Description
This article describes the message 'pre_route_auth check fail(id=0), drop ' while accessing the VIP Hair-Pin NAT.
Solution
This article describes the message 'pre_route_auth check fail(id=0), drop ' while accessing the VIP Hair-Pin NAT.
Solution
Topology.
Normally, internal users will use the private IP to connect with the internal site.
However, if the users try to connect the server with the Public IP.
Sometimes we encounter the error 'pre_route_auth check fail(id=0), drop'.
Debug output.
- If the server mapped IP is configured as a interface IP.
- Server is in same segment LAN.
Debug output.
FortiGate-Chetu # 2021-06-30 22:48:48 id=20085 trace_id=271 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6, 10.10.9.89:62069->10.5.22.236:1234) from port2. flag [S], seq 3045938977, ack 0, win 64240"Caveats.
2021-06-30 22:48:48 id=20085 trace_id=271 func=init_ip_session_common line=5792 msg="allocate a new session-0042d392"
2021-06-30 22:48:48 id=20085 trace_id=271 func=_pre_route_auth line=105 msg="pre_route_auth check fail(id=0), drop"
- If the server mapped IP is configured as a interface IP.
- Server is in same segment LAN.
Solution.
- Create a policy from PORT2 (Internal-interface) to PORT1 (External-interface) which will activate the Hair-Pin NAT.
- Create a policy from PORT2 (Internal-interface) to PORT1 (External-interface) which will activate the Hair-Pin NAT.
Tip: When the interface is mapped, the local interface is created so, 'match-vip' and 'nat-source-vip' will not take effect when the 'user & server' is in the same segment.
