Solution
The following debug flow output may be seen when troubleshooting a VIP:
Debug output:
FGT1 # 2024-10-08 13:10:37 id=65308 trace_id=1 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=6, 10.10.10.10:56414->20.20.20.20:22) tun_id=0.0.0.0 from port1. flag [S], seq 2020481783, ack 0, win 64240"
2024-10-08 13:10:37 id=65308 trace_id=1 func=init_ip_session_common line=6063 msg="allocate a new session-08bacf6c"
2024-10-08 13:10:37 id=65308 trace_id=1 func=iprope_dnat_check line=5474 msg="in-[port1], out-[]"
2024-10-08 13:10:37 id=65308 trace_id=1 func=iprope_dnat_tree_check line=834 msg="len=2"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_dnat_policy line=5337 msg="checking gnum-100000 policy-1"
2024-10-08 13:10:37 id=65308 trace_id=1 func=get_new_addr line=1265 msg="find DNAT: IP-30.30.30.30, port-0(fixed port)"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_dnat_policy line=5429 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
2024-10-08 13:10:37 id=65308 trace_id=1 func=iprope_dnat_check line=5499 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000104"
2024-10-08 13:10:37 id=65308 trace_id=1 func=fw_pre_route_handler line=187 msg="VIP-30.30.30.30:22, outdev-unknown"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__ip_session_run_tuple line=3442 msg="DNAT 20.20.20.20::22->30.30.30.30:22"
2024-10-08 13:10:37 id=65308 trace_id=1 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-30.30.30.30 via port2"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_fwd_check line=807 msg="in-[port1], out-[port2], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=19, len=10"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-4294967295, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-93, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-94, ret-matched, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2156 msg="failed to match vid-1"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-95, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-96, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-97, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-98, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-99, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-92, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_user_identity_check line=1894 msg="ret-matched"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2365 msg="policy-0 is matched, act-drop"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_fwd_check line=844 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-10-08 13:10:37 id=65308 trace_id=1 func=iprope_fwd_auth_check line=873 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-10-08 13:10:37 id=65308 trace_id=1 func=iprope_shaping_check line=971 msg="in-[port1], out-[port2], skb_flags-020000c0, vid-1"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check line=2395 msg="gnum-100015, check-ffffffffa002dcc0"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100015 policy-3, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100015 policy-1, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check_one_policy line=2131 msg="checked gnum-100015 policy-2, ret-no-match, act-accept"
2024-10-08 13:10:37 id=65308 trace_id=1 func=__iprope_check line=2412 msg="gnum-100015 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2024-10-08 13:10:37 id=65308 trace_id=1 func=iprope_policy_group_check line=4892 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2024-10-08 13:10:37 id=65308 trace_id=1 func=fw_forward_handler line=829 msg="Denied by forward policy check (policy 0)"
A VIP configured with one-to-one mapping will override a VIP configured with port forwarding.
One-to-one Mapping:

Port Forwarding:
Policy:
The one-to-one VIP mapping will override port forwarding, and the debug flow will show 'failed to match vid-1'.
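To spot this condition in a captured trace, the following added example (not part of the original article) parses debug flow lines and reports the DNAT that was applied, any policy that matched but was discarded with 'failed to match vid-N', and the policy that finally denied the session. The sample lines are excerpted from the trace above with the timestamp and id prefix trimmed; the function name and result keys are assumptions of this example.

```python
import re

# Lines excerpted from the debug flow on this page (timestamp/id prefix trimmed).
SAMPLE = '''\
func=__iprope_check_one_dnat_policy line=5429 msg="matched policy-1, act=accept, vip=1, flag=104, sflag=2000000"
func=__ip_session_run_tuple line=3442 msg="DNAT 20.20.20.20::22->30.30.30.30:22"
func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-93, ret-no-match, act-accept"
func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-94, ret-matched, act-accept"
func=__iprope_check_one_policy line=2156 msg="failed to match vid-1"
func=__iprope_check_one_policy line=2131 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
func=fw_forward_handler line=829 msg="Denied by forward policy check (policy 0)"
'''

MSG = re.compile(r'func=\S+ line=\d+ msg="([^"]*)"')
DNAT = re.compile(r'^DNAT (\S+)->(\S+)$')
CHECKED = re.compile(r'^checked gnum-\d+ policy-(\d+), ret-matched')
VID_FAIL = re.compile(r'^failed to match vid-(\d+)$')
DENIED = re.compile(r'^Denied by forward policy check \(policy (\d+)\)$')

def analyze_flow(text):
    """Summarise one trace: DNAT applied, policies rejected on VIP id, final deny."""
    result = {"dnat": None, "vid_mismatch": [], "denied_by": None}
    last_matched = None  # most recent policy reported as ret-matched
    for msg in MSG.findall(text):
        if m := DNAT.match(msg):
            result["dnat"] = (m.group(1), m.group(2))
        elif m := CHECKED.match(msg):
            last_matched = int(m.group(1))
        elif m := VID_FAIL.match(msg):
            # The preceding ret-matched policy was discarded: it matched on
            # its other criteria but not on the VIP id chosen at the DNAT step.
            result["vid_mismatch"].append((last_matched, int(m.group(1))))
            last_matched = None
        elif m := DENIED.match(msg):
            result["denied_by"] = int(m.group(1))
    return result

if __name__ == "__main__":
    # For the excerpt: policy 94 is rejected on vid 1, then policy 0 denies.
    print(analyze_flow(SAMPLE))
```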
Remember that when using one-to-one mapping, the traffic must be controlled from the policy. To allow port 22 as in the example given, configure the policy as shown below:
