Question

Firewall migration - Extreme X460G2-24t-10G4 ARP issue?

  • 2 January 2021
  • 5 replies
  • 59 views

Hello Everyone

I am currently using a Cisco ASA and migrating to a FortiGate 601E. The operation is pretty basic: we're taking the LAN port coming from my Extreme core switch X460G2-24t-10G4 and the internet port from the ASA and moving them to the FortiGate 601E LAN and internet ports. The policies are set up. The X460G2-24t-10G4 Extreme core switch is doing all the existing routing. I have validated that the default route from the core switch goes to 172.23.145.254.

If I put a laptop into FortiGate port 2 (the LAN port) and configure the NIC with the following settings, it works fine.

Laptop IP 172.23.145.250

Subnet: 255.255.254.0

GW: 172.23.145.254

DNS: 8.8.8.8

If I put the LAN and WAN ports back into the ASA, it works fine.

What am I missing?

Could it be that I need to clear the ARP table on the X460G2-24t-10G4 Extreme switch? If so, what are the commands I would issue to properly clear the ARP table on this L3 switch?

Thanks in advance



Normally, this should not have anything to do with the ARP entry.

If you disconnect the LAN cable on the ASA, you get a link down on the EXOS switch. This clears the FDB entry for that port and also the corresponding ARP entry.

You can also check the FDB and ARP entries on the EXOS switch once you have changed from the ASA to the FortiGate.

Based on your description, I think you have no routes for the client IP nets on your FortiGate.

What did you check during troubleshooting? Did you ping from a client (connected to the core) to the FortiGate, or did you ping directly from the core to the FortiGate?

I had FortiGate support troubleshoot with me. I did a ping from the laptop on port 2 (the LAN port) to the firewall, which works fine. I did not do a ping from the core switch to the FortiGate.

 

Do you know where the client IP net routes are configured on a FortiGate? Not sure why FortiGate support has missed this.

FortiGate support did a sniff on the LAN port coming from the Extreme core switch, and some, but not all, traffic is being received on this port during our testing.

Comments from the FortiGate support technician:

 

To summarise, you still have issues with traffic reaching the FortiGate.
We have made another packet capture on the FortiGate and have seen that some traffic is indeed reaching the FortiGate through port2, namely 802.1q-tagged frames for VLAN2144 and internet traffic from other offices, but the test workstation 172.23.144.48, which was also going through the core switch and should have reached port2, did not reach the FortiGate on any interface.

As discussed, this does not seem to be a FortiGate issue, as the traffic in question does not even reach it. I would suggest you check on the core switch side, perhaps with a laptop connected to the switch port where the FortiGate should be plugged in, and make a packet capture to see whether traffic from 172.23.144.48 even exits the switch through that interface.

As per the last update, you will check on the core switch side and let us know if you need further assistance.


 

some traffic is indeed reaching the FortiGate through port2, namely 802.1q-tagged frames for VLAN2144 and internet traffic from other offices, but the test workstation 172.23.144.48, which was also going through the core switch and should have reached port2, did not reach the FortiGate on any interface.

In which VLAN is the workstation? Is IP forwarding configured for this VLAN? Is it directly connected to the core switch? Do you have a little sketch of your topology?

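The thread asks two concrete things of the EXOS side: which commands inspect and clear the FDB/ARP entries for the port that moved from the ASA to the FortiGate (the original question and the first reply), and whether IP forwarding is enabled on the workstation's VLAN (the last reply). The following annotated EXOS CLI session is an added example, not commands posted by anyone in the thread. It assumes a VLAN named "Data" and switch port 24 as the firewall uplink; both are placeholders to replace with the real VLAN name and port. Lines beginning with # are annotations, not commands.

```text
# Added example (not from the original thread). Placeholders: VLAN "Data", port 24.

# 1. Is the firewall port up, and how is it carried (tagged vs untagged)?
#    The capture showed 802.1q-tagged frames for VLAN2144 arriving at the firewall;
#    if the workstation's VLAN is untagged on the ASA-facing port but expected tagged
#    (or vice versa) on the FortiGate, its traffic never leaves this port.
show ports 24 information detail
show vlan "Data"

# 2. What the core has learned on that port: the new firewall's MAC should be listed
#    against port 24, and the ASA's MAC should no longer appear anywhere.
show fdb ports 24
show iparp 172.23.145.254

# 3. If a stale entry survived (e.g. the port never went link-down because a patch
#    panel or media converter sits in between), flush it explicitly.
clear fdb ports 24
clear iparp vlan "Data"
# or, for a single host:  clear iparp 172.23.145.254

# 4. Routing side: the default route must point at the firewall address, and the
#    client VLAN must be routed by the switch (ipforwarding) or its hosts can only
#    talk within their own VLAN.
show iproute
show ipconfig vlan "Data"
enable ipforwarding vlan "Data"
# only needed if "show ipconfig" reports forwarding disabled for that VLAN

# 5. Confirm the switch itself can reach the firewall from the default VR.
ping vr VR-Default 172.23.145.254
```

The order matters for the diagnosis the FortiGate technician proposed: steps 1 and 2 tell you whether the workstation's VLAN is even present on the uplink port and whether the core has a path to the firewall, which is what a capture on the port would otherwise have to prove; step 4 separates a "stale ARP" explanation (unlikely after a link-down, as the first reply notes) from a "VLAN not routed" explanation, which would match the symptom of other VLANs reaching port2 while 172.23.144.48 never does.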