FortiGate
ckumar_FTNT
Staff
Article Id 191479

Description

 

This article describes the debug flow message 'pre_route_auth check fail(id=0), drop' that is seen when internal users access a server through its VIP (Hairpin NAT).

 

Scope

 

FortiGate.

Solution

 

Topology.

Normally, internal users connect to the internal server with its private IP. When users instead connect to the server with its public IP (the VIP external IP), the connection sometimes fails and the debug flow shows the error 'pre_route_auth check fail(id=0), drop'.

Debug output.

FortiGate-Chetu # 2021-06-30 22:48:48 id=20085 trace_id=271 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6, 10.10.9.89:62069->10.5.22.236:1234) from port2. flag [S], seq 3045938977, ack 0, win 64240"
2021-06-30 22:48:48 id=20085 trace_id=271 func=init_ip_session_common line=5792 msg="allocate a new session-0042d392"
2021-06-30 22:48:48 id=20085 trace_id=271 func=_pre_route_auth line=105 msg="pre_route_auth check fail(id=0), drop"

Here 10.10.9.89 is the internal user on port2 and 10.5.22.236:1234 is the VIP external IP and port. The session is allocated and then dropped at the pre-route check, before any firewall policy is matched (no 'find a route' or 'Allowed by Policy' line follows).

Caveats.

  • The server's public IP (the VIP external IP) is configured as an interface IP of the FortiGate.
  • The server is in the same LAN segment as the user.
 
Solution.

Create a firewall policy from port2 (internal interface) to port1 (external interface); this policy activates the Hairpin NAT.

Tip: when the VIP external IP is an interface address, the FortiGate treats the destination as one of its own local addresses, so the policy options 'match-vip' and 'nat-source-vip' do not take effect when the user and server are in the same segment; the explicit port2 to port1 policy above is required.
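The CLI equivalent of the fix described above, as an added example that is not part of the original article. It assumes the VIP external IP 10.5.22.236 is the address of port1 (the first caveat), that the server 10.10.9.50 sits on port2 in the same segment as the PC (the second caveat), and that the service port is 1234 as in the debug output; the object names, the mapped IP and the policy name are illustrative assumptions. The diagnose commands at the end reproduce the trace used in the article so the result of the change can be checked.

```fortios
# Added example, not from the original article. Object names, the mapped
# IP 10.10.9.50 and the policy name are assumptions for illustration.
# VIP whose external IP is port1's own interface address.
config firewall vip
    edit "VIP-Server-1234"
        set extip 10.5.22.236
        set extintf "port1"
        set portforward enable
        set mappedip "10.10.9.50"
        set extport 1234
        set mappedport 1234
    next
end

# Policy from the internal interface (port2) to the external interface
# (port1) with the VIP as destination, as the article's solution states.
# NAT is enabled so the server's replies return through the FortiGate
# instead of going directly to the PC in the same segment.
config firewall policy
    edit 0
        set name "LAN-to-VIP-Hairpin"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "VIP-Server-1234"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Verification: same debug flow trace as in the article, filtered on the
# VIP external IP and port. Reconnect from the PC while the trace runs.
diagnose debug reset
diagnose debug flow filter addr 10.5.22.236
diagnose debug flow filter port 1234
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# After the test, an "Allowed by Policy-<id>" line should appear in place of
# "pre_route_auth check fail(id=0), drop". Then stop the trace:
diagnose debug disable
diagnose debug reset
```

If the trace still ends at _pre_route_auth after the policy is added, confirm the policy is above any other port2 to port1 policy that would match the same source and that the VIP object, not an ordinary address object for 10.5.22.236, is the destination.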

 

In another case, traffic is dropped with the same error 'pre_route_auth check fail(id=0), drop' even though Hairpin NAT is configured as shown in the article Technical Tip: Configuring Hairpin NAT (VIP).

 

PC-->LAN-->WAN-->DMZ-->VIP server.

 

This happens when the policy from LAN to WAN is not configured properly: either WAN is not selected as the outgoing interface, or the VIP is selected as the destination. Make sure the VIP is not selected as the destination in the LAN to WAN policy; it is selected only in the WAN to DMZ policy.
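The misconfigured LAN to WAN policy beside the corrected pair of policies for the PC-->LAN-->WAN-->DMZ-->VIP server case, as an added example that is not part of the original article. The interface names lan, wan1 and dmz, the VIP object name and the policy names are assumptions; the service is left as ALL for brevity.

```fortios
# Added example, not from the original article. Interface names (lan,
# wan1, dmz), the VIP object and the policy names are assumptions.

# Misconfigured: the LAN-to-WAN policy carries the VIP as destination.
# Packets from the PC to the VIP external IP are dropped with
# "pre_route_auth check fail(id=0), drop".
config firewall policy
    edit 0
        set name "LAN-to-WAN-WRONG"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "VIP-DMZ-Server"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# Corrected: LAN-to-WAN with WAN as the outgoing interface and an ordinary
# destination (no VIP), and the VIP selected only in the WAN-to-DMZ policy.
config firewall policy
    edit 0
        set name "LAN-to-WAN"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set name "WAN-to-DMZ-VIP"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-DMZ-Server"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After replacing the wrong policy, delete or disable "LAN-to-WAN-WRONG" rather than leaving it above the corrected one, since policy evaluation is top-down and the first match wins.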