Troubleshooting Tip: GTP Error logs 'deny_cause="msg-filter' msgtypename="g-pdu'

subramanis · ‎12-24-2024

Description

This article describes the solution for the error 'deny_cause="msg-filter' msgtypename="g-pdu' when GTP-U traffic is not working.

Scope

FortiGate.

Solution

This error appears while troubleshooting GTPU-U traffic is not passing the firewall:

Screenshot 2024-12-24 0918521.png

To examine the logs, ensure that both GTP-U and GTP-C logs are enabled in the GTP_Test_Profile. This will help identify if any packets are being dropped. The logs will show the 'deny_cause="msg-filter"', but the primary indicator is msgtypename="g-pdu", which signifies that the GTP-U traffic is being denied.

GTP Profile:

config firewall gtp
edit "GTP_Test_Profile"
set max-message-length 4294967295
set monitor-mode disable
set forwarded-log enable
set denied-log enable
set rate-limited-log enable
set state-invalid-log enable
set tunnel-limit-log enable
set extension-log enable
set traffic-count-log enable
set gtpu-forwarded-log enable
set gtpu-denied-log enable <-----
set message-filter-v0v1 "v1_test"
set message-filter-v2 "v2_test"
next

The GTP-U traffic is denied in message-filter-v0v1. Note that GTP-U messages always conform to GTP version 1

message-filter-v0v1:

config gtp message-filter-v0v
edit "v1_test"
set redirection deny
set create-pdp deny
set update-pdp deny
set delete-pdp deny
set v0-create-aa-pdp--v1-init-pdp-ctx deny
set delete-aa-pdp deny
set error-indication deny
set pdu-notification deny
set support-extension deny
set gtp-pdu deny <-----
next
end

To resolve the issue, the set gtp-pdu enable option must be enabled in message-filter-v0v1.

Troubleshooting Tip: GTP Error logs 'deny_cause="msg-filter' msgtypename="g-pdu'

You are leaving our website