topic Re: gateways failing until policies are pushed in Firewall and Security Management

gateways failing until policies are pushed

kehagen — Fri, 08 Dec 2023 19:42:09 GMT

Hello,

I have r77 gateways 4400. Two of them are in a cluster. We lost connectivity to the inside last night. I pushed the policies and then I could get connectivity. Then same thing happened this morning. I looked at the switch and a mac address is flapping on the inside with the mac of the firewall cluster. I can get to the inside, but it seems to be a recurring problem and not sure what is causing it. Any ideas where to look? Thanks.

Ken

Re: gateways failing until policies are pushed

the_rock — Fri, 08 Dec 2023 20:04:28 GMT

Hey Kenny,

Sounds like could be routing issue. Maybe do zdebug when this happens if you have console, since it sounds like ssh fails when issue is there. PLEASE upgrade, no one in TAC will even bother with this, its long time unsupported version.

Andy

Re: gateways failing until policies are pushed

kehagen — Fri, 08 Dec 2023 22:35:42 GMT

Thanks Andy. I will try that. Yes we’re trying to upgrade asap.

Re: gateways failing until policies are pushed

the_rock — Fri, 08 Dec 2023 22:59:47 GMT

Yes sir, you should! Now I will go about my weekend birthday celebration...one year older, man, nothing to celebrate 🤣🤣

Cheers,

Andy

Re: gateways failing until policies are pushed

kehagen — Fri, 08 Dec 2023 23:22:20 GMT

Happy birthday! and thanks for your suggestion.

ken

Re: gateways failing until policies are pushed

the_rock — Fri, 08 Dec 2023 23:27:11 GMT

Thank you! Have a nice weekend.

Andy

Re: gateways failing until policies are pushed

Timothy_Hall — Sat, 09 Dec 2023 17:46:22 GMT

Sounds like an ARP issue to me, as a policy installation will force a gratuitous ARP for all firewall and NAT addresses if the cluster object is not set to use VMAC (which is the default behavior). Next time you have an outage, check the ARP caches of the surrounding routers, are they losing the IP to MAC mapping for the firewall and/or NAT addresses? Command fw ctl arp might be helpful to diagnose. If it is found to be an ARP issue, you can try setting VMAC on the cluster, reinstall policy twice and see if it helps.

Re: gateways failing until policies are pushed

kehagen — Mon, 11 Dec 2023 14:58:01 GMT

Thank you Timothy I will try that today. I go onsite to troubleshoot today.

Re: gateways failing until policies are pushed

the_rock — Mon, 11 Dec 2023 15:10:53 GMT

Hey Kenny,

Let us know how it goes. I see what Tim is saying, if arp is not there, it will never work, sort of goes without saying. Mind you, that coommand would show you if there are ny proxy arp entries.

Andy

Re: gateways failing until policies are pushed

the_rock — Mon, 11 Dec 2023 15:12:17 GMT

You can also run just arp, as I did below in my lab. So in my case, 172.16.10.1 is our lab Fortigate.

Andy

[Expert@CP-STANDALONE-backup:0]# arp
Address HWtype HWaddress Flags Mask Iface
172.16.10.233 ether 50:06:00:07:00:00 C eth0
172.16.10.126 ether 00:0c:29:27:56:d6 C eth0
172.16.10.1 ether e8:1c:ba:4e:89:87 C eth0
[Expert@CP-STANDALONE-backup:0]#

Re: gateways failing until policies are pushed

kehagen — Mon, 11 Dec 2023 19:49:58 GMT

the arps look ok on the inside.

on the firewalls i get:

[Expert@gto-fw-1:0]# fw ctl arp
No proxy ARP entries
[Expert@gto-fw-1:0]#

I checked the vmac and it is already applied.

Re: gateways failing until policies are pushed

kehagen — Mon, 11 Dec 2023 20:04:18 GMT

When doing arp on the problem gateways, I only get 2 arps, one for management and one for the cluster interface. When comparing to a known good gateway, there are many more arps for all the devices behind the firewall.

Re: gateways failing until policies are pushed

the_rock — Mon, 11 Dec 2023 20:05:48 GMT

Can you just run arp?

Andy

Re: gateways failing until policies are pushed

kehagen — Mon, 11 Dec 2023 23:43:09 GMT

yes, i did run arp, i only see 2 arps. mgmt and cluster. for some reason it is not getting all the other arps from the devices inside. could it be a certificate or license problem? the cert is good until 12/26/23, so that is next thing to do after i fix this.

Re: gateways failing until policies are pushed

the_rock — Mon, 11 Dec 2023 23:20:24 GMT

Apologies mate, missed your first response, my bad. Long day troubleshooting Cisco/Fortigate vpn issue lol. Anyway, so here is my suggestion...can you verify that routes are similar? Just type route from expert mode and compare.

Kind regards,

Andy

Re: gateways failing until policies are pushed

kehagen — Tue, 12 Dec 2023 17:44:14 GMT

yes the routes are the same.

Re: gateways failing until policies are pushed

the_rock — Tue, 12 Dec 2023 18:16:17 GMT

Got it. Any luck so far or still same issue?

Andy

Re: gateways failing until policies are pushed

kehagen — Tue, 12 Dec 2023 19:15:16 GMT

Same issue. Also I tried to renew the cert and got an error message.