FortiGate
smaruvala
Staff
Article Id 323479
Description This article describes why the hit count and byte count of a policy-based VPN policy are not updated.
Scope Policy-based VPN.
Solution
  • The firewall is configured with a policy-based VPN using the 'set inbound enable' command. Below is an example of the configuration:

 

config firewall policy
    edit 1
        set name "Site-A"
        set uuid 6646e208-1030-51ef-6c5d-b7df2786104d
        set srcintf "Internal"
        set dstintf "Untrust"
        set action ipsec
        set srcaddr "DC_Subnet"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set inbound enable
        set vpntunnel "Site-A"
    next
end


config firewall address
    edit "DC_Subnet"
        set uuid 5879acb0-102f-51ef-669a-b065daedab43
        set subnet 10.186.0.0 255.255.240.0
    next
end

  • Even though traffic matches the policy, the hit count and byte count shown for it do not increase.

(Screenshot Hit_count.PNG: the policy's hit count and bytes as shown in the GUI.)


  • The session details show the traffic originating from the remote (destination) side: the originating tuple (dir=org) runs from 10.203.15.66 to 10.186.15.68, an address inside DC_Subnet. Because 'set inbound enable' is configured, this inbound traffic matches the same policy that is used for the VPN communication.


session info: proto=1 proto_state=00 duration=47 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/Site-A tun_id=0.0.0.0/10.8.11.129 vlan_cos=0/255
state=log re may_dirty npu f00
statistic(bytes/packets/allow_err): org=58944/48/1 reply=58944/48/1 tuples=2
tx speed(Bps/kbps): 1236/9 rx speed(Bps/kbps): 1236/9
orgin->sink: org pre->post, reply pre->post dev=4->6/6->4 gwy=0.0.0.0/10.8.11.129
hook=pre dir=org act=noop 10.203.15.66:1->10.186.15.68:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.186.15.68:1->10.203.15.66:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15747 auth_info=0 chk_client_info=0 vd=0
serial=009e25f2 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x2000100
npu info: flag=0x00/0x82, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): none/not-established, none(0)/none(0)
npu_state_err=00/04
total session 1


  • Because this traffic reaches the firewall in the reverse direction to the policy (remote peer to DC_Subnet), its hit and byte counts are incremented in iprope group 00100003 instead. See the Technical Tip: Iprope policies group for information on iprope groups. Two consecutive runs below show pkts and bytes increasing for policy 1 in that group:


Hub # diagnose firewall iprope show 00100003 1
idx:1
pkts:1244 (1244 0 0 0 0 0 0 0)
bytes:1527632 (1527632 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:6 (6 0 0 0 0 0 0 0)
first hit:2024-07-01 09:33:42 last hit:2024-07-01 09:36:09

Hub # diagnose firewall iprope show 00100003 1
idx:1
pkts:1250 (1250 0 0 0 0 0 0 0)
bytes:1535000 (1535000 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:6 (6 0 0 0 0 0 0 0)
first hit:2024-07-01 09:33:42 last hit:2024-07-01 09:36:09


  • The FortiGate GUI does not read the hit count and byte information from iprope group 00100003. Because of this, the counters displayed on the policy do not increment even though the policy is passing traffic.
  • The issue was fixed in v7.2.9, v7.4.5 and v7.6.1.
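As an added example (not part of this article or of FortiOS), the following Python parses the session and iprope output quoted above: it classifies the session as forward or reverse relative to the policy's srcaddr, and checks whether the counters in group 00100003 moved between the two snapshots. The sample text is copied from the output above; the function names and the 'forward'/'reverse' labels are this example's own.

```python
"""Added example for this article (not Fortinet code): parse the FortiOS output
quoted above to show (1) why the session counts as 'reverse' for the policy and
(2) that the policy counters in iprope group 00100003 are moving even though the
GUI hit count is not. Sample text is copied from the article's own output; the
helper names and the 'forward'/'reverse' labels are this example's own."""
import ipaddress
import re

# srcaddr of policy 1 ("DC_Subnet" = 10.186.0.0 255.255.240.0).
POLICY_SRCADDR = ipaddress.ip_network("10.186.0.0/20")

# Relevant lines from the 'diagnose sys session list' output in the article.
SESSION_INFO = """\
session info: proto=1 proto_state=00 duration=47 expire=59 timeout=0 flags=00000000
class_id=0 ha_id=0 policy_dir=0 tunnel=/Site-A tun_id=0.0.0.0/10.8.11.129 vlan_cos=0/255
hook=pre dir=org act=noop 10.203.15.66:1->10.186.15.68:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.186.15.68:1->10.203.15.66:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=15747 auth_info=0 chk_client_info=0 vd=0
"""

# Two consecutive 'diagnose firewall iprope show 00100003 1' runs from the article.
IPROPE_SNAPSHOT_1 = """\
idx:1
pkts:1244 (1244 0 0 0 0 0 0 0)
bytes:1527632 (1527632 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:6 (6 0 0 0 0 0 0 0)
first hit:2024-07-01 09:33:42 last hit:2024-07-01 09:36:09
"""
IPROPE_SNAPSHOT_2 = """\
idx:1
pkts:1250 (1250 0 0 0 0 0 0 0)
bytes:1535000 (1535000 0 0 0 0 0 0 0)
asic_pkts:0 (0 0 0 0 0 0 0 0)
asic_bytes:0 (0 0 0 0 0 0 0 0)
flag:0x0
hit count:6 (6 0 0 0 0 0 0 0)
first hit:2024-07-01 09:33:42 last hit:2024-07-01 09:36:09
"""

TUPLE_RE = re.compile(
    r"hook=(?P<hook>\w+) dir=(?P<dir>\w+) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# Anchored at line start so asic_pkts/asic_bytes (separate counters) are skipped.
COUNTER_RE = re.compile(r"^(pkts|bytes|hit count):(\d+)", re.MULTILINE)


def session_direction(session_text, policy_srcaddr):
    """Classify the session relative to the policy: 'forward' when the originating
    side (dir=org) sits inside the policy's srcaddr, 'reverse' when the remote peer
    started it (the case that only matches because of 'set inbound enable')."""
    for m in TUPLE_RE.finditer(session_text):
        if m.group("dir") == "org":
            src = ipaddress.ip_address(m.group("src"))
            return "forward" if src in policy_srcaddr else "reverse"
    raise ValueError("no originating (dir=org) tuple in session output")


def session_policy_id(session_text):
    """Return the policy_id the session was matched against."""
    m = re.search(r"\bpolicy_id=(\d+)", session_text)
    if not m:
        raise ValueError("no policy_id in session output")
    return int(m.group(1))


def parse_iprope(text):
    """Pull pkts, bytes and hit count out of 'diagnose firewall iprope show' output."""
    return {key: int(value) for key, value in COUNTER_RE.findall(text)}


def counter_delta(before, after):
    """Per-counter difference between two snapshots of the same iprope entry."""
    a, b = parse_iprope(before), parse_iprope(after)
    return {key: b[key] - a[key] for key in a}


def policy_is_passing_traffic(before, after):
    """True when pkts or bytes grew between snapshots, i.e. the policy is in use
    regardless of what the GUI counter displays."""
    d = counter_delta(before, after)
    return d["pkts"] > 0 or d["bytes"] > 0


if __name__ == "__main__":
    print("direction:", session_direction(SESSION_INFO, POLICY_SRCADDR))
    print("policy_id:", session_policy_id(SESSION_INFO))
    print("delta:", counter_delta(IPROPE_SNAPSHOT_1, IPROPE_SNAPSHOT_2))
    print("in use:", policy_is_passing_traffic(IPROPE_SNAPSHOT_1, IPROPE_SNAPSHOT_2))
```

Run it as a script to print the verdicts for the article's output, or paste in fresh output captured from 'diagnose sys session list' and 'diagnose firewall iprope show 00100003 <policy-id>'. A growing pkts/bytes delta in that group while the GUI counter stays flat is the symptom this article describes; note that across the two snapshots above the hit count stayed at 6 while pkts and bytes grew, because the existing ICMP session kept passing packets.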