Solved

Fortingate not receiving all traffic from ISP

Posted on 2011-09-05
7
812 Views
Last Modified: 2012-06-21
I own a Fortigate 300A an have had it on line for three years. Recently I had the ISP change to fiber connection and increase bandwidth. From the moment f te change many of my VIPs stopped receiving traffic from internet.
ISP state they are just a gateway and are passing all traffic with in the IP range (209.217.199.96/27)
Fortinet engineers state fire wall is properly configured but not receiving the traffic.  
Yet three IPs are working fine.
Its been two weeks and each level of support I go tell me the same thing..."its the other guys problem".  My most resent communication from Fortinet states if the ISP sets up a static route for my addresses all will be well, (I haven' heard back from ISP yet).
My question is simple is there anything I can do or put in between the two systems to correct this problem?  I am tired of waiting o support.
Thanks
0
Comment
Question by:Bill Doherty
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 6

Accepted Solution

by:
jgibbar earned 250 total points
ID: 36484467
A quick fix would be to PAT your VIPs to one of the known good addresses. It could be a number of issues but it sounds like they may have a wrong subnet mask for your IP range on their end assuming you have made no configuration changes.

Can you do a trace route from another ISP and see where the traffic goes? Try it for both an IP that works and one that does not. If you see it getting to the ISP side of your Internet Router, than you can push the issue with your hardware. If it stops on their network, then you can push harder on the ISP.

I had a similar situation where we brought up a new circuit to increase bandwidth and the ISP just simply forgot to activate the routes in their equipment. In this situation, it took someone at a 3rd tier support to be able to assist.

0
 
LVL 22

Expert Comment

by:eeRoot
ID: 36485237
If nothing changed on the fortigate, but something did change with the ISP, then it's pretty clear where the problem is.  Can you get the ISP to come onsite for a vendor meet and certify the new fiber connection?
0
 

Author Comment

by:Bill Doherty
ID: 36488717
Thank you both for your comments.
 
eeRoot: the vendor has come in and pretty much proved that there gateway could see the correct IP addresses if they were broadcast.  set direct connect with laptop and tested each IP. So clearly some routing issue my side of their connection. (so it seems) but I agree with you clealry the fortigate would not just stop.

jgibbar: We did test and trace and we lost the traffic at hopefully today the ISP and Fortigate will test together as promised to test through the gateway.

Here is another observation. When I came here we had only a partial T1 line from the same ISP out of the ISP cable box a cisco router was in place that forwarded my traffic.  About three years ago we upgraded the T1 to a wireless bridge (line of sight rf) for a10Mb broadband connection, again they had the bridge modem or router between there radio and my firewall. This new connection there is no equipment between my firewall and the fiber box. Do you think this is what broke? In my limited understanding of how this all connects I am beginning to think I need a local router of some type or maybe a L3 switch between the fiber and my firewall.

I'm asking these questions here because Expert exchange is one place I can get unbiased answers and I truly appreciate the feedback.

thanks
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 
LVL 22

Assisted Solution

by:eeRoot
eeRoot earned 250 total points
ID: 36493295
The Fortigate may have been using the IP of the old/removed router as a default gateway, or the router may have been forwarding traffic to the Fortigate.  It's impossible to say now things were configured now that the devices are gone unless you have a backup of the configs handy.  You'll have to look at how the WAN links are set on the Fortigate, and see if it's pointing to something that isn't there anymore.
0
 

Author Comment

by:Bill Doherty
ID: 36495542
eeroot: The router addresses stayed the same which only adds to my confusion.
0
 
LVL 22

Expert Comment

by:eeRoot
ID: 36499988
Can you post a sanitized config and any errors in the logs?
0
 

Author Closing Comment

by:Bill Doherty
ID: 36505308
Thank you for your attemps to solve this issue, Finnally an engineer at the ISP explained the differences  with the old and new connections. We were swithed to some type of trunk access and because of that we are diresctly connected to them so they do not supply a static route of our iP addreeses for the Fortigate to see. The fix is easy enough, we just had to create gratuitous-arps (proxy arps) for each of the ips within the firewall;
csi command:
config firewall vip
edit "vip name"
set gratuitous-arp-interval 5
end

5 is 5 second interval

again thanks for help
0

Featured Post

Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco 2960 unable to add SFP modules to device 9 138
Check Spoof email 6 71
Configure 2 Servers with Crossover cable 3 46
Mac address in Nexus7K fex port 5 46
This article is focussed on erradicating the confusion with slash notations. This article will help you identify and understand the purpose and use of slash notations. A deep understanding of this will help you identify networks quicker especially w…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question