tonylin1
Staff
Article Id 242015
Description This article describes how enabling security-mode (captive portal) on a VIP's external interface (extintf) stops the Virtual IP from working.
Scope
Solution

Topology of Virtual IP:

2.2.2.245 ---> 2.2.2.220 (port2) FGT (port3) 3.3.3.244 ---> 3.3.3.243

Configuration of Virtual IP:

# config system interface
    edit "port2"
        set vdom "root"
        set ip 2.2.2.244 255.255.255.0
        set allowaccess ping fabric
        set type physical
        set snmp-index 2
    next
end

# config firewall vip
    edit "port2_VIP"
        set uuid 825807aa-8b35-51ed-c0f4-9bdf16054d79
        set extip 2.2.2.200
        set mappedip "3.3.3.243"
        set extintf "port2"
        set portforward enable
        set protocol icmp
    next
end

# config firewall policy
    edit 1
        set uuid 999b1b82-8b35-51ed-c0e3-3fc427d764cb
        set srcintf "port2"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "port2_VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Debug flow before security-mode is enabled on port2 (the VIP works: the packet is DNATed, routed out port3 and allowed by policy 1):

id=65308 trace_id=11 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 2.2.2.245:2048->2.2.2.200:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2048, seq=0."
id=65308 trace_id=11 func=init_ip_session_common line=6073 msg="allocate a new session-000128a6, tun_id=0.0.0.0"
id=65308 trace_id=11 func=get_new_addr line=1228 msg="find DNAT: IP-3.3.3.243, port-2048"
id=65308 trace_id=11 func=fw_pre_route_handler line=178 msg="VIP-3.3.3.243:2048, outdev-port2"
id=65308 trace_id=11 func=__ip_session_run_tuple line=3523 msg="DNAT 2.2.2.200:8->3.3.3.243:2048"
id=65308 trace_id=11 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-3.3.3.243 via port3"
id=65308 trace_id=11 func=fw_forward_handler line=918 msg="Allowed by Policy-1:"

If security-mode captive-portal is enabled on port2 (the VIP's external interface), the VIP stops working:

# config system interface
    edit "port2"
        set vdom "root"
        set ip 2.2.2.244 255.255.255.0
        set allowaccess ping fabric
        set type physical
        set security-mode captive-portal
        set snmp-index 2
    next
end

Debug flow with captive-portal enabled on port2 (the same packet is still DNATed and routed, but it is now denied by the forward policy check, policy 0, the implicit deny, instead of being allowed by policy 1):

id=65308 trace_id=14 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=1, 2.2.2.245:2304->2.2.2.200:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=2304, seq=0."
id=65308 trace_id=14 func=init_ip_session_common line=6073 msg="allocate a new session-0001294a, tun_id=0.0.0.0"
id=65308 trace_id=14 func=get_new_addr line=1228 msg="find DNAT: IP-3.3.3.243, port-2304"
id=65308 trace_id=14 func=fw_pre_route_handler line=178 msg="VIP-3.3.3.243:2304, outdev-port2"
id=65308 trace_id=14 func=__ip_session_run_tuple line=3523 msg="DNAT 2.2.2.200:8->3.3.3.243:2304"
id=65308 trace_id=14 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-3.3.3.243 via port3"
id=65308 trace_id=14 func=fw_forward_handler line=753 msg="Denied by forward policy check (policy 0)"
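As an added example (not part of this article and not a Fortinet tool), the following Python check parses flat FortiOS CLI blocks like the ones above and lists every VIP whose extintf has a security-mode other than the default "none", so the condition can be caught in a config review before traffic starts hitting policy 0. The sample config is constructed from this article's blocks; port3_VIP and interface port3's settings are invented control data.

```python
from collections import defaultdict

# Constructed sample modelled on this article's blocks; port3_VIP is an added control case.
SAMPLE_CONFIG = """\
config system interface
    edit "port2"
        set security-mode captive-portal
    next
    edit "port3"
    next
end
config firewall vip
    edit "port2_VIP"
        set extintf "port2"
    next
    edit "port3_VIP"
        set extintf "port3"
    next
end
"""

def parse_fortios(text):
    # Flat FortiOS CLI blocks -> {table: {entry: {key: [values]}}}; nested tables not handled.
    tables = defaultdict(dict)
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("# ")  # tolerate a leading "# " CLI prompt
        if line.startswith("config "):
            table = line[7:]
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tables[table][entry][key] = [v.strip('"') for v in value.split()]
        elif line == "next": entry = None
        elif line == "end": table = None
    return dict(tables)

def vips_behind_captive_portal(config_text):
    # (vip, extintf, mode) for each VIP whose external interface has security-mode != "none".
    cfg = parse_fortios(config_text)
    hits = []
    for name, vip in cfg.get("firewall vip", {}).items():
        extintf = vip.get("extintf", [""])[0]
        mode = cfg.get("system interface", {}).get(extintf, {}).get("security-mode", ["none"])[0]
        if mode != "none":
            hits.append((name, extintf, mode))
    return hits
```

Run it against a `show full-configuration` export (or the two relevant tables) and any VIP it reports will behave like port2_VIP in the second debug flow above.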
