
How to fix ZTNA Destinations that are not accessible after a FortiOS upgrade to 7.4.x

This article describes how to resolve an issue observed in FortiOS 7.4.x where ZTNA Destinations become inaccessible after an upgrade.

Scope

FortiOS: v7.4.1, v7.4.2, v7.4.3.

Solution

After upgrading a FortiGate to v7.4.x, ZTNA Destinations stop working. The problem can be verified by examining the diagnostic output outlined below.

A packet sniffer shows that the FortiGate does respond to the client-initiated traffic, but the reply is routed out a different interface than the one the request arrived on. As a result, the reply never reaches the client machine.

Client: 216.232.68.84
FortiGate WAN interface (port14): 108.172.233.251

diagnose sniffer packet any "host 216.232.68.84 and port 8880" 4 0 l
interfaces=[any]
filters=[host 216.232.68.84 and port 8880]
2024-04-22 13:21:05.628698 port14 in 216.232.68.84.52061 -> 108.172.233.251.8880: syn 758082226
2024-04-22 13:21:05.628710 port15 out 108.172.233.251.8880 -> 216.232.68.84.52061: syn 3007500123 ack 758082227

In the example above, the SYN is received on port14, but the SYN/ACK is sent out via port15 while still using the port14 IP address as its source.

The FortiGate routing table contains two active default static routes, one via port14 and one via port15:

get router info routing-table all
S* 0.0.0.0/0 [1/0] via 108.172.233.1, port14, [1/0]
[1/0] via 23.16.44.1, port15, [1/0]
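As an added example (not part of the original article), the following Python script parses verbosity-4 `diagnose sniffer packet` output, pairs each reply with the request it answers, and flags replies that left on a different interface than the request arrived on. The sample text is constructed from the capture above plus a second, healthy flow using a documentation address.

```python
import re

# Matches packet lines from "diagnose sniffer packet <intf> '<filter>' 4" output
# (verbosity 4 prints the interface name and in/out direction, which this check relies on).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<intf>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)

def parse_sniffer(text):
    """Yield one dict per packet line; header lines such as interfaces=[any] are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            yield pkt

def find_asymmetric_replies(text):
    """Return (flow, ingress_intf, egress_intf) for every reply that left the FortiGate
    on a different interface than the one the matching request arrived on."""
    ingress = {}   # (client, cport, server, sport) -> interface the request came in on
    findings = []
    for pkt in parse_sniffer(text):
        if pkt["dir"] == "in":
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            ingress.setdefault(key, pkt["intf"])
        else:
            # Reply: swap src/dst to look up the request it answers
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            in_intf = ingress.get(key)
            if in_intf and in_intf != pkt["intf"]:
                findings.append((key, in_intf, pkt["intf"]))
    return findings

# Constructed sample: the capture from the article plus a healthy flow from a
# documentation address (198.51.100.7) whose reply leaves on the ingress interface.
SAMPLE = """interfaces=[any]
filters=[host 216.232.68.84 and port 8880]
2024-04-22 13:21:05.628698 port14 in 216.232.68.84.52061 -> 108.172.233.251.8880: syn 758082226
2024-04-22 13:21:05.628710 port15 out 108.172.233.251.8880 -> 216.232.68.84.52061: syn 3007500123 ack 758082227
2024-04-22 13:21:06.000001 port14 in 198.51.100.7.40000 -> 108.172.233.251.8880: syn 1
2024-04-22 13:21:06.000010 port14 out 108.172.233.251.8880 -> 198.51.100.7.40000: syn 2 ack 2
"""

if __name__ == "__main__":
    for flow, in_if, out_if in find_asymmetric_replies(SAMPLE):
        print(f"asymmetric reply for {flow[0]}:{flow[1]}: request in {in_if}, reply out {out_if}")
```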

This issue has been resolved in FortiOS version 7.4.4 (pending release at the time this article was written).

Logs required by FortiGate TAC to investigate this issue:

  1. Sniffer output
    diagnose sniffer packet any "port <port_number> and host <src/client_ip>" 4 0 l
  2. Session list
    diagnose sys session filter src <src_ip>
    diagnose sys session filter dport <port_number>
    diagnose sys session list
  3. TAC report
    execute tac report
  4. The configuration file of the FortiGate.