Skip to main content
nshar
nshar
New Member
November 14, 2021
Question

FortiGate - Not forwarding traffic

  • November 14, 2021
  • 3 replies
  • 9407 views

Having an issue with FGT-v6-build1911 running in KVM. Running this under a trial license for some lab builds and training purposes.

 

When I create a new instance traffic passes for a short amount of time and I can see route lookup and policy lookups taking place. Then after some time flows get stuck at route lookup and no traffic is able to pass the FW. Example of a flow trace when this happens:

 

id=20085 trace_id=2 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id=" id=20085 trace_id=2 func=init_ip_session_common line=5898 msg="allocate a new session-00001632" id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3" id=20085 trace_id=3 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id=" id=20085 trace_id=3 func=init_ip_session_common line=5898 msg="allocate a new session-00001636" id=20085 trace_id=3 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"

 

Only workaround I have is to backup the config and restore it to a new instance which allows traffic to pass through again for some limited amount of time. I've tried clearing all sessions with no luck.

 

Any help would be appreciated. I can only think it's a bug with my setup or a limitation with the trial license I'm not aware of.

 

    3 replies

    A
    Anonymous_User
    New Contributor III
    November 17, 2021

    hi @nshar

    Please share me the output for,

    diag sniffer packet any "host x.x.x.x" 4 0 a
    replace x.x.x.x with destination IP and try to the destination and share the output

      Debbie_FTNT
      Staff & Editor
      Debbie_FTNT
      Staff & Editor
      November 17, 2021

      Hey @nshar,

      thank you for sharing that debug flow snippet.

      This is ICMP traffic (a ping?), correct? Do you have the same issue with other traffic? How long does it roughly take for the FortiGate to stop forwarding the traffic?


      I would suggest you check the following:

      - dia sniffer output, as @Anonymous suggested, to verify if traffic is leaving the FortiGate and perhaps being dropped somewhere behind it
      - DoS policies on the FortiGate, if you have them enabled -> they could cause ping to be dropped after a certain threshold is reached
      - any forward traffic logs you have, to see if the traffic is denied for some reason or dropped by implicit deny

      -> you might need to enable logging on implicit deny (right-click on the log setting for implicit deny in the policy table, then select 'All' and save)
      -> debug flow might show some information regarding traffic being denied or dropped by implicit deny; if nothing is visible in debug flow, this suggests the issue might not be with policy matching but something else


      A rough guide for initial troubleshooting for potentially blocked traffic may be found here: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Initial-troubleshooting-steps-for-traffic/ta-p/190456?externalID=FD52022

       

      Hope this helps :)

        QNET
        QNET
        New Member
        December 13, 2023

        I have same problem...the traffic not even logged...I did enabled log on denied rule and allow rule but no log.

        From my PC can ping the WAN interface of the FGT that is it.

         

        Terms & ConditionsAccessibility statement