emac-vlan issue

Author
matthewdva
New Member
2020/11/09 07:54:30 (permalink)

emac-vlan issue

As a few others have posted, I need to share a VLAN between multiple VDOMs. I have followed the documentation with partial success. I have been able to create the same VLAN in multiple VDOMs using emac-vlan. However, when I assign an IP address to the emac-vlan, the LAN for that address does not "connect" to the VDOM. I cannot ping the IP address from my FortiGate.
 
Are there any suggestions on how I can get them to connect for addresses assigned to an emac-vlan?
 
--
Matthew
 
#1
emnoc
Expert Member
Re: emac-vlan issue 2020/11/09 11:23:45 (permalink)
What do you mean by "LAN does not connect", and what are your config and topology?
 
The diag debug flow needs to be explored for proper diagnostics.
 
Ken Felix
 
PCNSE
NSE
StrongSwan
#2
matthewdva
New Member
Re: emac-vlan issue 2020/11/09 13:44:26 (permalink)
Test VLAN is "vlan0999":
config system interface
    edit "vlan0999"
        set vdom "root"
        set device-identification enable
        set role lan
        set snmp-index 71
        set interface "fortilink"
        set vlanid 999
    next
    edit "fortilink"
        set vdom "root"
        set allowaccess ping capwap
        set type aggregate
        set member "x1" "x2"
        set alias "20gig_lag"
        set snmp-index 12
    next
end
My first VDOM is vdom1:
config system interface
    edit "vlan0999-vdom1"
        set vdom "vdom1"
        set ip 172.31.254.10 255.255.255.0
        set type emac-vlan
        set snmp-index 72
        set interface "vlan0999"
    next
end
When I state that the network is not connected, I am referring to the routing table. As you can see below, net 172.31.254.0/24 is not part of the routing table. According to the documentation, it should be.
FortiGate-100F (vdom1) # get router info routing-table connected

Routing table for VRF=0
C       10.2.16.2/31 is directly connected, vlan499
C       10.34.143.0/30 is directly connected, vdom1-to-vdom20
C       10.98.2.0/24 is directly connected, vlan502
C       10.98.4.64/27 is directly connected, vlan506
C       10.98.4.96/27 is directly connected, vlan507
C       10.98.4.160/27 is directly connected, vlan509
C       10.98.4.192/27 is directly connected, vlan510
C       10.98.4.224/27 is directly connected, vlan515
C       10.98.5.0/24 is directly connected, vlan511
C       10.98.6.0/23 is directly connected, vlan512
C       10.98.8.0/24 is directly connected, vlan513
C       10.98.10.0/28 is directly connected, vlan516
C       10.98.10.16/29 is directly connected, vlan518
C       10.98.10.32/28 is directly connected, vlan519


The diag debug shows:
 
FortiGate-100F (vdom1) # diag debug enable

FortiGate-100F (vdom1) # diag debug flow filter addr 172.31.254.10

FortiGate-100F (vdom1) # diagnose debug flow trace start 100

FortiGate-100F (vdom1) # diag debug enable

FortiGate-100F (vdom1) # exec ping 172.31.254.10
PING 172.31.254.10 (172.31.254.10): 56 data bytes
2020-11-09 16:37:59 id=20085 trace_id=718 func=print_pkt_detail line=5460 msg="vd-vdom1:0 received a packet(proto=1, 10.2.16.3:2816->172.31.254.10:2048) from local. type=8, code=0, id=2816, seq=0."
2020-11-09 16:37:59 id=20085 trace_id=718 func=init_ip_session_common line=5631 msg="allocate a new session-0a15f4da"
2020-11-09 16:38:00 id=20085 trace_id=719 func=print_pkt_detail line=5460 msg="vd-vdom1:0 received a packet(proto=1, 10.2.16.3:2816->172.31.254.10:2048) from local. type=8, code=0, id=2816, seq=1."
2020-11-09 16:38:00 id=20085 trace_id=719 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-0a15f4da, original direction"
2020-11-09 16:38:01 id=20085 trace_id=720 func=print_pkt_detail line=5460 msg="vd-vdom1:0 received a packet(proto=1, 10.2.16.3:2816->172.31.254.10:2048) from local. type=8, code=0, id=2816, seq=2."
2020-11-09 16:38:01 id=20085 trace_id=720 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-0a15f4da, original direction"
2020-11-09 16:38:02 id=20085 trace_id=721 func=print_pkt_detail line=5460 msg="vd-vdom1:0 received a packet(proto=1, 10.2.16.3:2816->172.31.254.10:2048) from local. type=8, code=0, id=2816, seq=3."
2020-11-09 16:38:02 id=20085 trace_id=721 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-0a15f4da, original direction"
2020-11-09 16:38:03 id=20085 trace_id=722 func=print_pkt_detail line=5460 msg="vd-vdom1:0 received a packet(proto=1, 10.2.16.3:2816->172.31.254.10:2048) from local. type=8, code=0, id=2816, seq=4."
2020-11-09 16:38:03 id=20085 trace_id=722 func=resolve_ip_tuple_fast line=5540 msg="Find an existing session, id-0a15f4da, original direction"

--- 172.31.254.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

FortiGate-100F (vdom1) #

I hope this clarifies the issue I am having.
#3
boneyard
Gold Member
Re: emac-vlan issue 2020/11/20 02:09:06 (permalink)
You haven't allowed ping access on that interface, which you probably want; that might help. I don't have this exact setup ready to test.
 
#4
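To check the two points raised in this thread against saved CLI output (whether the emac-vlan's subnet shows up in the VDOM's connected routing table, and whether the interface's allowaccess includes ping), here is an added Python example; it is not code from the thread or from Fortinet, and its sample input is a constructed, trimmed copy of the configuration and routing table quoted above.

```python
import ipaddress
import re
# Constructed sample input, trimmed from the thread above: the emac-vlan block
# and part of the connected-route output. Real input is the full CLI output.
CONFIG = """\
config system interface
    edit "vlan0999-vdom1"
        set vdom "vdom1"
        set ip 172.31.254.10 255.255.255.0
        set type emac-vlan
        set interface "vlan0999"
    next
end
"""
ROUTES = """\
C       10.2.16.2/31 is directly connected, vlan499
C       10.98.2.0/24 is directly connected, vlan502
"""

def parse_interfaces(text):
    """Return {name: {setting: value}} for each edit block of 'config system interface'."""
    ifaces, cur = {}, None
    for s in (ln.strip() for ln in text.splitlines()):
        m = re.match(r'edit "([^"]+)"', s)
        if m:
            cur = ifaces.setdefault(m.group(1), {})
        elif s.startswith("set ") and cur is not None:
            key, _, val = s[4:].partition(" ")
            cur[key] = val.replace('"', "")
        elif s == "next":
            cur = None
    return ifaces

def parse_connected(text):
    """Return {network: interface} from 'get router info routing-table connected'."""
    pat = r"^C\s+(\S+) is directly connected, (\S+)$"
    return {ipaddress.ip_network(n, strict=False): i for n, i in re.findall(pat, text, re.M)}

def check_emac_vlans(config_text, routes_text):
    """Per emac-vlan with an IP: its subnet, presence in the connected table, ping allowed."""
    ifaces, routes = parse_interfaces(config_text), parse_connected(routes_text)
    report = {}
    for name, cfg in ifaces.items():
        if cfg.get("type") != "emac-vlan" or "ip" not in cfg:
            continue
        addr, mask = cfg["ip"].split()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        report[name] = {"subnet": str(net), "in_connected_table": net in routes,
                        "ping_allowed": "ping" in cfg.get("allowaccess", "").split()}
    return report
```

Run it over the full `show system interface` and `get router info routing-table connected` output of the VDOM in question; an emac-vlan reported with `in_connected_table: False` is the symptom from post #2, and `ping_allowed: False` is the missing allowaccess that the last reply points out.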