Solution
The following settings are used in this example:
SSL VPN port: 10443
External IP: 10.47.18.106
User name: Test
For testing purposes, use a Geo-Location object to allow the country Argentina and block all other countries' connections.
Geo-Location has been enabled as per the screenshot:
The SSL VPN connection attempt fails because it originates from a region other than the one that is allowed.
The debug flow shows the following output:
SPoke1 # id=65308 trace_id=101 func=print_pkt_detail line=5885 msg="vd-root:0 received a packet(proto=6, 10.232.0.2:61093->10.47.18.106:10443) tun_id=0.0.0.0 from port2. flag [S], seq 1156996435, ack 0, win 64240"
id=65308 trace_id=101 func=init_ip_session_common line=6071 msg="allocate a new session-00110104, tun_id=0.0.0.0"
id=65308 trace_id=101 func=iprope_dnat_check line=5459 msg="in-[port2], out-[]"
id=65308 trace_id=101 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=101 func=iprope_dnat_check line=5480 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=101 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
id=65308 trace_id=101 func=iprope_access_proxy_check line=458 msg="in-[port2], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=101 func=__iprope_check line=2391 msg="gnum-100017, check-000000001e1b6c26"
id=65308 trace_id=101 func=iprope_policy_group_check line=4886 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=101 func=__iprope_fwd_check line=801 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=101 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=35, len=2"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2128 msg="checked gnum-100004 policy-3, ret-matched, act-accept"
id=65308 trace_id=101 func=__iprope_user_identity_check line=1891 msg="ret-matched"
id=65308 trace_id=101 func=__iprope_check line=2391 msg="gnum-4e20, check-000000001e1b6c26"
id=65308 trace_id=101 func=get_new_addr line=1264 msg="find SNAT: IP-10.47.18.106(from IPPOOL), port-61093"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2361 msg="policy-3 is matched, act-accept"
id=65308 trace_id=101 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-3"
id=65308 trace_id=101 func=iprope_in_check line=495 msg="in-[port1], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=101 func=__iprope_check line=2391 msg="gnum-100011, check-00000000f3ceedd8"
id=65308 trace_id=101 func=iprope_policy_group_check line=4886 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-000000
.............................................
id=65308 trace_id=101 func=__iprope_check_one_policy line=2361 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=101 func=__iprope_check line=2408 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=101 func=iprope_policy_group_check line=4886 msg="after check: ret-matched, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=101 func=__iprope_check line=2391 msg="gnum-10000f, check-000000001e1b6c26"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2128 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=101 func=__iprope_check_one_policy line=2361 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=101 func=__iprope_check line=2408 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
id=65308 trace_id=101 func=iprope_policy_group_check line=4886 msg="after check: ret-matched, act-drop, flag-00000800, flag2-00000000"
id=65308 trace_id=101 func=fw_local_in_handler line=616 msg="iprope_in_check() check failed on policy 0, drop"
An iprope check failure can have multiple causes. See this article.
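A small parser for debug flow output like the trace above, as an added example that is not part of the original article or any Fortinet tooling: it splits entries that were pasted run together, tolerates a truncated entry, and reports each trace that fw_local_in_handler dropped along with the policy matches logged before the drop. The function names and the SAMPLE string (lines excerpted from the trace above) are this example's own.

```python
import re

# Every debug-flow entry starts with this header. Pasted output often has many
# entries run together on one line, so split on the header, not on newlines.
HEADER = re.compile(r'(?=id=\d+ trace_id=\d+ func=)')
ENTRY = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)', re.S)
PACKET = re.compile(
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\).* from (\w+)\.')
MATCHED = re.compile(r'policy-(\d+) is matched, act-(\w+)')

def parse_entries(text):
    """Yield (trace_id, func, msg); tolerates entries whose msg was cut off."""
    for chunk in HEADER.split(text):
        m = ENTRY.match(chunk)
        if m:
            # Keep text up to the closing quote; a truncated msg has none.
            yield m.group(1), m.group(2), m.group(3).split('"', 1)[0].strip()

def local_in_drops(text):
    """Return one summary per trace that fw_local_in_handler dropped."""
    traces = {}
    for trace_id, func, msg in parse_entries(text):
        t = traces.setdefault(trace_id, {"trace_id": trace_id, "packet": None,
                                         "policy_matches": [], "drop": None})
        pkt = PACKET.search(msg)
        if pkt:
            proto, src, _sport, dst, dport, intf = pkt.groups()
            t["packet"] = {"proto": int(proto), "src": src, "dst": dst,
                           "dport": int(dport), "in_intf": intf}
        hit = MATCHED.search(msg)
        if hit:
            t["policy_matches"].append((int(hit.group(1)), hit.group(2)))
        if func == "fw_local_in_handler" and msg.endswith("drop"):
            t["drop"] = msg
    return [t for t in traces.values() if t["drop"]]

# Sample input: lines excerpted from the trace above, run together and with
# the truncated entry and filler dots kept as they appear on the page.
SAMPLE = (
    'SPoke1 # id=65308 trace_id=101 func=print_pkt_detail line=5885 msg="vd-root:0 received a packet(proto=6, 10.232.0.2:61093->10.47.18.106:10443) tun_id=0.0.0.0 from port2. flag [S], seq 1156996435, ack 0, win 64240" '
    'id=65308 trace_id=101 func=__iprope_check_one_policy line=2361 msg="policy-3 is matched, act-accept" '
    'id=65308 trace_id=101 func=iprope_policy_group_check line=4886 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-000000\n'
    '............................................. id=65308 trace_id=101 func=__iprope_check_one_policy line=2361 msg="policy-4294967295 is matched, act-drop" '
    'id=65308 trace_id=101 func=fw_local_in_handler line=616 msg="iprope_in_check() check failed on policy 0, drop"'
)

if __name__ == "__main__":
    print(local_in_drops(SAMPLE))
```

On the sample, the summary shows the accept match on policy 3 followed by the act-drop match and the fw_local_in_handler drop, which is the pattern to look for in the full trace.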