Firewall migration - Extreme X460G2-24t-10G4 ARP issue?


paulcondonjr
New Contributor

Hello Everyone

I am currently using a Cisco ASA and migrating to a FortiGate 601E. The operation is pretty basic. We're taking the LAN port coming from my Extreme core switch X460G2-24t-10G4 and the internet port from the ASA and moving them to the FortiGate 601E LAN and internet ports. The policies are set up. The X460G2-24t-10G4 Extreme core switch is doing all the existing routing. I have validated the default route as going to 172.23.145.254 from the core switch.

If I put a laptop into the FortiGate port 2 (LAN port) and configure the NIC with the following configuration, it works fine.

Laptop IP 172.23.145.250

Subnet: 255.255.254.0

GW: 172.23.145.254

DNS: 8.8.8.8

If I put the LAN and WAN ports back into the ASA, it works fine.

What am I missing?

Could it be that I need to clear the ARP from the X460G2-24t-10G4 Extreme switch? If so, what are the commands I would issue to properly clear the ARP table from this L3 switch?

Thanks in advance
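The suspicion in the question is that the core switch still holds an ARP entry for 172.23.145.254 that points at the old ASA's MAC, so traffic following the default route is forwarded to a device that is no longer on that port. One way to check that before (or instead of) blindly flushing caches is to capture the switch's ARP table and compare the cached MAC of each gateway IP against the MAC the new firewall interface actually has. The script below is an added example for this thread, not code from the poster, Extreme or Fortinet; the ARP-table text is constructed to approximate the column layout of an EXOS `show iparp` listing, and both MAC addresses are placeholders, not values from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, approximating an EXOS "show iparp" listing
# (VPID, IP address, MAC address, Age, VLAN). Not captured from the poster's switch.
SAMPLE_ARP_TABLE = """\
VPID  IP address       MAC address         Age  VLAN
----  ---------------  ------------------  ---  -------
1     172.23.145.254   00:11:22:33:44:55   3    Default
1     172.23.145.250   aa:bb:cc:dd:ee:01   1    Default
1     172.23.144.48    aa:bb:cc:dd:ee:02   7    Default
"""

# Placeholder: the MAC of the FortiGate's port2, as read from the firewall itself.
NEW_GATEWAY_MAC = "00:09:0f:aa:bb:cc"

# One data row: optional VPID column, then IPv4, MAC, age, VLAN name.
ARP_LINE = re.compile(
    r"^\s*\d*\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\s+"
    r"(?P<age>\d+)\s+(?P<vlan>\S+)"
)


def parse_arp_table(text: str) -> Dict[str, Tuple[str, str, int]]:
    """Map IP -> (mac, vlan, age) for every data row; header/separator rows are skipped."""
    entries: Dict[str, Tuple[str, str, int]] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries[m["ip"]] = (m["mac"].lower(), m["vlan"], int(m["age"]))
    return entries


def find_stale_entries(entries: Dict[str, Tuple[str, str, int]],
                       expected: Dict[str, str]) -> List[str]:
    """Return the IPs whose cached MAC differs from the MAC the new device should answer with.

    IPs that are absent from the cache are not reported: the switch will simply
    ARP for them afresh, which is the behaviour we want after a hardware swap.
    """
    stale = []
    for ip, mac in expected.items():
        cached = entries.get(ip)
        if cached is not None and cached[0] != mac.lower():
            stale.append(ip)
    return stale


def stale_gateway_report(arp_text: str, gateways: Dict[str, str]) -> List[str]:
    """Human-readable lines for each gateway IP still bound to an old MAC."""
    entries = parse_arp_table(arp_text)
    report = []
    for ip in find_stale_entries(entries, gateways):
        mac, vlan, age = entries[ip]
        report.append(f"{ip} on VLAN {vlan}: cached {mac} (age {age}), expected {gateways[ip].lower()}")
    return report


if __name__ == "__main__":
    for line in stale_gateway_report(SAMPLE_ARP_TABLE, {"172.23.145.254": NEW_GATEWAY_MAC}):
        print("STALE:", line)
```

If the report lists the default-gateway IP, the switch is still forwarding the default route to the old firewall's MAC and the entry needs to expire or be flushed; on EXOS the table is displayed with `show iparp` and flushed with `clear iparp` (both are standard EXOS commands; any VLAN or VR qualifiers you add should be checked against the switch's own help). Run the same comparison on a test workstation's ARP cache as well, since the hosts on the 172.23.144.0/23 network cache the gateway MAC independently of the switch.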

5 REPLIES

Stefan_K_
Valued Contributor


In which VLAN is the workstation? Is IP forwarding configured for this VLAN? Is it directly connected to the core switch? Do you have a little sketch of your topology?

paulcondonjr
New Contributor

Comments from the Fortigate Support technician


To summarise, you still have issues with traffic reaching the FortiGate.
We have made another packet capture on the FortiGate and have seen that some traffic indeed is reaching the FortiGate through port2, namely 802.1q tags for VLAN2144 and internet traffic from other offices, but the test workstation 172.23.144.48 that was also going through the core switch and should have reached port2, did not even reach the FortiGate on any interface.

As discussed, this does not seem to be a FortiGate issue as the traffic in question does not even reach it. I would suggest you check on the core switch side, perhaps with a laptop connected to the port of the switch where the Fortigate should be plugged in, and to make a packet capture to see if traffic from 172.23.144.48 even exits the switch through that interface.

As per the last update, you will check on the core switch side and let us know if you need further assistance.

paulcondonjr
New Contributor

Fortigate support did a sniff on the LAN port from the Extreme core switch, and there is some, but not all, traffic being received on this port with our testing.

paulcondonjr
New Contributor

I had Fortigate support troubleshoot with me. I did a ping from the laptop to port 2 (LAN port), pinging the firewall, which works fine. I did not do a ping from the core switch to the Fortigate.


Do you know where the client IP-net routes are configured on a Fortigate? Not sure why Fortigate support has missed this.
