Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
danfor443
New Contributor

WAN IP Unknown

Hello everyone,

 

on "Dashboard -> System Information" it says "WAN IP - Unknown".

 

Do you know this issue?

Do i have to allow specific ports / Settings on WAN1?

 

The Firewall is a Fortigate 100E with Version 6.0.9 Build 0335 (GA).

 

 

I found something where people could "solve" this problem with 'diagnose sys waninfo' or 'diagnose sys waninfo ipify'.

But i is not working for me.

 

I can't see any denies on "Diag sniffer packet" or "syslog".

 

 

 

**********************************************************************

# diagnose sys waninfo Failed to get my public IP, ret=0 src_ip=0.0.0.0 vfid=-1(null) Command fail. Return code 5

**********************************************************************

 

 

********************************************************************** # diagnose sys waninfo ipify Try to get my public IP through [link]https://api.ipify.org[/link] with src_ip=0.0.0.0 vfid=0(root) ... Failed to get my public IP, ret=-1 src_ip=0.0.0.0 vfid=0(root) Command fail. Return code 5 **********************************************************************

 

 

Best Regards,

Danfor

7 REPLIES 7
Toshi_Esumi
Esteemed Contributor III

That's just a command to check what IP it's using to go out to the internet, equivalent to type "what's my ip" in Google search. It wouldn't fix the problem you have. You basically don't have internet. That's what it means.

Check the WAN1 interface config under Network->Interface if it's matching ISP's or upstream router's setting, like DHCP or PPPoE. If everything is correct, then you need to call your ISP or whoever manage the upstream router.

emnoc
Esteemed Contributor III

FWIW, and if not obvious your  wan-ip needs to be public and in the geo-db to begin with. So just want to point that out. I would  find my public address and check a geoip source and then trouble shoot. If your using api.ipify.org, you can diagsniffer and see if it's connecting to the API interface if the request fails, than you need to trouble connectivity.

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
danfor443

Hello,

 

"It wouldn't fix the problem you have" -> you're right. Just mentioned it because some people did this as "helpful workaround".

 

"You basically don't have internet" -> Thats the point. Internet connection works. I have a working Site2Site-VPN and a working traffic flow to the internet and vice versa.

 

What i forgot to mention: This WAN1 Interface has a public IP. It has a straight Link to the Internet.

 

That means, as far as i can see everything works fine, but it says "WAN IP unknown".

Toshi_Esumi
Esteemed Contributor III

What's in your routing-table then?

"get router info routing-t all"

rwpatterson
Valued Contributor III

If you go to any IP checking website with any device on the network, it will show you the IP address that the interface is using, UNLESS you are part of a NAT pool. Additionally, as stated earlier, if you go to 'System, Network, wanx', it should show you the address that is being given to the interface.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
danfor443

Got the Problem.... DNS Request doesn't work.

 

Following scenario:

a Branch-Firewall with Outside-Interface IP 123.123.123.123 and an Inside-IF with 192.168.1.1

a HQ-Firewall with Outside-Interface IP 999.999.999.999 and an Inside-IF with 172.12.1.1

Both are connected via IPsec-Tunnel. The IPsec Tunnel is bound to each Outside-IF!

DNS-Servers are only in HQ.

 

If a Branch-client with 192.168.1.2 asks e.g. DNS-Request its IP-Source-Header is like 192.168.1.2.

The HQ-DNS-Server receives this packet and sends back to 192.168.1.2 over the HQ-Firewall.

The HQ-Firewall knows this Target IP 192.168.1.2 from routing Table and sends it back over IPsec-Tunnel and everything works.

 

Now the problem:

The Branch-Fortigate itself is sending a DNS-Request to HQ-DNS Server BUT with its Outside-IF IP 123.123.123.123 as source-header.

The HQ-DNS-Server receives this packet and sends back to 123.123.123.123 over the HQ-Firewall.

The HQ-Firewall knows this Target IP 123.123.123.123 from routing Table and sends it back over OUTSIDE-INTERFACE to the INTERNET because it is a public IP and should use the Default-Route.

And thats why is doesn't work.

 

 

What can i do here?

 

Best Regards

brycemd

In the DNS setting set a source-ip to define the IP it should be coming from. There's a lot of services that benefit from this over a VPN tunnel, like LDAP and RADIUS or even just doing a ping across from the fortigate.

 

config sys dns

set source-ip

 

The alternative is to give your VPN tunnel routable interfaces rather than the default 0.0.0.0/0.0.0.0. Since that's essentially why it's source IP is the wan, the interface it is trying to go across is 0.0.0.0

 

 

Labels
Top Kudoed Authors