd party AP hardware has similar options. Attached Image(s) NSE4/FMG-VM64/FortiAnalyzer-VM/5.4/6.0 (FWF40C/FW92D/FGT200D/FGT101E)/ FAP220B/221C #2
mzachar New Member Total Posts : 4 Scores: 0 Reward points: 0 Joined: 2019/04/21 11:56:12 Status: offline Re: 60D ARP issue? 2019/04/23 12:47:50 (permalink) 0 Thanks Dave for your reply, but now I am sure its FGT causing ARP "problem". To simplify things my network topology is as follows: FGT:internal1 <-----> Switch <-----> AP1 "ssid:RED" FGT:internal2 <-----> AP2 "ssid:BLUE" FGT reboot. Connecting via AP1 ("RED") or Switch is OK. As long as I connect through Internal1 to FGT (doesn't matter if through AP1 or Switch) I get ip from DHCP server and ARP requests from PC are answered by FGT. Communication is OK. Now, when at this point I connect to AP2 ("BLUE") or directly (via LAN) to Internal2, I get DHCP from FGT but ARP request from PC are not answered by FGT. Now, rebootin FGT again and doing symmetrical thing, connecting to AP2 or directly to Internal2 just after FGT reboot, everything is OK. I can switch between AP2 or Internal2 access without issues. But trying to connect to AP1 or via Switch which are connected to Internal1, results in ARP issue (DHCP is ok, just ARPs are not answered by FGT). So, there must be some feature at FGT that prevents ARP between Internal1 and Internal2, despite the fact, these ports serve the same network (same native VLAN), they are part of software switch. Is this an issue? Or is this expected by desing? How change this behavior to have a "single" network served by both physical ports? This is my port config: config system interface edit "internal1" set vdom "root" set type physical set alias "phy-port1" set role lan set snmp-index 7 next edit "internal2" set vdom "root" set type physical set alias "phy-port2" set role lan set snmp-index 8 next edit "vswitch_1" set vdom "root" set ip 192.168.0.1 255.255.255.0 set allowaccess ping https ssh set type switch set device-identification enable set role lan set snmp-index 9 next edit "vlan_10" set vdom "root" set ip 192.168.10.1 255.255.255.0 set allowaccess ping https ssh set role lan set snmp-index 10 set interface "internal1" set vlanid 10 next edit "vlan_20" set vdom "root" set ip 192.168.20.1 255.255.255.0 set allowaccess ping https ssh set role lan set snmp-index 11 set interface "internal1" set vlanid 20 next #3
emnoc Expert Member Total Posts : 5209 Scores: 339 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: 60D ARP issue? 2019/04/23 14:34:10 (permalink) 0 Mac Address tables show sow mac.addr flap but does the deviec interface when directly connecting or WLAN have a different ether.address so I would check that and do a diag sniffer to see ARP requests arriving from WLAN. If you have no ARP request than the issues in the wifi overlay. The FGT could care less if it's wired or wireless clients imho Ken Felix PCNSE, NSE , Forcepoint , StrongSwan Specialist #4
mzachar New Member Total Posts : 4 Scores: 0 Reward points: 0 Joined: 2019/04/21 11:56:12 Status: offline Re: 60D ARP issue? 2019/04/24 01:14:51 (permalink) 0 Hi emnoc, I will rephrase my situation for clarity. I can connect to LAN or WLAN (back and forth) as long as I stay connected to service provided by the same port on FGT, either Internal1 OR Internal2. All is OK, DHCP & ARP work OK. But in scenario when PC was previously connected to LAN or WLAN thorugh Internal1 port, and there was no FGT reboot before trying to connect to LAN or WLAN serviced by Internal2 port on FGT, DHCP is OK, but ARP replies do not come from FGT. I need to reboot FGT to be able to use LAN or WLAN serviced by Internal2 port, but again when I move to LAN or WLAN serviced by Internal1 port (without FGT reboot in between), again DHCP is ok but ARP problem arises. WLAN overlay is not a problem. I have done traffic capture, ARP requests from PC are visible on Switch uplink port to FGT for LAN or WLAN connected PC. But I am willing to do diag sniff on FGT itself if somebody will point me to a guide, how to configure it, as I am FGT newbie. EDIT: found nice explanation of diag sniffer tool. Will update this thread later. https://kb.fortinet.com/k...nk.do?externalID=11186 post edited by mzachar - 2019/04/24 02:17:45 #5
mzachar New Member Total Posts : 4 Scores: 0 Reward points: 0 Joined: 2019/04/21 11:56:12 Status: offline Re: 60D ARP issue? 2019/04/26 08:00:07 (permalink) 0 SOLVED: It was a bug in FortiOS 5.4.1 (and 5.4.3, also 5.4.5) After upgrade to FortiOS v5.6.2 build1486 (GA) problem disappeared. No changes to Switch or APs config were made. Upgrades to 5.4.3 build 1111 and 5.4.5 build 1138 did not solve this problem. post edited by mzachar - 2019/04/26 08:01:15 #6

Jump to:

© 2019 APG vNext Commercial Version 5.5