FORTIGATE traceroute NEIGHBOR_UNREACHABLE error
guillaume75110 opened this issue · comments
Hello everyone,
I’m currently working on network configurations featuring FortiGate firewalls and I’m facing some difficulties (bugs?) using Batfish.
If I understood correctly (this ticket by @dhalperi), support for Fortinet appliances is limited, but is traceroute supposed to be fully supported?
Example 1 – bug
Here is a minimalist example of network topology I’m working on:
Full Batfish snapshot with all configuration files: dbg_forti2.zip
Problem
From 193.168.0.3 I’m able to traceroute until 199.168.0.2, but from 199.168.0.2 I can’t even reach fortigate1, even though I have checked that my route tables are correct.
Traceroute
from pybatfish.client.session import Session
from pybatfish.datamodel.flow import HeaderConstraints
bf = Session(host="localhost")  # assumed: Batfish service reachable locally, dbg_forti2 snapshot already initialized
def escape(name):
    # Assumed helper (not shown in the issue): Batfish's specifier grammar needs
    # names containing '-' such as these UUID hostnames to be double-quoted.
    return '"' + name + '"'
SERVER1 = "850250b1-6342-4727-9652-7e4f8f94c531"
SERVER1_IP = "193.168.0.3/24"
SERVER2 = "05c19e8f-bddf-4a61-b63b-bf8ce577c0f7"
SERVER2_IP = "199.168.0.2/24"
# Trace HTTP from SERVER2 toward SERVER1, ignoring ACLs so that only routing is exercised
df = bf.q.traceroute(
    startLocation=escape(SERVER2),
    headers=HeaderConstraints(
        dstIps=escape(SERVER1), srcIps=escape(SERVER2), applications="http"
    ),
    ignoreFilters=True,
).answer().frame()
Result
I got NEIGHBOR_UNREACHABLE as if no route were found for the 193.168.0.3 destination; however, a route exists according to bf.q.routes():
-> 193.168.0.0/24 is routed through 197.168.0.2 (port1)
And all L3 edges are correctly detected by Batfish:
-> 199.168.0.2 is linked to fortigate1[port1]
Moreover, no warnings or issues were found using bf.q.parseWarnings() and bf.q.initIssues().
Example 2
However, by adding an additional router between 199.168.0.2 and fortigate1, this topology works fine: I can traceroute both ways.
Conclusion
Is there a bug in routing with FortiGate when a host is directly connected to a Fortinet appliance?
Additional question: do you confirm IPsec tunnels are not yet handled by Batfish for Fortinet appliances?
Thanks for your help.
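As an added example (not code from the issue or from Batfish), the cross-check the reporter did by hand can be automated over the record form of the bf.q.routes() and bf.q.layer3Edges() frames: longest-prefix-match the destination on a node, then confirm that the chosen next hop actually appears as a remote IP on an L3 edge of the egress interface, which is the precondition for a trace not to stop with NEIGHBOR_UNREACHABLE. Column names follow the Batfish answer tables; the rows, interface names and the second next hop are constructed for illustration and do not reproduce the dbg_forti2 snapshot.

```python
import ipaddress

# Constructed sample rows (not the reporter's snapshot). Real data would come from
# bf.q.routes().answer().frame().to_dict("records") and the same for layer3Edges().
ROUTES = [
    {"Node": "fortigate1", "Network": "193.168.0.0/24",
     "Next_Hop_IP": "197.168.0.2", "Next_Hop_Interface": "port2"},
    {"Node": "fortigate1", "Network": "0.0.0.0/0",
     "Next_Hop_IP": "10.9.9.9", "Next_Hop_Interface": "port3"},   # next hop with no L3 neighbor
]
EDGES = [
    {"Interface": "fortigate1[port1]", "Remote_IPs": ["199.168.0.2"]},
    {"Interface": "fortigate1[port2]", "Remote_IPs": ["197.168.0.2"]},
]


def explain_next_hop(node, dst_ip, routes=ROUTES, edges=EDGES):
    """Longest-prefix-match dst_ip in node's routes and report whether the
    selected next hop is an L3 neighbor on the egress interface.
    Returns None when no route covers dst_ip (a NO_ROUTE situation)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        if r["Node"] != node:
            continue
        net = ipaddress.ip_network(r["Network"])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    if best is None:
        return None
    net, r = best
    egress = f'{node}[{r["Next_Hop_Interface"]}]'
    nh = r["Next_Hop_IP"]
    # A route is only forwardable if the next hop is reachable over an L3 edge of the egress interface.
    neighbor_on_edge = any(e["Interface"] == egress and nh in e["Remote_IPs"] for e in edges)
    return {"network": str(net), "next_hop_ip": nh,
            "interface": egress, "neighbor_on_edge": neighbor_on_edge}


if __name__ == "__main__":
    for ip in ("193.168.0.3", "8.8.8.8"):
        print(ip, explain_next_hop("fortigate1", ip))
```

A route whose next hop has no matching L3 edge is the condition to look for when a trace reports NEIGHBOR_UNREACHABLE despite the RIB looking correct.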