The machine behind FortiGate 1 was unable to reach the destination because of the msg="reverse path check fail, drop".

FortiGate 1:
# get router info routing-table ospf
Routing table for VRF=0
O 10.26.20.13/32 [110/200] via 10.10.1.2, IPSec_Tunnel, 06:32:44

id=20085 trace_id=4216 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=1, 10.247.2.52:1->10.26.20.13:2048) from port4. type=8, code=0, id=1, seq=9060."
id=20085 trace_id=4216 func=init_ip_session_common line=5871 msg="allocate a new session-016745ba"
id=20085 trace_id=4216 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-10.10.1.2 via IPSec_Tunnel"
id=20085 trace_id=4216 func=fw_forward_handler line=796 msg="Allowed by Policy-26: SNAT"
id=20085 trace_id=4216 func=__ip_session_run_tuple line=3478 msg="SNAT 10.247.2.52->172.16.53.52:60417"
id=20085 trace_id=4216 func=ipd_post_route_handler line=490 msg="out IPSec_Tunnel vwl_zone_id 0, state2 0x0, quality 0."

FortiGate 2:
id=20085 trace_id=47 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 172.16.53.52:60417->10.26.20.13:2048) from IPSec_Tunnel. type=8, code=0, id=60417, seq=9060."
id=20085 trace_id=47 func=init_ip_session_common line=5534 msg="allocate a new session-001d1e6e"
id=20085 trace_id=47 func=ip_route_input_slow line=2242 msg="reverse path check fail, drop"
id=20085 trace_id=47 func=ip_session_handle_no_dst line=5609 msg="trace" next

1) From FortiGate 1, configure a blackhole static route for 172.16.52.0/22, the range that contains the SNAT address 172.16.53.52:
# config router static
edit 0
set dst 172.16.52.0 255.255.252.0
set blackhole enable
next
end

2) From FortiGate 1, enable redistribute static under the OSPF configuration:
# config router ospf
config redistribute "static"
set status enable
end
end

FortiGate 2:
# get router info routing-table ospf
O E2 172.16.52.0/22 [110/10] via 10.10.1.1, IPSec_Tunnel, 00:04:46

id=20085 trace_id=88 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 172.16.53.52:60417->10.26.20.13:2048) from IPSec_Tunnel. type=8, code=0, id=60417, seq=9085."
id=20085 trace_id=88 func=resolve_ip_tuple_fast line=5450 msg="Find an existing session, id-001d53f6, original direction"
id=20085 trace_id=89 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 10.26.20.13:60417->172.16.53.52:0) from local. type=0, code=0, id=60417, seq=9085."
id=20085 trace_id=89 func=resolve_ip_tuple_fast line=5450 msg="Find an existing session, id-001d53f6, reply direction"
id=20085 trace_id=89 func=ipsecdev_hard_start_xmit line=640 msg="enter IPsec interface-IPSec_Tunnel"
id=20085 trace_id=89 func=esp_output4 line=895 msg="IPsec encrypt/auth"

Note: Now that FortiGate 2 knows how to route back to the source IP, the problem is solved.

Testing Scenario 2: Ping from the Loopback interface IP on FortiGate 2 to the host behind FortiGate 1.
# execute ping-options source 10.26.20.13
# execute ping 172.16.53.52
PING 172.16.53.52 (172.16.53.52): 56 data bytes
64 bytes from 172.16.53.52: icmp_seq=0 ttl=127 time=1.7 ms
64 bytes from 172.16.53.52: icmp_seq=1 ttl=127 time=1.6 ms
64 bytes from 172.16.53.52: icmp_seq=2 ttl=127 time=1.7 ms
64 bytes from 172.16.53.52: icmp_seq=3 ttl=127 time=1.7 ms
64 bytes from 172.16.53.52: icmp_seq=4 ttl=127 time=1.7 ms
--- 172.16.53.52 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 1.6/1.6/1.7 ms

FortiGate 1:
# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
C 10.10.1.0/30 is directly connected, IPSec_Tunnel
C 10.10.1.1/32 is directly connected, IPSec_Tunnel
O 10.26.20.13/32 [110/200] via 10.10.1.2, IPSec_Tunnel, 00:09:25
C 10.247.0.0/22 is directly connected, port4
S 172.16.52.0/22 [10/0] is a summary, Null

id=20085 trace_id=4288 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=1, 10.26.20.13:2560->172.16.53.52:2048) from IPSec_Tunnel. type=8, code=0, id=2560, seq=0."
id=20085 trace_id=4288 func=init_ip_session_common line=5871 msg="allocate a new session-0167a822"
id=20085 trace_id=4288 func=fw_pre_route_handler line=182 msg="VIP-10.247.2.52:2560, outdev-unknown"
id=20085 trace_id=4288 func=__ip_session_run_tuple line=3492 msg="DNAT 172.16.53.52:8->10.247.2.52:2560"
id=20085 trace_id=4288 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.247.2.52 via port4"
id=20085 trace_id=4288 func=fw_forward_handler line=796 msg="Allowed by Policy-27:"
id=20085 trace_id=4288 func=ipd_post_route_handler line=490 msg="out port4 vwl_zone_id 0, state2 0x0, quality 0."
id=20085 trace_id=4289 func=print_pkt_detail line=5700 msg="vd-root:0 received a packet(proto=1, 10.247.2.52:2560->10.26.20.13:0) from port4. type=0, code=0, id=2560, seq=0."
id=20085 trace_id=4289 func=resolve_ip_tuple_fast line=5781 msg="Find an existing session, id-0167a822, reply direction"
id=20085 trace_id=4289 func=vf_ip_route_input_common line=2584 msg="find a route: flag=04000000 gw-10.10.1.2 via IPSec_Tunnel"
id=20085 trace_id=4289 func=npu_handle_session44 line=1160 msg="Trying to offloading session from port4 to IPSec_Tunnel, skb.npu_flag=00000000 ses.state=00004200 ses.npu_state=0x03040000"
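The reverse path check walked through above, as an added example that is not part of the original article: it parses a print_pkt_detail debug-flow line and a routing-table listing, then emulates the check in both loose and strict mode to show why FortiGate 2 dropped the SNATed packet before the O E2 route existed and accepts it afterwards. The routing-table lines and the "Loopback" interface name are constructed assumptions; the debug line is the one from the article.

```python
import ipaddress
import re

# Constructed sample: FortiGate 2's routing table in "get router info routing-table all"
# format, before and after FortiGate 1 redistributed its blackhole route into OSPF.
# The loopback interface name "Loopback" is an assumption.
RIB_BEFORE = """\
C 10.10.1.0/30 is directly connected, IPSec_Tunnel
C 10.26.20.13/32 is directly connected, Loopback
"""
RIB_AFTER = RIB_BEFORE + "O E2 172.16.52.0/22 [110/10] via 10.10.1.1, IPSec_Tunnel, 00:04:46\n"

# The print_pkt_detail line FortiGate 2 logged for the SNATed packet (taken from the article).
DEBUG_LINE = ('id=20085 trace_id=47 func=print_pkt_detail line=5375 msg="vd-root received a '
              'packet(proto=1, 172.16.53.52:60417->10.26.20.13:2048) from IPSec_Tunnel. '
              'type=8, code=0, id=60417, seq=9060."')

ROUTE_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+).*?(?:via \S+, |directly connected, )(\w+)")
PKT_RE = re.compile(r"received a packet\(proto=\d+, (\d+\.\d+\.\d+\.\d+):\d+->"
                    r"(\d+\.\d+\.\d+\.\d+):\d+\) from (\w+)\.")

def parse_rib(text):
    """Return [(network, egress_interface)] for each forwarding route in the output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if m:  # header lines and blackhole routes ("is a summary, Null") carry no interface
            routes.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return routes

def rpf_check(routes, src_ip, ingress, strict=False):
    """Emulate the reverse path check for a packet from src_ip that arrived on ingress.
    Loose (FortiGate default): pass if ANY route to the source exits via ingress.
    Strict: pass only if the BEST (longest-prefix) route exits via ingress."""
    src = ipaddress.ip_address(src_ip)
    matches = [(net, iface) for net, iface in routes if src in net]
    if not matches:
        return False  # no route back to the source at all: "reverse path check fail, drop"
    if strict:
        return max(matches, key=lambda r: r[0].prefixlen)[1] == ingress
    return any(iface == ingress for _, iface in matches)

def triage(debug_line, rib_text, strict=False):
    """Parse a print_pkt_detail line; return (src, ingress, rpf_passes)."""
    m = PKT_RE.search(debug_line)
    if not m:
        raise ValueError("not a print_pkt_detail line")
    src, _dst, ingress = m.groups()
    return src, ingress, rpf_check(parse_rib(rib_text), src, ingress, strict)
```

Run triage(DEBUG_LINE, RIB_BEFORE) against a real "routing-table all" dump to confirm the drop reason before touching policies; the strict mode also flags the asymmetric case where the best route to the source leaves through a different interface than the packet arrived on.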
Copyright 2024 Fortinet, Inc. All Rights Reserved.