WAN IP Unknown

Author
danfor443
2020/07/08 00:49:25 (permalink)
Hello everyone,
 
On "Dashboard -> System Information" it says "WAN IP - Unknown".
 
Do you know this issue?
Do I have to allow specific ports / settings on WAN1?
 
The Firewall is a Fortigate 100E with Version 6.0.9 Build 0335 (GA).
 
 
I found something where people could "solve" this problem with 'diagnose sys waninfo' or 'diagnose sys waninfo ipify'.
But it is not working for me.
 
I can't see any denies on "Diag sniffer packet" or "syslog".
 
 
 
**********************************************************************
# diagnose sys waninfo
Failed to get my public IP, ret=0 src_ip=0.0.0.0 vfid=-1(null)
Command fail. Return code 5
**********************************************************************
 
 
**********************************************************************
# diagnose sys waninfo ipify
Try to get my public IP through https://api.ipify.org with src_ip=0.0.0.0 vfid=0(root) ...

Failed to get my public IP, ret=-1 src_ip=0.0.0.0 vfid=0(root)
Command fail. Return code 5
**********************************************************************
 
 
Best Regards,
Danfor
#1


    Toshi Esumi
    Re: WAN IP Unknown 2020/07/08 08:42:11 (permalink)
    That's just a command to check what IP it's using to go out to the internet, equivalent to typing "what's my ip" in Google search. It wouldn't fix the problem you have. You basically don't have internet. That's what it means.
    Check the WAN1 interface config under Network->Interface to see if it matches the ISP's or upstream router's setting, like DHCP or PPPoE. If everything is correct, then you need to call your ISP or whoever manages the upstream router.
    #2
    emnoc
    Re: WAN IP Unknown 2020/07/08 09:20:32 (permalink)
    FWIW, and if not obvious, your wan-ip needs to be public and in the geo-db to begin with. So just want to point that out. I would find my public address and check a geoip source and then troubleshoot. If you're using api.ipify.org, you can diag sniffer and see if it's connecting to the API interface; if the request fails, then you need to troubleshoot connectivity.
     
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #3
    danfor443
    Re: WAN IP Unknown 2020/07/09 22:35:25 (permalink)
    Hello,
     
    "It wouldn't fix the problem you have" -> you're right. Just mentioned it because some people did this as "helpful workaround".
     
    "You basically don't have internet" -> That's the point. Internet connection works. I have a working Site2Site-VPN and a working traffic flow to the internet and vice versa.
     
    What I forgot to mention: This WAN1 interface has a public IP. It has a straight link to the Internet.
     
    That means, as far as I can see, everything works fine, but it says "WAN IP unknown".
    #4
    Toshi Esumi
    Re: WAN IP Unknown 2020/07/09 22:53:49 (permalink)
    What's in your routing-table then?
    "get router info routing-t all"
    #5
    rwpatterson
    Re: WAN IP Unknown 2020/07/10 05:33:49 (permalink)
    If you go to any IP checking website with any device on the network, it will show you the IP address that the interface is using, UNLESS you are part of a NAT pool. Additionally, as stated earlier, if you go to 'System, Network, wanx', it should show you the address that is being given to the interface.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com


    -5.0.14-b0323
    FWF81CM (1)
     
    -4.3.19-b0694
    FWF80CM (2)
    FWF81CM (2)
     
    #6
    danfor443
    Re: WAN IP Unknown 2020/07/15 02:15:23 (permalink)
    Got the Problem.... DNS Request doesn't work.
     
    Following scenario:
    a Branch-Firewall with Outside-Interface IP 123.123.123.123 and an Inside-IF with 192.168.1.1
    a HQ-Firewall with Outside-Interface IP 999.999.999.999 and an Inside-IF with 172.12.1.1
    Both are connected via IPsec-Tunnel. The IPsec Tunnel is bound to each Outside-IF!
    DNS-Servers are only in HQ.
     
    If a Branch-client with 192.168.1.2 asks e.g. DNS-Request its IP-Source-Header is like 192.168.1.2.
    The HQ-DNS-Server receives this packet and sends back to 192.168.1.2 over the HQ-Firewall.
    The HQ-Firewall knows this Target IP 192.168.1.2 from routing Table and sends it back over IPsec-Tunnel and everything works.
     
    Now the problem:
    The Branch-Fortigate itself is sending a DNS-Request to HQ-DNS Server BUT with its Outside-IF IP 123.123.123.123 as source-header.
    The HQ-DNS-Server receives this packet and sends back to 123.123.123.123 over the HQ-Firewall.
    The HQ-Firewall knows this Target IP 123.123.123.123 from routing Table and sends it back over OUTSIDE-INTERFACE to the INTERNET because it is a public IP and should use the Default-Route.
    And that's why it doesn't work.
     
     
    What can I do here?
     
    Best Regards
    #7
    brycemd
    Re: WAN IP Unknown 2020/07/15 08:03:37 (permalink)
    In the DNS setting set a source-ip to define the IP it should be coming from. There's a lot of services that benefit from this over a VPN tunnel, like LDAP and RADIUS or even just doing a ping across from the fortigate.
     
    config sys dns
        set source-ip <source-IP>
    end
     
    The alternative is to give your VPN tunnel routable interfaces rather than the default 0.0.0.0/0.0.0.0. Since that's essentially why its source IP is the WAN, the interface it is trying to go across is 0.0.0.0
     
     
    #8
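
The return-path problem from posts #7 and #8, as an added example that is not part of the original thread: it models the HQ firewall's longest-prefix route lookup for the DNS reply and shows why the query source address decides whether the answer goes back into the tunnel. The routing table, prefix lengths and interface names are constructed assumptions; only the host addresses come from the posts.

```python
import ipaddress

# Constructed HQ-firewall routing table for the scenario in posts #7/#8.
# Prefix lengths and interface names are assumptions; the thread gives only
# host addresses (192.168.1.x branch LAN, 172.12.1.1 HQ inside).
HQ_ROUTES = [
    ("0.0.0.0/0", "outside"),            # default route to the Internet
    ("172.12.1.0/24", "inside"),         # HQ LAN with the DNS servers
    ("192.168.1.0/24", "ipsec-branch"),  # branch LAN via the IPsec tunnel
]


def egress(routes, dst):
    """Longest-prefix match: interface the HQ firewall selects for dst."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    hits = [(net, ifc) for net, ifc in hits if addr in net]
    if not hits:
        return None
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def dns_reply_path(query_src, routes=HQ_ROUTES, tunnel="ipsec-branch"):
    """A DNS reply is addressed to the query's source IP, so that address
    alone decides whether HQ sends the answer back into the tunnel."""
    ifc = egress(routes, query_src)
    return {"reply_dst": query_src, "hq_egress": ifc, "via_tunnel": ifc == tunnel}


def broken_sources(sources):
    """Names of query sources whose replies HQ would not route into the tunnel."""
    return [name for name, ip in sources.items()
            if not dns_reply_path(ip)["via_tunnel"]]


# Query sources taken from the thread: a branch client, the branch FortiGate's
# default self-originated source (WAN IP), and the FortiGate after
# "set source-ip" is pointed at its inside interface address.
SOURCES = {
    "branch-client": "192.168.1.2",
    "fortigate-default": "123.123.123.123",
    "fortigate-source-ip-inside": "192.168.1.1",
}

if __name__ == "__main__":
    for name, ip in SOURCES.items():
        print(name, dns_reply_path(ip))
    print("replies lost:", broken_sources(SOURCES))
```

The same check applies to any other self-originated traffic sent across the tunnel, such as the LDAP and RADIUS lookups mentioned in post #8.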