Jeff_the_Network_Guy
New Member
May 7, 2014
Question

What am I missing here?

  • May 7, 2014
  • 8 replies
  • 10531 views
I am trying to access a machine that is plugged into Port 6 of my 300C (5.0.7) from a LAN Aggregate port setup. For the life of me I cannot figure out why it isn't working. I have the policy to allow traffic from the LAN Agg to Port 6, and a policy route so the traffic knows where to go. When I try to connect nothing happens and the debug flow looks like this:

    ADFG16 # id=13 trace_id=468 msg="vd-root received a packet(proto=17, 10.1.10.106:138->10.1.10.255:138) from port6."
    id=13 trace_id=468 msg="allocate a new session-016914b0"
    id=13 trace_id=468 msg="find a route: gw-10.1.10.255 via root"
    id=13 trace_id=468 msg="iprope_in_check() check failed, drop"
    id=13 trace_id=469 msg="vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
    id=13 trace_id=469 msg="allocate a new session-01691627"
    id=13 trace_id=469 msg="Match policy routing: to 10.1.10.1 via ifindex-5"
    id=13 trace_id=469 msg="find a route: gw-10.1.10.1 via root"
    id=13 trace_id=469 msg="iprope_in_check() check failed, drop"
    id=13 trace_id=470 msg="vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
    id=13 trace_id=470 msg="allocate a new session-016916d1"
    id=13 trace_id=470 msg="Match policy routing: to 10.1.10.1 via ifindex-5"
    id=13 trace_id=470 msg="find a route: gw-10.1.10.1 via root"
    id=13 trace_id=470 msg="iprope_in_check() check failed, drop"
    id=13 trace_id=471 msg="vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
    id=13 trace_id=471 msg="allocate a new session-01691730"
    id=13 trace_id=471 msg="Match policy routing: to 10.1.10.1 via ifindex-5"
    id=13 trace_id=471 msg="find a route: gw-10.1.10.1 via root"
    id=13 trace_id=471 msg="iprope_in_check() check failed, drop"
    id=13 trace_id=472 msg="vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
    id=13 trace_id=472 msg="allocate a new session-016917f6"
    id=13 trace_id=472 msg="Match policy routing: to 10.1.10.1 via ifindex-5"
    id=13 trace_id=472 msg="find a route: gw-10.1.10.1 via root"
    id=13 trace_id=472 msg="iprope_in_check() check failed, drop"
    id=13 trace_id=473 msg="vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
    id=13 trace_id=473 msg="allocate a new session-01692af5"
    id=13 trace_id=473 msg="Match policy routing: to 10.1.10.1 via ifindex-5"
    id=13 trace_id=473 msg="find a route: gw-10.1.10.1 via root"
    id=13 trace_id=473 msg="iprope_in_check() check failed, drop"
    id=13 trace_id=474 msg="vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
    id=13 trace_id=474 msg="allocate a new session-01692b61"
    id=13 trace_id=474 msg="Match policy routing: to 10.1.10.1 via ifindex-5"
    id=13 trace_id=474 msg="find a route: gw-10.1.10.1 via root"
    id=13 trace_id=474 msg="iprope_in_check() check failed, drop"
    id=13 trace_id=475 msg="vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
    id=13 trace_id=475 msg="allocate a new session-01692c01"
    id=13 trace_id=475 msg="Match policy routing: to 10.1.10.1 via ifindex-5"
    id=13 trace_id=475 msg="find a route: gw-10.1.10.1 via root"
    id=13 trace_id=475 msg="iprope_in_check() check failed, drop"

This has got to be something simple, but after hours of staring I'm just going cross-eyed.
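Reading `diag debug flow` output is easier when the messages are grouped per `trace_id` and reduced to the decision that matters (which policy route matched, which route was found, and whether the packet was allowed, dropped, or matched an existing session). The script below is an added example written for this page, not FortiOS code or anything posted in the thread; it parses a sample built from the trace lines quoted above (masked WAN addresses kept as `XXX.XXX.XXX.n`), works whether the messages are one per line or run together the way pasted output often is, and attaches a hint for the `iprope_in_check()` drop reason discussed in the replies. The hint text and the helper names are ours.

```python
"""Summarise FortiGate "diag debug flow" output per trace_id (added example)."""
import re
from collections import OrderedDict

# Constructed sample from the thread: one dropped trace (473), one SNATed
# trace (668) and the follow-up packet that hit the existing session (669).
SAMPLE = '''
id=13 trace_id=473 msg="vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=473 msg="allocate a new session-01692af5"
id=13 trace_id=473 msg="Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=473 msg="find a route: gw-10.1.10.1 via root"
id=13 trace_id=473 msg="iprope_in_check() check failed, drop"
id=13 trace_id=668 msg="vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=668 msg="allocate a new session-017a5d5d"
id=13 trace_id=668 msg="Match policy routing: to XXX.XXX.XXX.97 via ifindex-10"
id=13 trace_id=668 msg="find a route: gw-XXX.XXX.XXX.97 via port1"
id=13 trace_id=668 msg="find SNAT: IP-XXX.XXX.XXX.105, port-54556"
id=13 trace_id=668 msg="Allowed by Policy-9: SNAT"
id=13 trace_id=668 msg="SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
id=13 trace_id=669 msg="vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=669 msg="Find an existing session, id-017a5d5d, original direction"
'''

MSG_RE = re.compile(r'trace_id=(\d+)\s+msg="\s*([^"]*?)\s*"')
PKT_RE = re.compile(
    r"received a packet\(proto=(\d+),\s*([\d.]+):(\d+)->([\d.]+):(\d+)\)\s+from\s+(\S+?)\.?$")
POLICY_RE = re.compile(r"Allowed by Policy-(\d+)")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

# Hint for the drop reason discussed in the thread (wording is ours).
DROP_HINTS = {
    "iprope_in_check() check failed":
        "the packet was treated as local-in traffic, i.e. addressed to the FortiGate itself; "
        "check whether a policy route or static route names one of the firewall's own "
        "interface addresses as next hop, or whether the service is one the firewall "
        "restricts locally (ssh, sslvpn, ...)",
}


def parse_debug_flow(text):
    """Group messages by trace_id and derive a per-trace verdict."""
    traces = OrderedDict()
    for tid, msg in MSG_RE.findall(text):
        tid = int(tid)
        t = traces.setdefault(tid, {"trace_id": tid, "verdict": "unknown",
                                    "snat": False, "messages": []})
        t["messages"].append(msg)
        pkt = PKT_RE.search(msg)
        if pkt:
            proto, src, sport, dst, dport, intf = pkt.groups()
            t.update(proto=PROTO.get(int(proto), proto), src=src, sport=int(sport),
                     dst=dst, dport=int(dport), in_intf=intf)
        elif msg.startswith("Match policy routing:"):
            t["policy_route"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("find a route:"):
            t["route"] = msg.split(":", 1)[1].strip()
        elif msg.endswith(", drop"):
            t["verdict"] = "drop"
            t["reason"] = msg[: -len(", drop")]
        elif POLICY_RE.match(msg):
            t["verdict"] = "allow"
            t["policy_id"] = int(POLICY_RE.match(msg).group(1))
        elif msg.startswith("SNAT "):
            t["snat"] = True
        elif msg.startswith("Find an existing session"):
            t["verdict"] = "existing-session"
    return list(traces.values())


def explain_drop(trace):
    """Hint for a dropped trace; None if the trace was not dropped."""
    if trace["verdict"] != "drop":
        return None
    return DROP_HINTS.get(trace.get("reason"), "unrecognised drop reason")


def summarize(trace):
    """One line per trace: 5-tuple, ingress interface, routing decision, verdict."""
    fields = {k: trace.get(k, "?") for k in
              ("trace_id", "proto", "src", "sport", "dst", "dport", "in_intf")}
    line = "trace {trace_id}: {proto} {src}:{sport} -> {dst}:{dport} in {in_intf}".format_map(fields)
    if "policy_route" in trace:
        line += " | PBR " + trace["policy_route"]
    if "route" in trace:
        line += " | route " + trace["route"]
    line += " => " + trace["verdict"]
    if trace["verdict"] == "allow":
        line += " by policy %d%s" % (trace["policy_id"], " (SNAT)" if trace["snat"] else "")
    if trace["verdict"] == "drop":
        line += " (%s)" % trace["reason"]
    return line


if __name__ == "__main__":
    for t in parse_debug_flow(SAMPLE):
        print(summarize(t))
        hint = explain_drop(t)
        if hint:
            print("    hint:", hint)
```

Run on the sample, trace 473 is reported as a drop with the `iprope_in_check()` hint, trace 668 as allowed by policy 9 with SNAT out port1, and trace 669 as a hit on the existing session. Feeding it a full capture (`diag debug flow trace start 100` with a filter on the target host, as in the thread) gives one line per flow, which is far quicker to scan than the raw messages.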


    emnoc
    New Member
    May 8, 2014
    Can you explain your PBR design and how/where the ip_address of 10.1.10.1 sits in this design? Also the "http://kb.fortinet.com/kb/viewContent.do?externalId=FD31702&sliceId=1" will help understand some of the common drops, but iprope_in check is normally when trying to access something local on the firewall and is not allowed or restricted i.e. ssh sslvpn etc....... How this (error) plays in your design is unclear until we see your pbr and/or better yet a topology map. My hunch is your PBR is to some other interface on the 300C? But I'm 100% clear on what the LAN_aggr and port6 interfaces are doing, nor what you're doing exactly with PBR or why you need it.
    Jeff_the_Network_Guy
    New Member
    May 8, 2014
    The 10.1.10.0 is on Port six of the 300C. It contains three servers that connect to the Internet but not to my Production LAN (LAN_Aggr). I want to be able to RDP from the Production network to the servers though, so I can perform administrative maintenance. Before I added the PBR any attempt to reach the 10.1.10.0 network from LAN_Aggr went out the primary internet connection. I have several PBRs due to a need to use a certain Internet connection (IP) for specific sites, and the other connection for everything else. Here are the routes and the policy:

        config router policy
            edit 23
                set input-device "LAN_Aggr"
                set src 192.168.0.0 255.255.252.0
                set dst 10.1.10.0 255.255.255.0
                set gateway 10.1.10.1
                set output-device "port6"
            next
            edit 20
                set input-device "LAN_Aggr"
                set src 192.168.1.0 255.255.255.0
                set dst 208.86.144.199 255.255.255.255
                set gateway 209.221.7.97
                set output-device "port1"
                set comments "ECL via Exp"
            next
            edit 21
                set input-device "LAN_Aggr"
                set src 192.168.1.0 255.255.255.0
                set dst 63.86.112.248 255.255.255.255
                set gateway 209.221.7.97
                set output-device "port1"
                set comments "EStaff via Exp"
            next
            edit 22
                set input-device "LAN_Aggr"
                set src 192.168.1.0 255.255.255.0
                set dst 67.104.186.15 255.255.255.255
                set gateway 209.221.7.97
                set output-device "port1"
                set comments "FTP for N24 via Exp"
            next
            edit 18
                set input-device "LAN_Aggr"
                set src 192.168.1.0 255.255.255.0
                set dst 72.159.68.196 255.255.255.255
                set gateway 209.221.7.97
                set output-device "port1"
                set comments "AmEmp website via Exp"
            next
            edit 2
                set input-device "LAN_Aggr"
                set src 192.168.1.0 255.255.255.0
                set gateway 24.123.126.33
                set output-device "port3"
                set comments "PC Traffic to TWC"
            next
            edit 3
                set input-device "LAN_Aggr"
                set src 192.168.0.0 255.255.255.0
                set gateway 209.221.7.97
                set output-device "port1"
                set comments "Server traffic to EXP"
            next
            edit 16
                set input-device "LAN_Aggr"
                set src 192.168.120.0 255.255.255.0
                set gateway 24.123.126.33
                set output-device "port3"
                set comments "Send IT PCs to TWC"
            next
            edit 17
                set input-device "LAN_Aggr"
                set src 192.168.130.0 255.255.255.0
                set gateway 24.123.126.33
                set output-device "port3"
                set comments "Send DEV PCs to TWC"
            next
        end

        config firewall policy
            edit 44
                set srcintf "LAN_Aggr"
                set dstintf "port6"
                set srcaddr "LAN_HQ"
                set dstaddr "STM"
                set action accept
                set schedule "always"
                set service "ALL_ICMP" "RDP"
                set logtraffic all
            next
        end

    STM is an Address object of type Subnet 10.1.10.0/24. The PBR abbreviation took me a minute, I was totally thinking of Pabst Blue Ribbon Beer. I think I'm working too much.
    Jeff_the_Network_Guy
    New Member
    May 8, 2014
    Staring at this again, do I need a PBR to get the traffic back from Port6 to LAN_Aggr?
    emnoc
    New Member
    May 8, 2014
    Sorry about my use of the PBR abbr. But now I see your issues. Qs: Is LAN_Aggr a direct connected interface & local to the fortigate firewall? Can you give us a view of your route tables: get router info routing-table connected and get router info routing-table all and get router info policy. And yes I don't think you need PBR in this case. If you remove the pbr policies what happens and what does your diag debug flow show?
    Jeff_the_Network_Guy
    New Member
    May 8, 2014
        ADFG16 # get router info routing-table connected
        C 10.1.1.0/24 is directly connected, VisitorWIFI
        C 10.1.10.0/24 is directly connected, port6
        C 10.10.1.0/24 is directly connected, port5
        C 10.20.30.0/24 is directly connected, EmployeeDevices
        C XXX.XXX.XXX.32/27 is directly connected, port3
        C 172.16.0.0/24 is directly connected, Aethernet
        C 172.16.10.0/24 is directly connected, AppleTV
        C 192.168.0.0/22 is directly connected, LAN_Aggr
        C 192.168.89.0/24 is directly connected, port9
        C 192.168.100.0/24 is directly connected, port2
        C XXX.XXX.XXX.96/28 is directly connected, port1
        ADFG16 #
        ADFG16 # get router info routing-table all
        Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
               O - OSPF, IA - OSPF inter area
               N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
               E1 - OSPF external type 1, E2 - OSPF external type 2
               i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
               * - candidate default
        S*    0.0.0.0/0 [10/0] via XXX.XXX.XXX.97, port1
                        [10/0] via XXX.XXX.XXX.33, port3, [30/0]
        C     10.1.1.0/24 is directly connected, VisitorWIFI
        C     10.1.10.0/24 is directly connected, port6
        C     10.10.1.0/24 is directly connected, port5
        C     10.20.30.0/24 is directly connected, EmployeeDevices
        C     XXX.XXX.XXX.32/27 is directly connected, port3
        C     172.16.0.0/24 is directly connected, Aethernet
        C     172.16.10.0/24 is directly connected, AppleTV
        C     192.168.0.0/22 is directly connected, LAN_Aggr
        C     192.168.89.0/24 is directly connected, port9
        C     192.168.100.0/24 is directly connected, port2
        S     192.168.120.0/24 [10/0] via 192.168.0.20, LAN_Aggr
        S     192.168.130.0/24 [10/0] via 192.168.0.20, LAN_Aggr
        S     192.168.200.0/24 [10/0] via 192.168.3.1, LAN_Aggr
        C     XXX.XXX.XXX.96/28 is directly connected, port1
        ADFG16 #
        ADFG16 # get router info policy
        command parse error before 'policy'
        Command fail. Return code -61

    I removed the PBR and tried to access one of the servers via RDP:

        ADFG16 #
        ADFG16 # diag debug enable
        ADFG16 # diag debug flow show console enable
        show trace messages on console
        ADFG16 # diag debug flow filter add 10.1.10.106
        ADFG16 # diag debug flow start 100
        ADFG16 # diag debug flow trace start 100
        ADFG16 # id=13 trace_id=668 msg="vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
        id=13 trace_id=668 msg="allocate a new session-017a5d5d"
        id=13 trace_id=668 msg="Match policy routing: to XXX.XXX.XXX.97 via ifindex-10"
        id=13 trace_id=668 msg="find a route: gw-XXX.XXX.XXX.97 via port1"
        id=13 trace_id=668 msg="use addr/intf hash, len=9"
        id=13 trace_id=668 msg="find SNAT: IP-XXX.XXX.XXX.105, port-54556"
        id=13 trace_id=668 msg="Allowed by Policy-9: SNAT"
        id=13 trace_id=668 msg="SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
        id=13 trace_id=669 msg="vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
        id=13 trace_id=669 msg="Find an existing session, id-017a5d5d, original direction"
        id=13 trace_id=669 msg="SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
        id=13 trace_id=670 msg="vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
        id=13 trace_id=670 msg="Find an existing session, id-017a5d5d, original direction"
        id=13 trace_id=670 msg="SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"

    I just noticed the traffic to XXX.XXX.XXX.105. That would be the IP of Port 1 and the upstream router is .97
    emnoc
    New Member
    May 8, 2014
    What? You don't need PBR in this case. What's the address of the client 192.168.0.241? And is it going to a host on port 6? If yes, then you don't need PBR, you don't need SNAT.
    Jeff_the_Network_Guy
    New Member
    May 8, 2014
    192.168.0.241 is my PC on the LAN_AGGR network (192.168.0.0/255.255.252.0). The SNAT is coming from Policy #9, which is the policy that allows my PC Internet access. When I go out to the Internet, I am NATed as the address of PORT1. That is why I put in the PBR, because I thought my PC didn't know how to reach 10.1.10.106. I can ping 10.1.10.1 with or without the PBR.
    emnoc
    New Member
    May 9, 2014
    Don't know why you think you need pbr, but what I would do is strike the policy-route statement. And recreate a firewall policy that actually allows traffic from "LAN_Aggr" to "Port6", no nat. e.g. (this looks good)

        edit 44
            set srcintf "LAN_Aggr"
            set dstintf "port6"
            set srcaddr "LAN_HQ"
            set dstaddr "STM"          <---- is the correct destination host
            set action accept
            set schedule "always"
            set service "ALL_ICMP" "RDP"
            set logtraffic all
        next
        end

    For the pbr policy #23 I would remove that policy:

        config router policy
        delete 23

    Like I mentioned before, I question your use of PBR. I don't see how you think you need it. The Policy that allows traffic from your inside to outside and SNAT has nothing, or should have nothing, to do with traffic to port6.
    Jeff_the_Network_Guy
    New Member
    May 9, 2014
    I only added the policy route after I determined that when I tried to access the 10.1.10.0 network on Port 6 from the LAN_Aggr (192.168.0.0) my traffic was being routed out the primary WAN connection (port1).

    Before PBR:

        ADFG16 # id=13 trace_id=668 msg="vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
        id=13 trace_id=668 msg="allocate a new session-017a5d5d"
        id=13 trace_id=668 msg="Match policy routing: to XXX.XXX.XXX.97 via ifindex-10"
        id=13 trace_id=668 msg="find a route: gw-XXX.XXX.XXX.97 via port1"
        id=13 trace_id=668 msg="use addr/intf hash, len=9"
        id=13 trace_id=668 msg="find SNAT: IP-XXX.XXX.XXX.105, port-54556"
        id=13 trace_id=668 msg="Allowed by Policy-9: SNAT"
        id=13 trace_id=668 msg="SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"

    After PBR:

        id=13 trace_id=473 msg="vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
        id=13 trace_id=473 msg="allocate a new session-01692af5"
        id=13 trace_id=473 msg="Match policy routing: to 10.1.10.1 via ifindex-5"
        id=13 trace_id=473 msg="find a route: gw-10.1.10.1 via root"
        id=13 trace_id=473 msg="iprope_in_check() check failed, drop"
        id=13 trace_id=474 msg="vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
        id=13 trace_id=474 msg="allocate a new session-01692b61"
        id=13 trace_id=474 msg="Match policy routing: to 10.1.10.1 via ifindex-5"
        id=13 trace_id=474 msg="find a route: gw-10.1.10.1 via root"
        id=13 trace_id=474 msg="iprope_in_check() check failed, drop"
    emnoc
    New Member
    May 9, 2014
    Once again, do you have a fwpolicy for traffic from the LAN_Aggr network & to the Port6? That before trace shows traffic SNAT and sent out of port1. I'm assuming Port1 is your wan-uplink.
    Jeff_the_Network_Guy
    New Member
    May 9, 2014
        ADFG16 (policy) # edit 44
        ADFG16 (44) # show
        config firewall policy
            edit 44
                set srcintf "LAN_Aggr"
                set dstintf "port6"
                set srcaddr "LAN_HQ"
                set dstaddr "STM"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
        ADFG16 (44) #

    LAN_HQ is 192.168.0.0/255.255.252.0, STM is 10.1.10.0/255.255.255.0. It is essentially like the Fortigate is not routing or not aware of its own interfaces.
    emnoc
    New Member
    May 9, 2014
    Things to look at? Does the host seem to ping from the firewall directly? Is the netmask correct on the host? Is the service enabled on that host? Does diag debug flow show you matching fwpolicy id #44 now? Do you have any other fwpolicies ahead of it that might be blocking? Have you tried to move the fwpolicy id #44 ahead of everything else? fwiw: if the network is directly connected, then the firewall knows about that network.
    netmin
    New Member
    May 9, 2014
    ... and take a look at policy route #3 - it is forcing part (/24) of the LAN_HQ traffic out to port1 - including the IP .241
    Jeff_the_Network_Guy
    New Member
    May 9, 2014
    Netmin: You're right about policy route three, it is intentional. We want all undefined traffic from 192.168.0.0 to go out one WAN, and all traffic from 192.168.[1-3].0 to go out a different WAN connection.
    netmin
    New Member
    May 9, 2014
    Jeff, pbr #3 is the reason all your traffic intended for port6 is snat'd to an external ip on port1 instead of being routed to port6. It looks like port1 is your default route candidate, so pbr #3 should not be required. In your previous configuration, pbr #23 took precedence over pbr #3. However in pbr #23 you specified 10.1.10.1 as next hop gateway (outside the fortigate), but actually 10.1.10.1 appears to be the interface ip of port6, hence the iprope_in_check message - like an attempt to force the fortigate to be its own next hop gateway. Without pbr #3 and without pbr #23 it should be working fine - with correct firewall policies in place.
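The two faults netmin describes (a policy route whose gateway is the FortiGate's own interface address, and a catch-all policy route that beats the connected route for a directly attached network) can both be caught by walking the policy route list in order against the connected routing table. The script below is an added example written for this page, not FortiOS code or anything the posters wrote. It parses a constructed subset of the `config router policy` and `get router info routing-table connected` output from this thread (policies 23, 2 and 3, in the order they appear), and, because neither command prints interface addresses, takes the port6 address `10.1.10.1` as a hand-supplied assumption, which is what the thread concluded. Function names are ours.

```python
"""Sanity-check FortiOS policy routes against connected routes (added example)."""
import re
from ipaddress import ip_address, ip_network

# Constructed subset of the thread's "config router policy", in evaluation order.
POLICY_CONFIG = """
config router policy
    edit 23
        set input-device "LAN_Aggr"
        set src 192.168.0.0 255.255.252.0
        set dst 10.1.10.0 255.255.255.0
        set gateway 10.1.10.1
        set output-device "port6"
    next
    edit 2
        set input-device "LAN_Aggr"
        set src 192.168.1.0 255.255.255.0
        set gateway 24.123.126.33
        set output-device "port3"
        set comments "PC Traffic to TWC"
    next
    edit 3
        set input-device "LAN_Aggr"
        set src 192.168.0.0 255.255.255.0
        set gateway 209.221.7.97
        set output-device "port1"
        set comments "Server traffic to EXP"
    next
end
"""

# Constructed excerpt of "get router info routing-table connected".
CONNECTED_OUTPUT = """
C 10.1.10.0/24 is directly connected, port6
C 192.168.0.0/22 is directly connected, LAN_Aggr
"""

# Assumption: interface addresses are supplied by hand (thread: 10.1.10.1 is port6).
INTERFACE_IPS = {"10.1.10.1": "port6"}

EDIT_RE = re.compile(r"edit\s+(\d+)(.*?)\bnext\b", re.S)
SET_RE = re.compile(r'set\s+([\w-]+)\s+((?:"[^"]*"|[\d.]+)(?:\s+(?:"[^"]*"|[\d.]+))*)')
CONN_RE = re.compile(r"^C\s+([\d.]+/\d+)\s+is directly connected,\s+(\S+)", re.M)


def _net(value):
    # "192.168.0.0 255.255.252.0" -> IPv4Network("192.168.0.0/22"); None stays None
    return ip_network(value.replace(" ", "/"), strict=False) if value else None


def parse_policy_routes(text):
    """Policy routes as dicts, in the order FortiOS evaluates them (first match wins)."""
    policies = []
    for pid, body in EDIT_RE.findall(text):
        attrs = {k: v.replace('"', "").strip() for k, v in SET_RE.findall(body)}
        policies.append({
            "id": int(pid),
            "input_device": attrs.get("input-device"),
            "src": _net(attrs.get("src")),
            "dst": _net(attrs.get("dst")),  # None = any destination (catch-all)
            "gateway": attrs.get("gateway"),
            "output_device": attrs.get("output-device"),
        })
    return policies


def parse_connected_routes(text):
    return [(ip_network(net), intf) for net, intf in CONN_RE.findall(text)]


def first_matching_policy(policies, src_ip, dst_ip, in_intf):
    """First policy route whose input device, src and dst all match the flow."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if p["input_device"] != in_intf:
            continue
        if p["src"] is not None and src not in p["src"]:
            continue
        if p["dst"] is not None and dst not in p["dst"]:
            continue
        return p
    return None


def connected_interface(connected, dst_ip):
    """Longest-prefix match of dst_ip against the connected routes."""
    dst = ip_address(dst_ip)
    hits = [(net, intf) for net, intf in connected if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def diagnose(policies, connected, intf_ips, src_ip, dst_ip, in_intf):
    """Explain what happens to one flow and flag the two misconfigurations."""
    findings = []
    p = first_matching_policy(policies, src_ip, dst_ip, in_intf)
    conn = connected_interface(connected, dst_ip)
    if p is None:
        msg = "no policy route matches; the routing table decides"
        if conn:
            msg += " (%s is directly connected on %s)" % conn
        return [msg]
    if p["gateway"] in intf_ips:  # next hop is the firewall itself -> local-in, dropped
        findings.append("policy route %d: gateway %s is the firewall's own address on %s, so the "
                        "packet goes to local-in and is dropped (iprope_in_check)"
                        % (p["id"], p["gateway"], intf_ips[p["gateway"]]))
    if conn and p["output_device"] != conn[1]:  # PBR overrides a connected route
        findings.append("policy route %d%s: sends %s out %s although %s is directly connected on %s"
                        % (p["id"], " (catch-all, no dst)" if p["dst"] is None else "",
                           dst_ip, p["output_device"], conn[0], conn[1]))
    return findings or ["policy route %d: nothing suspicious" % p["id"]]


if __name__ == "__main__":
    policies = parse_policy_routes(POLICY_CONFIG)
    connected = parse_connected_routes(CONNECTED_OUTPUT)
    for label, keep in (("as posted", policies),
                        ("without 23", [p for p in policies if p["id"] != 23]),
                        ("without 23 and 3", [p for p in policies if p["id"] not in (23, 3)])):
        print(label + ":")
        for f in diagnose(keep, connected, INTERFACE_IPS, "192.168.0.241", "10.1.10.106", "LAN_Aggr"):
            print("   ", f)
```

For the flow in the thread (192.168.0.241 to 10.1.10.106 arriving on LAN_Aggr) the three runs reproduce the three states seen in the debug output: with policy 23 present, the gateway is the firewall's own port6 address; with only policy 3 left, the catch-all sends a directly connected destination out port1 (where the Internet policy then SNATs it); with both removed, no policy route matches and the connected route on port6 carries the traffic.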
    Jeff_the_Network_Guy
    New Member
    May 9, 2014
    Gah! You're right Netmin. I removed the two PBRs (#3 & #23) and it all started working. I was trying to get too cute. I had too many PBRs because I was trying to make sure certain traffic went to certain WAN interfaces without thinking about my default route.