Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Problem with Fortiate and Virgin Media

  • 27-02-2018 7:24am
    #1
    Registered Users, Registered Users 2 Posts: 6


    Hi Everyone

    I am an IT professional (as some says), and I'm looking for some feedback
    I am having problem with Fortigate device connected to Virgin Media cable modem.
    Please let me know if any of you experienced similar issue and how did you deal with that.

    The problem is that if I connect Fortigate firewall to the Eir modem, everything just works fine. If I connect the same Fortigate to the Virgin Media modem, the speed of connection after a while drops down significantly and as a result internet becomes unusable. The speed can drop down even below 1MB/s. I had Virgin Media guys to look at that but other than swapping modem (several times) and reinstalling firmware (several times) they cannot identify the reason and they blame Fortigate unit. On the other hand in order to eliminate possible issue with firewall I contacted Fortinet support but they are very slow do deal with that. I also tried multiple Fortigate models but still having the same issue.

    Some of you might know that few years ego there was a problem with UPC modems where they would do very similar thing. At the time it turned out that UPC modems were intercepting all traffic on UDP port 53 (DNS). Since Fortinet is using that port for communication to their control center UPC modems were experiencing buffer overflow. The fix for that was to change the default communication port to the 8888. This time this does not help.
    I had some issues in the past with broadband provided over telephone lines from various ISPs and in worse case scenario I was always able to resolve it by swapping crappy modem with Cisco Router. As you know you can't do the same thing with Virgin Media modem.

    If you had similar experience with the same setup or even different hardware please let me know.

    All the best.


Comments

  • Registered Users, Registered Users 2 Posts: 2,383 ✭✭✭pizzahead77


    Which VM modem do you have? Are you using the modem in normal modem mode or is it bridged to the Fortigate firewall?

    I haven't used a Fortigate firewall but have used a couple of Cisco ASAs with a VM Cisco 3925 modem in bridge mode and don't have this issue.


  • Registered Users, Registered Users 2 Posts: 6 IdeaWorld


    The cable modem model is Hitron CGNV4.
    It is configured in a strange route mode where on the cable side it has internal UPC 10.X.X.X address but on the LAN side it has public IP which is our gateway address. This allows us to have 5 usable public IPs. I personally don't like this setup as these modems are vulnerable to attacks.

    I have tested this modem with Cisco 2911 Router and I had no issues.

    Since whole Country had stopped today I am going to do some tests with Wireshark to see if I can pinpoint it to a specific type of traffic.


  • Closed Accounts Posts: 5,756 ✭✭✭demanufactured


    Are you sure tm it's running on DSLITE??
    That IP configuration doesn't sound right.


  • Registered Users, Registered Users 2 Posts: 6 IdeaWorld


    Hi Everyone
    I got to the bottom of the issue.
    I analysed network traffic with Cisco facing Virgin Media modem vs Fortinet using Wireshark.
    I noticed that both devices were doing everything more less the same except one thing – IPSEC VPNs.
    It turned out that when I configured Cisco VPN the Phase 1 was established using UDP port 500 and the ESP payload was transmitted using UDP 4500.(UDP has protocol number 17)
    When I configured IPSEC VPN on Fortigates the Phase 1 was established same way which is UDP port 500 but the ESP payload was transmitted using IP protocol number 50.
    I had to find than a way to force Fortigates to transmit traffic the same way as Cisco Router. There isn’t much details on which configuration parameters will create which type of ESP session so I had to experiment a bit.
    And I have made it. I got that to work on Thursday late night. I have got now 2 Fortigates and 1 Cisco router connected directly to the Virgin Media modem/router and in total 7 IPSEC VPNS running and I was not able to reproduce the issue anymore with current configuration. Before that 2 IPSEC VPNs on Fortigates were enough for Virgin Media modem to die within few minutes.
    Many thanks to all who were trying to help. Thanks to the weather as otherwise I would never have that much of free time to investigate that. If anyone is interested in more details let me know.


  • Closed Accounts Posts: 5,756 ✭✭✭demanufactured


    Thanks for the update... What model fortigates are you using?


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 6 IdeaWorld


    FGT60E and FGT200E


  • Closed Accounts Posts: 2,039 ✭✭✭rmacm


    IdeaWorld wrote: »
    Hi Everyone
    I got to the bottom of the issue.
    I analysed network traffic with Cisco facing Virgin Media modem vs Fortinet using Wireshark.
    I noticed that both devices were doing everything more less the same except one thing – IPSEC VPNs.
    It turned out that when I configured Cisco VPN the Phase 1 was established using UDP port 500 and the ESP payload was transmitted using UDP 4500.(UDP has protocol number 17)
    When I configured IPSEC VPN on Fortigates the Phase 1 was established same way which is UDP port 500 but the ESP payload was transmitted using IP protocol number 50.
    I had to find than a way to force Fortigates to transmit traffic the same way as Cisco Router. There isn’t much details on which configuration parameters will create which type of ESP session so I had to experiment a bit.
    And I have made it. I got that to work on Thursday late night. I have got now 2 Fortigates and 1 Cisco router connected directly to the Virgin Media modem/router and in total 7 IPSEC VPNS running and I was not able to reproduce the issue anymore with current configuration. Before that 2 IPSEC VPNs on Fortigates were enough for Virgin Media modem to die within few minutes.
    Many thanks to all who were trying to help. Thanks to the weather as otherwise I would never have that much of free time to investigate that. If anyone is interested in more details let me know.

    You probably enabled NAT Traversal on the Fortigates.

    UDP Port 4500 is used to send encapsulated ESP packets so the whole thing can function where there are devices doing NAT involved.


  • Registered Users, Registered Users 2 Posts: 6 IdeaWorld


    That is correct. I had to enable NAT traversal but I also had to change it to use IKE1.


Advertisement