
The following is the simplified topology of my organization's computer network.

[Figure: the simplified topology of my organization's computer network (image not reproduced here)]

In my organization, there is a virtual classroom server with an internal IP address (for example, 192.168.1.5). There is a problem with this server: when clients from some VLANs in the organization try to connect to it, the connection is aborted after several attempts.

In fact, all clients display the classroom welcome screen. However, some of them are unable to enter the class.

After some inspection, we found that when the default gateway of a VLAN is the core switch, there is no problem. However, when the default gateway is the FortiGate firewall, the problem occurs.

Recently, I also discovered that the problem depends on the browser. With Google Chrome, the problem appears, but with Vivaldi, the problem does not occur.

The following is the firewall policy for one of the VLANs that is experiencing this issue.

FGT (382) # show
config firewall policy
    edit 382
        set name "VLAN_10 To Servers"
        set srcintf "VLAN_10"
        set dstintf "port5"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

Below are sample FortiGate log entries from a client attempting to connect to the server. In the first entry, the action is "accept"; in the second entry, the action is "client-rst". This client was unable to connect to the server using the Google Chrome browser.

type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.14 srcport=54196 srcintf="VLAN_10" srcintfrole="lan" dstip=192.168.1.5 dstport=443 dstintf="port5" dstintfrole="undefined" sessionid=1236971171 proto=6 action="accept" policyid=382 policytype="policy" policyname="VLAN_10 To Servers" service="443-tcp" trandisp="snat" transip=192.168.1.254 transport=54196 duration=122 sentbyte=19897 rcvdbyte=1190572 sentpkt=152 rcvdpkt=865 appcat="unscanned" sentdelta=19897 rcvddelta=1190572 srcserver=0

type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.14 srcport=54275 srcintf="VLAN_10" srcintfrole="lan" dstip=192.168.1.5 dstport=443 dstintf="port5" dstintfrole="undefined" sessionid=1236999876 proto=6 action="client-rst" policyid=382 policytype="policy" policyname="VLAN_10 To Servers" service="443-tcp" trandisp="snat" transip=192.168.1.254 transport=54275 duration=9 sentbyte=7458 rcvdbyte=8711 sentpkt=36 rcvdpkt=36 appcat="unscanned" srcserver=0

Any assistance would be greatly appreciated.

  • You should really do your LAN routing on the switch, using it as the gateway, and not burden the firewall with also being the LAN router. Commented 2 days ago

1 Answer

By default, a FortiGate firewall uses stateful inspection of each connection. Since several gateways are involved, I very much suspect asymmetric routing, with the reverse path bypassing the FortiGate. This makes stateful inspection fail, resetting the connection.

You need to either switch off stateful inspection (reverse path forwarding) or make sure that the routing path matches in both directions.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Details-about-FortiOS-RPF-Reverse-Path-Forwarding/ta-p/190100?cmd=displayKC&externalId=FD30543

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-the-FortiGate-behaves-when-asymmetric-routing/ta-p/198575
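The following is an added example, not code from the question or the answer above, that turns the two log entries posted in the question into a repeatable check of the asymmetric-routing hypothesis in the answer. It parses FortiOS key=value traffic logs and, for every session that did not close with action="accept", reports whether the FortiGate itself forwarded any server reply traffic (rcvdbyte / rcvdpkt). If the reverse path really bypassed the firewall, the firewall would count no received bytes for that session; a client-rst session that nonetheless shows rcvdbyte > 0 means the replies did traverse the firewall. It also reports whether source NAT was applied (trandisp contains "snat"), since a server answering to transip has to send its replies back to the FortiGate regardless of which gateway the server uses. The first two sample lines are the ones from the question; the third is constructed for contrast and does not come from the page.

```python
import re
from collections import defaultdict

# Sample input. Lines 1 and 2 are the two entries posted in the question.
# Line 3 is CONSTRUCTED for this example (not from the page): a session in
# which the firewall never saw any reply traffic from the server.
SAMPLE_LOGS = [
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.14 srcport=54196 srcintf="VLAN_10" srcintfrole="lan" dstip=192.168.1.5 dstport=443 dstintf="port5" dstintfrole="undefined" sessionid=1236971171 proto=6 action="accept" policyid=382 policytype="policy" policyname="VLAN_10 To Servers" service="443-tcp" trandisp="snat" transip=192.168.1.254 transport=54196 duration=122 sentbyte=19897 rcvdbyte=1190572 sentpkt=152 rcvdpkt=865 appcat="unscanned" sentdelta=19897 rcvddelta=1190572 srcserver=0',
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.14 srcport=54275 srcintf="VLAN_10" srcintfrole="lan" dstip=192.168.1.5 dstport=443 dstintf="port5" dstintfrole="undefined" sessionid=1236999876 proto=6 action="client-rst" policyid=382 policytype="policy" policyname="VLAN_10 To Servers" service="443-tcp" trandisp="snat" transip=192.168.1.254 transport=54275 duration=9 sentbyte=7458 rcvdbyte=8711 sentpkt=36 rcvdpkt=36 appcat="unscanned" srcserver=0',
    'type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.10.22 srcport=50001 srcintf="VLAN_10" srcintfrole="lan" dstip=192.168.1.5 dstport=443 dstintf="port5" dstintfrole="undefined" sessionid=1237000001 proto=6 action="client-rst" policyid=382 policytype="policy" policyname="VLAN_10 To Servers" service="443-tcp" trandisp="noop" duration=3 sentbyte=240 rcvdbyte=0 sentpkt=4 rcvdpkt=0 appcat="unscanned" srcserver=0',
]

# key=value pairs; values are either a double-quoted string (may contain
# spaces, e.g. policyname="VLAN_10 To Servers") or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiOS traffic log line into a dict.

    Quoted values are unquoted; purely numeric values become int so that
    byte/packet counters and ids can be compared directly.
    """
    fields = {}
    for key, raw in KV_RE.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            fields[key] = raw[1:-1]
        elif raw.isdigit():
            fields[key] = int(raw)
        else:
            fields[key] = raw
    return fields


def replies_forced_through_firewall(fields):
    """True when source NAT was applied: the server then answers to transip
    (the FortiGate's own address), so its replies must come back via the
    firewall whatever the server's default gateway is."""
    return "snat" in str(fields.get("trandisp", ""))


def classify_session(fields):
    """Verdict for a single traffic log entry.

    'ok'                  accepted, closed normally
    'abnormal-with-reply' non-accept close (e.g. client-rst), but the firewall
                          forwarded server replies (rcvdbyte > 0): the reverse
                          path did pass through the firewall for this session
    'abnormal-no-reply'   non-accept close and rcvdbyte == 0: consistent with the
                          reply path bypassing the firewall (or no reply at all)
    """
    if fields.get("action") == "accept":
        return "ok"
    return "abnormal-with-reply" if fields.get("rcvdbyte", 0) > 0 else "abnormal-no-reply"


def summarize(lines):
    """Count verdicts per (srcip, dstip, dstport, policyid) flow."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        f = parse_fortigate_log(line)
        key = (f.get("srcip"), f.get("dstip"), f.get("dstport"), f.get("policyid"))
        summary[key][classify_session(f)] += 1
    return {k: dict(v) for k, v in summary.items()}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        f = parse_fortigate_log(line)
        print(f'{f["srcip"]}:{f["srcport"]} -> {f["dstip"]}:{f["dstport"]} '
              f'action={f["action"]} rcvdbyte={f["rcvdbyte"]} rcvdpkt={f["rcvdpkt"]} '
              f'snat={replies_forced_through_firewall(f)} verdict={classify_session(f)}')
    print(summarize(SAMPLE_LOGS))
```

Run it against an export of the policy's traffic logs (one entry per line). Flows that are mostly "abnormal-with-reply" with snat=True are the ones where the firewall evidently did see both directions, so the reset cannot be explained by the reverse path bypassing it alone; "abnormal-no-reply" flows are the ones worth tracing with a packet capture on both gateways.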
