liam3w
New Member
May 25, 2012
Question

VPN-IPsec: 137/udp

  • May 25, 2012
  • 5 replies
  • 3968 views
Hello, we are testing a VPN-IPsec connection through a Fortigate 80CM. It seems that the traffic stops in the Fortigate at port 137/udp; the log entry is enclosed below. How could port 137 traffic be enabled in the Fortigate?

    2012-05-25 23:58:46 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd="root" src=192.168.1.112 srcname=192.168.1.112 src_port=137 dst=192.168.1.255 dstname=192.168.1.255 dst_country="Reserved" src_country="Reserved" dst_port=137 service=137/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" vpn_type=UNKNOWN(65535) vpn_tunnel="N/A" src_int="internal" dst_int="root" SN=27715 app="N/A" app_cat="N/A" user="N/A" group="N/A" msg="iprope_in_check() check failed, drop" carrier_ep="N/A" profilegroup="N/A" subapp="N/A" subappcat="N/A"

Thanks
liam3w

    5 replies

    rwpatterson
    New Member
    May 26, 2012
    Since there is no predefined service for UDP/137, you must first create one. Make sure the source port range is 1024-65535. Next, add this service to the policy allowing that particular traffic in/out through the policy. If you read that message, it states policy 0 (zero). That means implicitly, it's denied.

        2012-05-25 23:58:46 log_id=0038000007 type=traffic subtype=other pri=warning status=deny vd="root" src=192.168.1.112 srcname=192.168.1.112 src_port=137 dst=192.168.1.255 dstname=192.168.1.255 dst_country="Reserved" src_country="Reserved" dst_port=137 service=137/udp proto=17 app_type=N/A duration=0 rule=0 policyid=0 identidx=0 sent=0 rcvd=0 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name="N/A" shaper_rcvd_name="N/A" perip_name="N/A" vpn="N/A" vpn_type=UNKNOWN(65535) vpn_tunnel="N/A" src_int="internal" dst_int="root" SN=27715 app="N/A" app_cat="N/A" user="N/A" group="N/A" msg="iprope_in_check() check failed, drop" carrier_ep="N/A" profilegroup="N/A" subapp="N/A" subappcat="N/A"
    liam3w
    liam3wAuthor
    New Member
    May 29, 2012
    Thanks for the information! Custom service was added:
        Name: UDP/137,138
        Protocol Type: TCP/UDP/SCTP
        Protocol: UDP
        Source port: Low 1024 High 65535
        Destination Port: Low 137 High 138
    New Policy was added before the generic policies:
        Source Interface/Zone: any
        Source Address: all
        Destination Interface/Zone: any
        Destination Address: all
        Schedule: always
        Service: UDP/137,138
        Action: Accept
        Log Allowed Traffic: enabled
        Enable NAT: enabled
    Still 137/udp packets are not going through the Fortigate. What might still be incorrect in the configuration?
    Thanks
    liam3w
    emnoc
    New Member
    May 29, 2012
    We can only guess why it's being dropped; diag debug flow is your friend:
        diag debug enable
        diag debug flow filter port 137
        diag debug flow show console enable
        diag debug flow trace start 1000
    It should give you a clue as to what to look at next, but it's probably a firewall policy or maybe PBR taking place if you have any PBR routing. Also to add, that log shows it as some type of broadcast packet, which is what 137 is typically used for, and NetBIOS lookup. So I bet you that TTL is probably not set and, more importantly, you're not going to get a NetBIOS packet to look up a host via a VPN tunnel. You probably need to build DNS/WINS zones between local/remote subnets on either side of the tunnels IMHO.
    liam3w
    liam3wAuthor
    New Member
    May 30, 2012
    Thanks for the help! Here is the debug log; does it give any further hints what to try next?

        FG80CM3909605232 #
        id=36871 trace_id=1 msg="vd-root received a packet(proto=17, 192.168.1.111:137->192.168.1.255:137) from internal."
        id=36871 trace_id=1 msg="allocate a new session-00002ac2"
        id=36871 trace_id=1 msg="iprope_in_check() check failed, drop"
        id=36871 trace_id=2 msg="vd-root received a packet(proto=17, 192.168.1.111:137->192.168.1.255:137) from internal."
        id=36871 trace_id=2 msg="allocate a new session-00002ac3"
        id=36871 trace_id=2 msg="find a route: gw-192.168.1.255 via root"
        id=36871 trace_id=2 msg="iprope_in_check() check failed, drop"
        id=36871 trace_id=3 msg="vd-root received a packet(proto=17, 192.168.1.111:137->192.168.1.255:137) from internal."
        id=36871 trace_id=3 msg="allocate a new session-00002ac4"
        id=36871 trace_id=3 msg="find a route: gw-192.168.1.255 via root"
        id=36871 trace_id=3 msg="iprope_in_check() check failed, drop"
        id=36871 trace_id=4 msg="vd-root received a packet(proto=17, 192.168.1.111:137->192.168.1.255:137) from internal."
        id=36871 trace_id=4 msg="allocate a new session-00002ac6"
        id=36871 trace_id=4 msg="iprope_in_check() check failed, drop"
        id=36871 trace_id=5 msg="vd-root received a packet(proto=17, 192.168.1.111:137->192.168.1.255:137) from internal."
        id=36871 trace_id=5 msg="allocate a new session-00002ac7"
        id=36871 trace_id=5 msg="find a route: gw-192.168.1.255 via root"
        id=36871 trace_id=5 msg="iprope_in_check() check failed, drop"
        id=36871 trace_id=6 msg="vd-root received a packet(proto=17, 192.168.1.111:137->192.168.1.255:137) from internal."
        id=36871 trace_id=6 msg="allocate a new session-00002ac8"
        id=36871 trace_id=6 msg="find a route: gw-192.168.1.255 via root"
        id=36871 trace_id=6 msg="iprope_in_check() check failed, drop"
        id=36871 trace_id=7 msg="vd-root received a packet(proto=17, 192.168.1.111:137->192.168.1.255:137) from internal."
        id=36871 trace_id=7 msg="allocate a new session-00002aca"
        id=36871 trace_id=7 msg="iprope_in_check() check failed, drop"
        id=36871 trace_id=8 msg="vd-root received a packet(proto=17, 192.168.1.111:137->192.168.1.255:137) from internal."
        id=36871 trace_id=8 msg="allocate a new session-00002acb"
        id=36871 trace_id=8 msg="find a route: gw-192.168.1.255 via root"
        id=36871 trace_id=8 msg="iprope_in_check() check failed, drop"
        id=36871 trace_id=9 msg="vd-root received a packet(proto=17, 192.168.1.111:137->192.168.1.255:137) from internal."
        id=36871 trace_id=9 msg="allocate a new session-00002acc"
        id=36871 trace_id=9 msg="find a route: gw-192.168.1.255 via root"
        id=36871 trace_id=9 msg="iprope_in_check() check failed, drop"

    Thanks
    liam3w
    emnoc
    New Member
    May 30, 2012
    Did you read what I posted earlier? This is a broadcast packet and NetBIOS. It's not going thru the tunnel as-if.
        192.168.1.111:137->192.168.1.255:137
    To learn about this type of error:
        iprope_in_check() check failed, drop
    http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=FD31702
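As an added illustration of the two points made in the replies (policyid=0 meaning the implicit deny matched, and the destination being a subnet broadcast on the NetBIOS port rather than a tunnel-bound unicast packet), the following is example code written for this page, not Fortinet's or either poster's. It parses FortiGate key=value records of the kind quoted in the thread, from both the traffic log and the "diag debug flow" trace, and reports why such a record would be expected to end in a drop. The sample records are constructed and trimmed from the thread's output, and the LAN prefix 192.168.1.0/24 is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed samples in the format of the thread's traffic log and
# "diag debug flow" trace output (fields trimmed for brevity).
TRAFFIC_LOG = (
    'log_id=0038000007 type=traffic subtype=other pri=warning status=deny '
    'vd="root" src=192.168.1.112 src_port=137 dst=192.168.1.255 dst_port=137 '
    'service=137/udp proto=17 rule=0 policyid=0 src_int="internal" '
    'dst_int="root" msg="iprope_in_check() check failed, drop"'
)
FLOW_TRACE = [
    'id=36871 trace_id=2 msg="vd-root received a packet(proto=17, '
    '192.168.1.111:137->192.168.1.255:137) from internal."',
    'id=36871 trace_id=2 msg="allocate a new session-00002ac3"',
    'id=36871 trace_id=2 msg="find a route: gw-192.168.1.255 via root"',
    'id=36871 trace_id=2 msg="iprope_in_check() check failed, drop"',
]

# key=value pairs; a quoted value may contain spaces and its own "k=v" text
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Split one FortiGate key=value record into a dict, unquoting values."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV.findall(line)}


def classify_deny(rec, lan="192.168.1.0/24"):
    """Return the reasons (as in the thread's replies) a record was dropped.

    lan is an assumed local prefix used to recognise the subnet broadcast."""
    reasons = []
    if rec.get("status") == "deny" and rec.get("policyid") == "0":
        reasons.append("implicit deny: no firewall policy matched (policyid=0)")
    if ip_address(rec["dst"]) == ip_network(lan).broadcast_address:
        reasons.append("subnet broadcast destination: not forwarded over an IPsec tunnel")
    if rec.get("proto") == "17" and rec.get("dst_port") in ("137", "138"):
        reasons.append("NetBIOS name/datagram service: use DNS/WINS across the tunnel")
    return reasons


def trace_outcome(lines):
    """Group debug-flow lines by trace_id and keep each trace's final message."""
    last = {}
    for rec in map(parse_kv, lines):
        last[rec["trace_id"]] = rec["msg"]
    return last


if __name__ == "__main__":
    for r in classify_deny(parse_kv(TRAFFIC_LOG)):
        print(r)
    print(trace_outcome(FLOW_TRACE))
```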