producttechlab

Traffic is not being forwarded to another interface

Perimiter-FW-1 # id=20085 trace_id=169 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:59286->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=169 func=init_ip_session_common line=6046 msg="allocate a new session-000046dd, tun_id=0.0.0.0"
id=20085 trace_id=169 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=169 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=169 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=169 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=170 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:59286->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=170 func=init_ip_session_common line=6046 msg="allocate a new session-000046de, tun_id=0.0.0.0"
id=20085 trace_id=170 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=170 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=170 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=170 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=171 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57329->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=171 func=init_ip_session_common line=6046 msg="allocate a new session-000046df, tun_id=0.0.0.0"
id=20085 trace_id=171 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=171 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=171 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=171 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=172 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:59286->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=172 func=init_ip_session_common line=6046 msg="allocate a new session-000046e0, tun_id=0.0.0.0"
id=20085 trace_id=172 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=172 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=172 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=172 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=173 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57329->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=173 func=init_ip_session_common line=6046 msg="allocate a new session-000046e1, tun_id=0.0.0.0"
id=20085 trace_id=173 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=173 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=173 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=173 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=174 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57329->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=174 func=init_ip_session_common line=6046 msg="allocate a new session-000046e2, tun_id=0.0.0.0"
id=20085 trace_id=174 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=174 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=174 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=174 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=175 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:59286->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=175 func=init_ip_session_common line=6046 msg="allocate a new session-000046e3, tun_id=0.0.0.0"
id=20085 trace_id=175 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=175 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=175 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=175 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=176 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57329->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=176 func=init_ip_session_common line=6046 msg="allocate a new session-000046e7, tun_id=0.0.0.0"
id=20085 trace_id=176 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=176 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=176 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=176 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=177 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:59286->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=177 func=init_ip_session_common line=6046 msg="allocate a new session-000046e9, tun_id=0.0.0.0"
id=20085 trace_id=177 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=177 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=177 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=177 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=178 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57329->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=178 func=init_ip_session_common line=6046 msg="allocate a new session-000046eb, tun_id=0.0.0.0"
id=20085 trace_id=178 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=178 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=178 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=178 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"

soudwip ghosh
producttechlab

@fortinet The firewall has a major malfunction. If you know the solution to this, please arrange a meeting.

soudwip ghosh
ozkanaltas

Hello @producttechlab ,

 

Can you check these two matters? 

 

-Did you configure SNAT on your firewall policy? 

-Do you have a valid route for that traffic? 

 

Also, this platform is a community forum, so meetings cannot be arranged through it. If you want support from Fortinet engineers, you can open a case via the support.fortinet.com website.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
producttechlab

Perimiter-FW-1 # config firewall policy

Perimiter-FW-1 (policy) # edit 1

Perimiter-FW-1 (1) # show
config firewall policy
edit 1
set name "all"
set uuid cdc38e82-127d-51ef-40ae-a82c017245ed
set srcintf "port1"
set dstintf "port6"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set logtraffic-start enable
set nat enable
next
end

Perimiter-FW-1 (1) #

 

Screenshot 2024-05-15 152227.png

soudwip ghosh
ozkanaltas

Hello @producttechlab ,

 

Can you test access to your GW via the FortiGate CLI?

 

execute ping 192.168.56.2

 

After that can you test to ping 8.8.8.8 via FortiGate CLI?

 

execute ping-option source <PORT6_IP_ADDR> 

execute ping 8.8.8.8 

 

In my opinion, either you can't reach your gateway, or your gateway is not forwarding your traffic to the internet.

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
producttechlab

Perimiter-FW-1 # execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 192.168.56.2 0.783 ms * 1.383 ms
2 * * *
3 192.168.1.1 1.621 ms 1.285 ms 1.073 ms
4 122.169.35.1 <abts-mh-dynamic-001.35.169.122.airtelbroadband.in> 12.471 ms 6.429 ms 5.899 ms
5 125.18.13.225 7.450 ms 6.276 ms 10.388 ms
6 182.79.142.222 50.427 ms 49.947 ms *
7 142.250.169.206 41.426 ms 70.014 ms 40.670 ms
8 142.250.208.105 51.252 ms 50.703 ms 51.635 ms
9 142.251.55.207 51.246 ms 50.443 ms 50.087 ms
10 8.8.8.8 <dns.google> 49.945 ms 50.250 ms 50.325 ms

Perimiter-FW-1 #

soudwip ghosh
producttechlab

This is not only an internet problem; the MPLS side has the same problem.

soudwip ghosh
producttechlab

The problem is that traffic is not moving to the other interface or to the device on the opposite side.

 

FW>>Internet

FW >>MPLS

Traffic is received on port1 (internal) but is not forwarded to MPLS or the internet. One more thing: I am able to ping the FW interface IP address.

soudwip ghosh
fricci_FTNT
Staff

Hi @producttechlab ,

From the logs you shared, I agree with @ozkanaltas: "you can't reach your gw or your gw is not forwarding your traffic to the internet."

Please try to ping your gateway as suggested by @ozkanaltas (if ICMP is allowed).
You can also try to run a packet sniffer and compare the packets seen arriving "in" on port1 with what leaves "out" on port6 toward the gateway:
diag sniffer packet any "host 10.133.100.200 and (host 8.8.8.8 or host 192.168.56.2)" 4 0 l

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-the-FortiOS-built-in-packet-sn...

 

Best regards,

---
If you have found a useful article or a solution, please like and accept it to make it easily accessible to others.
producttechlab

Perimiter-FW-1 # diag sniffer packet any "host 10.133.100.200 and (host 8.8.8.8 or host 192.168.56.2)" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.133.100.200 and (host 8.8.8.8 or host 192.168.56.2)]
2024-05-15 15:56:34.740801 port1 in 10.133.100.200.65167 -> 8.8.8.8.53: udp 31
2024-05-15 15:56:34.853486 port1 in 10.133.100.200.56320 -> 8.8.8.8.53: udp 30
2024-05-15 15:56:34.855606 port1 in 10.133.100.200.54896 -> 8.8.8.8.53: udp 28
2024-05-15 15:56:34.857338 port1 in 10.133.100.200.51735 -> 8.8.8.8.53: udp 28
2024-05-15 15:56:35.058590 port1 in 10.133.100.200.49858 -> 8.8.8.8.53: udp 47
2024-05-15 15:56:35.749083 port1 in 10.133.100.200.65167 -> 8.8.8.8.53: udp 31
2024-05-15 15:56:35.858281 port1 in 10.133.100.200.56320 -> 8.8.8.8.53: udp 30
2024-05-15 15:56:36.062205 port1 in 10.133.100.200.49858 -> 8.8.8.8.53: udp 47
2024-05-15 15:56:36.764766 port1 in 10.133.100.200.65167 -> 8.8.8.8.53: udp 31
2024-05-15 15:56:36.874429 port1 in 10.133.100.200.56320 -> 8.8.8.8.53: udp 30
2024-05-15 15:56:37.077477 port1 in 10.133.100.200.49858 -> 8.8.8.8.53: udp 47
2024-05-15 15:56:38.780626 port1 in 10.133.100.200.65167 -> 8.8.8.8.53: udp 31
2024-05-15 15:56:38.891836 port1 in 10.133.100.200.56320 -> 8.8.8.8.53: udp 30
2024-05-15 15:56:39.078018 port1 in 10.133.100.200.49858 -> 8.8.8.8.53: udp 47
2024-05-15 15:56:42.783625 port1 in 10.133.100.200.65167 -> 8.8.8.8.53: udp 31
2024-05-15 15:56:42.893237 port1 in 10.133.100.200.56320 -> 8.8.8.8.53: udp 30
2024-05-15 15:56:43.080281 port1 in 10.133.100.200.49858 -> 8.8.8.8.53: udp 47
2024-05-15 15:56:45.062923 port1 in 10.133.100.200.58800 -> 8.8.8.8.53: udp 34
2024-05-15 15:56:46.049826 port1 in 10.133.100.200.58800 -> 8.8.8.8.53: udp 34
2024-05-15 15:56:47.061310 port1 in 10.133.100.200.58800 -> 8.8.8.8.53: udp 34
2024-05-15 15:56:49.076062 port1 in 10.133.100.200.58800 -> 8.8.8.8.53: udp 34
2024-05-15 15:56:53.080089 port1 in 10.133.100.200.58800 -> 8.8.8.8.53: udp 34
2024-05-15 15:56:59.256727 port1 in 10.133.100.200 -> 192.168.56.2: icmp: echo request
2024-05-15 15:57:03.858861 port1 in 10.133.100.200 -> 192.168.56.2: icmp: echo request
2024-05-15 15:57:08.861434 port1 in 10.133.100.200 -> 192.168.56.2: icmp: echo request

 

soudwip ghosh