Solution

The topology above has two links between the FortiGate and a switch. On the FortiGate the two links are members of the redundant interface R1; on the switch side the two ports are configured as access ports.
The switch learns the FortiGate's MAC address only on the port connected to FortiGate port 2, not on the port connected to FortiGate port 3, because the two ports are members of a redundant interface and only the active member transmits.
In this case port 2 is the active member and port 3 is the standby (non-active) member.
In rare cases a packet can still reach the FortiGate on port 3, and the FortiGate processes it even though the switch never learned the FortiGate's MAC address on that port. This happens when the switch's MAC address table is full or when there is a broadcast storm in that VLAN, because in both situations the switch floods frames out of every port in the VLAN, including the port facing the standby member. The FortiGate then handles the same packet twice, which disrupts some applications and traffic. Use the following diagnostic commands to confirm that the FortiGate is processing packets on the non-active link.
Redundant interface configuration on the FortiGate:

config system interface
    edit "R1"
        set vdom "root"
        set ip 10.100.100.1 255.255.255.0
        set allowaccess ping
        set type redundant
        set member "port2" "port3"
        set lldp-transmission enable
        set snmp-index 11
    next
end
Check which member is currently active:

diagnose netlink redundant name R1
status: up
npu: n
flush: n
asic helper: y
ports: 2
link-up-delay: 50ms
priority-override: enable
MAC addr: 00:09:0f:09:0a:01
current slave: port2
slave: port2
    index: 0
    link status: up
    link failure count: 0
    permanent MAC addr: 50:02:00:01:00:01
slave: port3
    index: 1
    link status: up
    link failure count: 0
    permanent MAC addr: 50:02:00:01:00:02

The 'current slave: port2' line confirms that port2 is the active member. port3 is up but in standby, so in normal operation no packet should be reported as received from port3.
Debug flow output captured while pinging 10.100.100.10 from the FortiGate (the ping itself is shown further below):

2024-06-13 11:36:33 id=65308 trace_id=1 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 10.100.100.1:0->10.100.100.10:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=0, seq=0."
2024-06-13 11:36:33 id=65308 trace_id=1 func=init_ip_session_common line=6080 msg="allocate a new session-00000034, tun_id=0.0.0.0"
2024-06-13 11:36:33 id=65308 trace_id=1 func=iprope_dnat_check line=5281 msg="in-[], out-[R1]"
2024-06-13 11:36:33 id=65308 trace_id=1 func=iprope_dnat_tree_check line=824 msg="len=0"
2024-06-13 11:36:33 id=65308 trace_id=1 func=iprope_dnat_check line=5293 msg="result: skb_flags-00000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-06-13 11:36:33 id=65308 trace_id=1 func=__iprope_check line=2281 msg="gnum-100004, check-00000000c34ebe72"
2024-06-13 11:36:33 id=65308 trace_id=1 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-4294967295, ret-no-match, act-drop"
2024-06-13 11:36:33 id=65308 trace_id=1 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-0, ret-no-match, act-drop"
2024-06-13 11:36:33 id=65308 trace_id=1 func=__iprope_check line=2298 msg="gnum-100004 check result: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2024-06-13 11:36:33 id=65308 trace_id=1 func=iprope_policy_group_check line=4703 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2024-06-13 11:36:33 id=65308 trace_id=1 func=ip_session_confirm_final line=3113 msg="npu_state=0x0, hook=4"
2024-06-13 11:36:33 id=65308 trace_id=2 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 10.100.100.10:0->10.100.100.1:0) tun_id=0.0.0.0 from port3. type=0, code=0, id=0, seq=0."
2024-06-13 11:36:33 id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5982 msg="Find an existing session, id-00000034, reply direction"
2024-06-13 11:36:33 id=65308 trace_id=2 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
2024-06-13 11:36:33 id=65308 trace_id=3 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 10.100.100.10:0->10.100.100.1:0) tun_id=0.0.0.0 from R1. type=0, code=0, id=0, seq=0."
2024-06-13 11:36:33 id=65308 trace_id=3 func=resolve_ip_tuple_fast line=5982 msg="Find an existing session, id-00000034, reply direction"
2024-06-13 11:36:33 id=65308 trace_id=3 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=80000000 gw-0.0.0.0 via root"
2024-06-13 11:36:34 id=65308 trace_id=4 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 10.100.100.1:0->10.100.100.10:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=0, seq=1."
2024-06-13 11:36:34 id=65308 trace_id=4 func=resolve_ip_tuple_fast line=5982 msg="Find an existing session, id-00000034, original direction"
2024-06-13 11:36:34 id=65308 trace_id=5 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 10.100.100.10:0->10.100.100.1:0) tun_id=0.0.0.0 from port3. type=0, code=0, id=0, seq=1."
2024-06-13 11:36:34 id=65308 trace_id=5 func=resolve_ip_tuple_fast line=5982 msg="Find an existing session, id-00000034, reply direction"

Each echo request (trace_id=1 and trace_id=4, 'from local') gets two echo replies. The first copy (trace_id=2, trace_id=5) is reported as received 'from port3', the standby member, and the second copy (trace_id=3) as received 'from R1', the redundant interface itself, i.e. via the active member. Both copies match session 00000034 in the reply direction, so both are delivered and the ping below reports duplicates.
execute ping 10.100.100.10
PING 10.100.100.10 (10.100.100.10): 56 data bytes
64 bytes from 10.100.100.10: icmp_seq=0 ttl=64 time=10.6 ms
64 bytes from 10.100.100.10: icmp_seq=0 ttl=64 time=14.4 ms (DUP!)
64 bytes from 10.100.100.10: icmp_seq=1 ttl=64 time=7.8 ms
64 bytes from 10.100.100.10: icmp_seq=1 ttl=64 time=10.3 ms (DUP!)
64 bytes from 10.100.100.10: icmp_seq=2 ttl=64 time=4.9 ms
64 bytes from 10.100.100.10: icmp_seq=2 ttl=64 time=6.3 ms (DUP!)
64 bytes from 10.100.100.10: icmp_seq=3 ttl=64 time=5.9 ms
64 bytes from 10.100.100.10: icmp_seq=3 ttl=64 time=9.0 ms (DUP!)
64 bytes from 10.100.100.10: icmp_seq=4 ttl=64 time=6.0 ms

--- 10.100.100.10 ping statistics ---
5 packets transmitted, 5 packets received, 4 duplicates, 0% packet loss
round-trip min/avg/max = 4.9/8.3/14.4 ms
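The following script is an added example, not part of the Fortinet article or of FortiOS. It automates the check the three outputs above are used for: it reads the active member from `diagnose netlink redundant name <name>` output, flags every `diagnose debug flow` packet line whose ingress interface is a standby member rather than the active one, and counts the `(DUP!)` replies in `execute ping` output. The sample outputs embedded in the script are constructed in the shape of the article's output (same member names and addresses); the regular expressions and function names are this script's own assumptions about that text format.

```python
"""
Added example (not from the Fortinet article or FortiOS): correlate
`diagnose netlink redundant name`, `diagnose debug flow` and `execute ping`
output to show packets that were processed on the standby member of a
redundant interface. Sample outputs below are constructed, shaped like the
article's; the parsing regexes are this script's assumptions.
"""
import re

# Constructed sample of `diagnose netlink redundant name R1` (one field per line).
REDUNDANT_STATUS = """\
status: up
npu: n
ports: 2
MAC addr: 00:09:0f:09:0a:01
current slave: port2
slave: port2
    index: 0
    link status: up
slave: port3
    index: 1
    link status: up
"""

# Constructed sample of `diagnose debug flow` trace lines (shape as in the article).
DEBUG_FLOW = """\
2024-06-13 11:36:33 id=65308 trace_id=1 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 10.100.100.1:0->10.100.100.10:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=0, seq=0."
2024-06-13 11:36:33 id=65308 trace_id=2 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 10.100.100.10:0->10.100.100.1:0) tun_id=0.0.0.0 from port3. type=0, code=0, id=0, seq=0."
2024-06-13 11:36:33 id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5982 msg="Find an existing session, id-00000034, reply direction"
2024-06-13 11:36:33 id=65308 trace_id=3 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 10.100.100.10:0->10.100.100.1:0) tun_id=0.0.0.0 from R1. type=0, code=0, id=0, seq=0."
2024-06-13 11:36:34 id=65308 trace_id=5 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 10.100.100.10:0->10.100.100.1:0) tun_id=0.0.0.0 from port3. type=0, code=0, id=0, seq=1."
"""

# Constructed sample of `execute ping` output with duplicate replies.
PING_OUTPUT = """\
PING 10.100.100.10 (10.100.100.10): 56 data bytes
64 bytes from 10.100.100.10: icmp_seq=0 ttl=64 time=10.6 ms
64 bytes from 10.100.100.10: icmp_seq=0 ttl=64 time=14.4 ms (DUP!)
64 bytes from 10.100.100.10: icmp_seq=1 ttl=64 time=7.8 ms
64 bytes from 10.100.100.10: icmp_seq=1 ttl=64 time=10.3 ms (DUP!)
64 bytes from 10.100.100.10: icmp_seq=2 ttl=64 time=4.9 ms
"""

# Matches the print_pkt_detail line: 5-tuple, ingress interface and (optional) ICMP seq.
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), (?P<src>[^\s>-]+)->(?P<dst>[^\s)]+)\)"
    r" tun_id=\S+ from (?P<iface>[^\s.]+)\.(?:.*?seq=(?P<seq>\d+))?"
)


def parse_redundant_status(text):
    """Return the active member ('current slave') and the list of all members."""
    current = re.search(r"^current slave:\s*(\S+)", text, re.M)
    members = re.findall(r"^slave:\s*(\S+)", text, re.M)
    if current is None or not members:
        raise ValueError("not a 'diagnose netlink redundant' output")
    return {"current": current.group(1), "members": members}


def packets_on_standby(flow_text, status):
    """Return (trace_id, member, src, dst, seq) for packets whose ingress interface
    is a member port other than the active one. Lines attributed to the aggregate
    itself (R1) or to 'local' are not member ports and are skipped."""
    standby = set(status["members"]) - {status["current"]}
    hits = []
    for line in flow_text.splitlines():
        m = PKT_RE.search(line)
        if m is None or m["iface"] not in standby:
            continue
        tid = re.search(r"trace_id=(\d+)", line)
        hits.append((tid.group(1) if tid else "?", m["iface"], m["src"], m["dst"], m["seq"]))
    return hits


def ping_duplicates(ping_text):
    """Return the sorted icmp_seq numbers that `execute ping` marked as (DUP!)."""
    dups = set()
    for line in ping_text.splitlines():
        m = re.search(r"icmp_seq=(\d+)", line)
        if m and "(DUP!)" in line:
            dups.add(int(m.group(1)))
    return sorted(dups)


def report(status_text=REDUNDANT_STATUS, flow_text=DEBUG_FLOW, ping_text=PING_OUTPUT):
    """Tie the three outputs together: active member, packets accepted on a
    standby member, and echo replies that arrived more than once."""
    status = parse_redundant_status(status_text)
    return {
        "active": status["current"],
        "standby_hits": packets_on_standby(flow_text, status),
        "duplicate_seqs": ping_duplicates(ping_text),
    }


if __name__ == "__main__":
    r = report()
    print(f"active member: {r['active']}")
    for tid, iface, src, dst, seq in r["standby_hits"]:
        print(f"trace_id={tid}: {src}->{dst} seq={seq} processed on standby member {iface}")
    print(f"duplicated icmp_seq: {r['duplicate_seqs']}")
```

On a real unit, paste the three outputs into the constants (or read them from files) and run the script; any entry in `standby_hits` means the FortiGate accepted a packet on a member the switch should not have forwarded to, and a non-empty `duplicate_seqs` shows the user-visible effect. An empty `standby_hits` together with duplicates points at a different cause (for example a loop on the switch side) rather than this behaviour.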
Solution:
This behavior is present in FortiOS 7.2.x and 7.4.x. It is changed in 7.2.11, 7.4.6 and 7.6.1; upgrade to one of those releases or later to stop the FortiGate from processing packets received on the non-active member of a redundant interface.