Description
This article describes the case where a RustDesk client outside a FortiGate unit cannot connect to a RustDesk instance behind the FortiGate unit.
With one RustDesk application behind the FortiGate unit and another RustDesk application outside it, the connection from the outside application to the one behind the FortiGate unit fails.
Make sure both RustDesk applications are downloaded from the same location, https://rustdesk.com.
Scope
FortiGate v7.2.x.
Solution
To investigate further, run the debug flow on the FortiGate unit with a filter on the public IP address of the outside RustDesk host, to see how packets flow between the FortiGate unit and that host.
In the debugging below, the RustDesk application is installed on a Windows PC outside the FortiGate unit with the public IP address 215.15.15.15. In the trace, 45.45.45.45 is the FortiGate unit's own public address and 192.168.1.145 is the RustDesk host behind it.
On the FortiGate unit CLI:
FGT # diagnose debug disable
FGT # diagnose debug reset
FGT # diagnose debug flow filter clear
FGT # diagnose debug flow trace stop
FGT # diagnose debug flow filter addr 215.15.15.15
FGT # diagnose debug flow show function-name enable
FGT # diagnose debug flow trace start 959595
FGT # diagnose debug console timestamp enable
FGT # diagnose debug enable
Then reproduce the RustDesk connection attempt from outside.
To stop debugging:
FGT # diagnose debug disable
FGT # diagnose debug reset
The relevant part of the debug output looks like this:
2023-09-15 15:54:04 id=65359 trace_id=6452 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 215.15.15.15:55895->45.45.45.45:62595) tun_id=0.0.0.0 from NET-M. flag [.], seq 2645455565, ack 4241457965, win 1026"
2023-09-15 15:54:04 id=65359 trace_id=6452 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-0199030a, reply direction"
2023-09-15 15:54:04 id=65359 trace_id=6452 func=tcp_anti_reply line=1116 msg="replay packet(seq_check), suspicious"
2023-09-15 15:54:04 id=65359 trace_id=6452 func=ip_session_core_in line=6639 msg="anti-replay check fails, drop"
2023-09-15 15:54:05 id=65359 trace_id=6453 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 192.168.1.145:62595->215.15.15.15:55895) tun_id=0.0.0.0 from lan. flag [S.], seq 4261657965, ack 2645455565, win 65535"
2023-09-15 15:54:05 id=65359 trace_id=6453 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-0199030a, original direction"
2023-09-15 15:54:05 id=65359 trace_id=6453 func=npu_handle_session44 line=1194 msg="Trying to offloading session from lan to NET-M, skb.npu_flag=00000000 ses.state=01000204 ses.npu_state=0x04000001"
2023-09-15 15:54:05 id=65359 trace_id=6453 func=fw_forward_dirty_handler line=414 msg="state=01000204, state2=00000001, npu_state=04000001"
2023-09-15 15:54:05 id=65359 trace_id=6453 func=__ip_session_run_tuple line=3510 msg="SNAT 192.168.1.145->45.45.45.45:62595"
2023-09-15 15:54:05 id=65359 trace_id=6454 func=print_pkt_detail line=5892 msg="vd-root:0 received a packet(proto=6, 215.15.15.15:55895->45.45.45.45:62595) tun_id=0.0.0.0 from NET-M. flag [.], seq 2645455565, ack 4241457965, win 4745"
2023-09-15 15:54:05 id=65359 trace_id=6454 func=resolve_ip_tuple_fast line=5980 msg="Find an existing session, id-0199030a, reply direction"
2023-09-15 15:54:05 id=65359 trace_id=6454 func=tcp_anti_reply line=1116 msg="replay packet(seq_check), suspicious"
2023-09-15 15:54:05 id=65359 trace_id=6454 func=ip_session_core_in line=6639 msg="anti-replay check fails, drop"
Reading the trace: the session id-0199030a was created in the original direction from the lan side (192.168.1.145:62595 to 215.15.15.15:55895), so the packets arriving from the outside RustDesk host are matched as the reply direction of an existing outbound session rather than as a new inbound connection. Those reply packets (trace_id 6452 and 6454) fail the TCP sequence check in tcp_anti_reply and are dropped by ip_session_core_in, while the host behind the FortiGate keeps retransmitting its SYN-ACK (flag [S.], trace_id 6453), so the handshake never completes. Note that the outside host's ack number, 4241457965, is not the SYN-ACK sequence number plus one (4261657965 + 1 = 4261657966); that is the kind of mismatch the seq_check rejects. Because the session belongs to the outbound policy, the fix is applied to the policy the inside host uses to reach the Internet.
To fix the issue:
Identify the ID of the firewall policy that the test PC with the RustDesk application behind the FortiGate unit uses to access the Internet. Then run the following CLI commands against that firewall policy ID.
On the FortiGate unit CLI:
FGT # config firewall policy
XX is the ID of the firewall policy that the PC with the RustDesk application uses to access the Internet.
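The article does not reproduce the commands that follow `config firewall policy`. The trace above names the drop reason as the anti-replay check, so the policy option concerned is the policy's anti-replay setting. The following is an added, complete version of the procedure written for this page; it is not copied from the Fortinet article. It locates the policy ID from the session table (using the addresses from this example's trace, 192.168.1.145 and 215.15.15.15), disables the anti-replay check on that one policy, verifies the change, and clears the stuck session so the next attempt starts fresh. XX stands for the policy ID found in step 1; the prompts shown are the usual FortiOS prompts for these contexts.

```fortios
## 1. Find the policy the inside RustDesk host uses to reach the outside peer.
##    Look for "policy_id=" in the matching session entry; that number is XX below.
FGT # diagnose sys session filter clear
FGT # diagnose sys session filter src 192.168.1.145
FGT # diagnose sys session filter dst 215.15.15.15
FGT # diagnose sys session list

## 2. Disable the TCP anti-replay (sequence) check on that policy only.
FGT # config firewall policy
FGT (policy) # edit XX
FGT (XX) # set anti-replay disable
FGT (XX) # next
FGT (policy) # end

## 3. Confirm the setting is present on the policy.
FGT # show firewall policy XX

## 4. Remove the stuck session (the filter from step 1 is still active, so only
##    sessions between these two hosts are cleared), then clear the filter.
FGT # diagnose sys session clear
FGT # diagnose sys session filter clear
```

Two caveats. Disabling anti-replay removes the TCP sequence sanity check for every session matched by that policy, so prefer a dedicated policy whose source address is just the RustDesk host rather than a broad LAN-to-WAN policy. And `diagnose sys session clear` honours the current session filter; run it before `diagnose sys session filter clear`, because with no filter set it clears every session on the unit.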
Then test connecting from the outside RustDesk application to the one behind the FortiGate unit again. The connection should now work as expected.
Copyright 2023 Fortinet, Inc. All Rights Reserved.