tomeks
New Member
January 25, 2022
Question

Fortigate asymmetric routing

  • 3 replies
  • 13078 views

Where in Fortigate can I observe that the connection has been blocked due to asymmetric routing? I can't see log entries.

3 replies

akristof
Staff
January 26, 2022

Hello,

Thank you for your question. You will not see an explicit log related to asymmetric routing. You might see logs related to "No session match". The best way to confirm asymmetric routing is with debug flow:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connectivity/ta-p/192560


tomeks (Author)
New Member
January 26, 2022

What I miss after the change from Barracuda to Fortigate is the lack of one place where I can see why the connection failed. Diagnose sniffer will also often fail to show traffic if it is performed by SPU.

akristof
Staff
January 26, 2022

Hi.

Yes. But if traffic does not match any known session, then the packet is visible in packet capture or debug and in many scenarios, no-session-matched log is generated.

tomeks (Author)
New Member
January 26, 2022

That is very bad. Sometimes the problem can arise when I do not have access to the fortigate.

Markus_M
Staff & Editor
January 28, 2022

If there is return traffic coming from some source, it will be dropped. As mentioned earlier, it will not match an existing session as it actually seems to match one, but the ingress interface is not matching. Forward traffic log for that policy should contain that log. Be aware that your policy logging setting must be set to "log all", UTM will not log the traffic.

tomeks (Author)
New Member
January 28, 2022

I have full log enabled.
There is no information in diagnose debug that it assigned a link to a policy (even though such a policy exists). Probably logs nothing for this.

id=20085 trace_id=21 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 192.168.129.10:1->192.168.133.10:2048) from vlan1. type=8, code=0, id=1, seq=10215."
id=20085 trace_id=21 func=init_ip_session_common line=5955 msg="allocate a new session-005c2ba9"
id=20085 trace_id=21 func=ip_route_input_slow line=2266 msg="reverse path check fail, drop"
id=20085 trace_id=21 func=ip_session_handle_no_dst line=6041 msg="trace"
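As an added example (not code from the thread or from Fortinet), the following Python groups `diagnose debug flow` output by trace_id and flags the traces that were dropped at the reverse path check, which is exactly the pattern in the output posted above: a session gets allocated, then `ip_route_input_slow` reports "reverse path check fail, drop", so no "no session match" log ever appears. The sample reuses the four lines posted above; the second trace (trace_id=22) is constructed for contrast and only reuses message formats seen in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: trace 21 is the output posted in the thread,
# trace 22 is a constructed, non-dropped trace for contrast.
SAMPLE = """\
id=20085 trace_id=21 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 192.168.129.10:1->192.168.133.10:2048) from vlan1. type=8, code=0, id=1, seq=10215."
id=20085 trace_id=21 func=init_ip_session_common line=5955 msg="allocate a new session-005c2ba9"
id=20085 trace_id=21 func=ip_route_input_slow line=2266 msg="reverse path check fail, drop"
id=20085 trace_id=21 func=ip_session_handle_no_dst line=6041 msg="trace"
id=20085 trace_id=22 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 192.168.129.10:1->192.168.133.10:2048) from vlan2. type=8, code=0, id=1, seq=10216."
id=20085 trace_id=22 func=init_ip_session_common line=5955 msg="allocate a new session-005c2baa"
"""

# One debug flow line: trace_id, the kernel function, and the quoted message.
LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"$')
# Packet summary inside a print_pkt_detail message: proto, src, dst, ingress interface.
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')


def parse_flow(text):
    """Group debug flow lines by trace_id -> ordered list of (func, msg)."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[int(m.group(1))].append((m.group(2), m.group(3)))
    return dict(traces)


def rpf_drops(text):
    """Return {trace_id: summary} for every trace dropped by the reverse path check."""
    drops = {}
    for tid, steps in parse_flow(text).items():
        if not any(f == "ip_route_input_slow" and "reverse path check fail" in msg
                   for f, msg in steps):
            continue
        summary = {"trace_id": tid,
                   # True when the drop happened after a session was allocated
                   "session_allocated": any("allocate a new session" in msg for _, msg in steps)}
        for f, msg in steps:
            p = PKT_RE.search(msg) if f == "print_pkt_detail" else None
            if p:
                summary.update(proto=int(p.group(1)), src=p.group(2),
                               dst=p.group(3), ingress=p.group(4))
        drops[tid] = summary
    return drops


if __name__ == "__main__":
    for tid, s in rpf_drops(SAMPLE).items():
        print(f"trace {tid}: RPF drop of proto {s['proto']} {s['src']}->{s['dst']} "
              f"arriving on {s['ingress']} (session allocated: {s['session_allocated']})")
```

Paste a captured `diagnose debug flow` session in place of SAMPLE; any trace reported here arrived on an interface that does not match the route back to its source, which is the asymmetric routing case the thread is about.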