Technical Tip: pre_route_auth check fail(id=0), drop (Hair-Pin NAT -VIP)

ckumar_FTNT · ‎07-01-2021

Description

This article describes the message 'pre_route_auth check fail(id=0), drop ' while accessing the VIP Hair-Pin NAT.

Scope

FortiGate.

Solution

Topology.

Normally, internal users will use the private IP to connect with the internal server.

However, if the users try to connect to the server with the Public IP.

Sometimes we encounter the error 'pre_route_auth check fail(id=0), drop'.

Debug output.

FortiGate-Chetu # 2021-06-30 22:48:48 id=20085 trace_id=271 func=print_pkt_detail line=5622 msg="vd-root:0 received a packet(proto=6, 10.10.9.89:62069->10.5.22.236:1234) from port2. flag [S], seq 3045938977, ack 0, win 64240"
2021-06-30 22:48:48 id=20085 trace_id=271 func=init_ip_session_common line=5792 msg="allocate a new session-0042d392"
2021-06-30 22:48:48 id=20085 trace_id=271 func=_pre_route_auth line=105 msg="pre_route_auth check fail(id=0), drop"

If the server's mapped IP is configured as an interface IP.
The server is in the same segment LAN.

Solution.

Create a policy from PORT2 (Internal-interface) to PORT1 (External-interface) which will activate the Hair-Pin NAT.

Note: When the client and server are on the same network segment, the options 'match-vip' and 'nat-source-vip' will not take effect.

In the other case, the traffic is also observed dropping with the same error: 'pre_route_auth check fail(id=0), drop', using normal configuration of Hairpin NAT as described in Technical Tip: Configuring Hairpin NAT (VIP).

PC -> LAN -> WAN -> DMZ -> VIP server.

This happens if the policy from LAN to WAN is not configured properly: either the interface WAN is not selected as the outgoing interface, or the VIP is selected as the destination. Make sure the VIP is not selected as the destination from the LAN to WAN policy, and that it is selected only in the WAN to DMZ policy.

Technical Tip: pre_route_auth check fail(id=0), drop (Hair-Pin NAT -VIP)

You are leaving our website