FortiGate
sagha (Staff)
Article Id 209541
Description: This article describes one reason why VLAN-tagged packets are dropped on a FortiGate without any drop reason appearing in debug flow.
Scope: FortiOS, FortiGate
Solution:

In this scenario, the packets are visible in the sniffer, but debug flow shows nothing for them and therefore gives no reason for the drop.

 

When running the sniffer, the following can be seen:

 

FGT-1 # diagnose sniffer packet any 'net 172.16.0.0/16' 4 0 l
2022-03-01 17:39:50.344578 vlan11 in 172.16.0.10.59577 -> 20.42.73.24.443: udp 1250
2022-03-01 17:39:50.400449 vlan11 in 172.16.0.10 -> 8.8.8.8: icmp: echo request
2022-03-01 17:39:50.479703 vlan11 in 172.16.0.10.55182 -> 216.58.214.14.443: syn 191859534
2022-03-01 17:39:50.493458 vlan11 in 172.16.0.10.55183 -> 172.217.168.197.443: syn 2796426378

 

Traffic is reaching the FortiGate but is dropped instead of being forwarded. With the following debug flow filter and trace enabled, nothing is printed for this host:

 

FGT-1 # diagnose debug flow filter addr 172.16.0.10
FGT-1 # diagnose debug flow show iprope enable
show trace messages about iprope
FGT-1 # diagnose debug flow trace start 10000
FGT-1 # diagnose debug enable

 

Interface configuration: 

 

# config system interface
    edit "port2"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    edit "vlan11"
        set vdom "root"
        set ip 172.20.20.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set snmp-index 25
        set interface "port2"
        set vlanid 11
    next
end

 

Capture on the physical port (port2) rather than on the VLAN interface, so that the full Ethernet header including the 802.1Q tag is visible, and review the frames in Wireshark. Verbosity level 6 prints the Ethernet header and payload in hex; the output can be converted to a pcap with Fortinet's fgt2eth tool and opened in Wireshark:

FGT-1 # diagnose sniffer packet port2 'none' 6 0 l

 

Alternatively, run a packet capture from the GUI without any filter; it produces a pcap that can be opened in Wireshark directly.

 

The MAC addresses of the FortiGate interfaces, as shown by fnsysctl ifconfig, are as follows. Note that vlan11 inherits the MAC address of its parent interface port2, so frames tagged with VLAN 11 must be addressed to port2's MAC:

 

port2 Link encap:Ethernet HWaddr 00:09:0F:09:0A:03
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:4108985318 errors:0 dropped:0 overruns:0 frame:0
TX packets:3904232748 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3440494342753 (3204.2 GB) TX bytes:2079767696273 (1936.9 GB) 

 

vlan11 Link encap:Ethernet HWaddr 00:09:0F:09:0A:03
inet addr:172.20.20.1 Bcast:172.20.20.255 Mask:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:613875 errors:0 dropped:0 overruns:0 frame:0
TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:42956847 (40.10 MB) TX bytes:640 (640 Bytes)

 

In the Wireshark capture, the frame decodes as follows:

 

Ethernet II, Src: xxxx (xx:xx:xx:xx:xx:xx), Dst: Fortinet_09:0a:0a (00:09:0f:09:0a:0a)
Destination: Fortinet_09:0a:0a (00:09:0f:09:0a:0a)
Address: Fortinet_09:0a:0a (00:09:0f:09:0a:0a)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: xxx (xx:xx:xx:xx:xx:xx)
Address: xxxx (xx:xx:xx:xx:xx:xx)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 11
Internet Protocol Version 4, Src: 172.20.20.1, Dst: 20.42.73.24
Transmission Control Protocol, Src Port: 59577, Dst Port: 443, Seq: 0, Len: 0

 

The destination MAC address of this frame should be 00:09:0F:09:0A:03 (port2's address, which vlan11 shares), but the connecting device is sending it to 00:09:0f:09:0a:0a, a MAC that does not belong to the receiving port. The sniffer still shows the frame because it captures in promiscuous mode, but a unicast frame addressed to another MAC is discarded at layer 2 before it reaches the IP stack. That is why debug flow never reports the packet and no drop reason is available.


Why the connecting device sends the frames to the wrong MAC address must be investigated on that device: check its ARP or neighbour entry for the FortiGate's address on this VLAN (172.20.20.1) and, on a switch, its MAC address table for VLAN 11. It may be using the MAC address of another FortiGate interface, or a stale entry for an old FortiGate or other device that previously held this address. Clearing the stale entry, or waiting for it to age out, lets the device relearn the correct MAC.
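The following script is an added example, not Fortinet code and not part of the original article. It reproduces the layer-2 decision behind this drop: it rebuilds raw frames from constructed verbosity-6 sniffer output, decodes the Ethernet header and 802.1Q tag, and reports whether the receiving port would hand each frame to the IP stack (where debug flow could see it) or discard it because the destination MAC is not its own. The interface MACs are the ones quoted above; the frames, the source MAC 00:11:22:33:44:55 and the sniffer text are constructed, and the assumed hexdump layout ("0x0000", a tab, the hex words, a tab, the ASCII column) is an assumption about the sniffer's verbosity-6 format.

```python
"""Added example (not Fortinet code): show why 'diagnose sniffer' lists a VLAN-tagged
frame that 'diagnose debug flow' never reports.

The sniffer puts the port into promiscuous mode, so it prints every frame on the
wire. A frame only reaches the IP stack (and therefore iprope / debug flow) when
its destination MAC is the receiving port's own MAC, broadcast, or multicast.
Interface MACs are the ones quoted in the article; the frames and the verbosity-6
sniffer text are constructed, and the "0x0000<TAB>hex words<TAB>ascii" layout is an
assumption about that output format.
"""
import struct
from typing import Optional

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Interface -> MAC as 'fnsysctl ifconfig' showed it on the unit in the article.
# vlan11 inherits port2's MAC, so a frame tagged VLAN 11 must be sent to
# 00:09:0f:09:0a:03 to be accepted on port2.
FGT_INTERFACE_MACS = {"port2": "00:09:0f:09:0a:03", "vlan11": "00:09:0f:09:0a:03"}


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, vlan: Optional[int], payload: bytes,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Ethernet II frame, 802.1Q tagged (PRI 0, DEI 0) when vlan is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)  # TPID, TCI
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode dst/src MAC, the 802.1Q tag if present, and the inner ethertype."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_to_str(dst), "src": mac_to_str(src),
            "vlan": None, "pri": None, "dei": None}
    offset = 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("frame too short for an 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(vlan=tci & 0x0FFF, pri=tci >> 13, dei=(tci >> 12) & 1)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def classify(frame: bytes, ingress_port: str, macs: dict = FGT_INTERFACE_MACS) -> str:
    """'accepted' if the port hands the frame to the IP stack, else a 'dropped: ...' reason."""
    dst, port_mac = parse_frame(frame)["dst"], macs[ingress_port].lower()
    if dst in (BROADCAST, port_mac) or int(dst[:2], 16) & 1:  # ours, broadcast or multicast
        return "accepted"
    return f"dropped: dst {dst} is not {ingress_port} ({port_mac})"


def frames_from_sniffer(text: str) -> list:
    """Rebuild raw frames from 'diagnose sniffer packet <port> <filter> 6' output.

    A line not starting with '0x' is a packet summary and opens a new frame; each
    '0x' line contributes the hex words in its second tab-separated column.
    """
    frames, current = [], None
    for line in text.splitlines():
        if line.startswith("0x"):
            if current is None:
                current = []
                frames.append(current)
            current.extend(bytes.fromhex(w) for w in line.split("\t")[1].split())
        elif line.strip():
            current = []
            frames.append(current)
    return [b"".join(chunks) for chunks in frames if chunks]


# Constructed verbosity-6 output: one VLAN 11 frame arriving on port2 addressed
# to 00:09:0f:09:0a:0a instead of port2's 00:09:0f:09:0a:03 (source MAC is made up).
SNIFFER_V6_SAMPLE = (
    "2022-03-01 17:39:50.479703 port2 in 172.16.0.10.55182 -> 216.58.214.14.443: syn 191859534\n"
    "0x0000\t 0009 0f09 0a0a 0011 2233 4455 8100 000b\t......\"3DU....\n"
    "0x0010\t 0800 4500 0028\t..E..(\n"
)

if __name__ == "__main__":
    for frame in frames_from_sniffer(SNIFFER_V6_SAMPLE):
        info = parse_frame(frame)
        print(f"vlan={info['vlan']} dst={info['dst']} -> {classify(frame, 'port2')}")
```

To apply this to a real case, paste the verbosity-6 output of diagnose sniffer packet port2 'none' 6 into frames_from_sniffer and extend FGT_INTERFACE_MACS with the addresses from fnsysctl ifconfig; any frame reported as dropped with a VLAN ID that is configured on that port points at the neighbouring device's ARP or MAC table, exactly as in the case above. The multicast check is deliberately generous (all multicast is treated as accepted), since which groups a port actually subscribes to is outside what the article covers.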
