FortiGate
AnthonyH
Staff
Article Id 408184
Description: This article describes how to resolve the 'reverse path check fail (bad src), drop' issue for NAT64 traffic originating from outside the FortiGate.
Scope: FortiGate.
Solution

In this scenario, a client is attempting to access RDP over the Internet using IPv6. Traffic originating from 2001:db8:beef:cafe:a54d:bce1:1cb2:82e3 (source port 63386) is being dropped with 'reverse path check fail(bad src),drop':


id=20085 trace_id=12 func=resolve_ip6_tuple_fast line=4787 msg="vd-root:0 received a packet(proto=6, 2001:db8:beef:cafe:a54d:bce1:1cb2:82e3:63386->2001:db8:dc1:abcd::3:3389) from port1."
id=20085 trace_id=12 func=resolve_ip6_tuple_fast line=4827 msg="Find an existing session, id-00000072, original direction"
id=20085 trace_id=12 func=fw6_forward_dirty_handler line=371 msg="state=00000200, state2=00000000, npu_state=00000100"
id=20085 trace_id=12 func=ip6_nat_af_input line=298 msg="nat64 ipv6 received a packet proto=6"
id=20085 trace_id=12 func=init_ip_session_common line=6003 msg="allocate a new session-00000b24, tun_id=0.0.0.0"
id=20085 trace_id=12 func=ip_route_input_slow line=2447 msg="reverse path check fail(bad src),drop"
id=20085 trace_id=12 func=ip_session_handle_no_dst line=6089 msg="trace"


The following Virtual IP, Firewall policy, and Central SNAT have been configured:


config firewall vip6
    edit "RDPv6"
        set extip 2001:db8:dc1:abcd::3
        set portforward enable
        set nat66 disable
        set nat64 enable
        set ipv4-mappedip 192.168.1.1
        set ipv4-mappedport 3389
        set extport 3389
    next
end


config firewall policy
    edit 2
        set name "Inbound-RDP"
        set srcintf "port1" <-- WAN interface.
        set dstintf "port3" <-- LAN interface.
        set action accept
        set nat64 enable
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "2001:db8:dc1:abcd::3/128" <-- Recommended to use the actual mapped address.
        set schedule "always"
        set service "RDP"
    next
end


config firewall central-snat-map
    edit 1
        set type ipv6
        set srcintf "port1"
        set dstintf "port3"
        set orig-addr6 "RDP-Origin"
        set dst-addr6 "all"
        set nat64 enable
        set nat-ippool "192.168.1.100/32"
    next
end


The issue stems from a misconfiguration in the central SNAT policy, specifically 'set orig-addr6 "RDP-Origin"': the prefix defined in the 'RDP-Origin' address object does not cover the source address of the originating traffic, so the central SNAT entry never matches this flow.


Source of originating traffic: 2001:db8:beef:cafe:a54d:bce1:1cb2:82e3 (source port 63386)


The misconfigured address object:


config firewall address6
    edit "RDP-Origin"
        set uuid d4b4850c-81d0-51f0-cafc-c015be298bde
        set ip6 2006:db8:dc1:abcd::2/128
    next
end


Solution:

Ensure the central SNAT configuration matches the source and destination of the traffic; otherwise, the message 'reverse path check fail(bad src),drop' may be seen in the debug flow. In this case, the 'RDP-Origin' address object is changed to the /64 prefix that contains the client's source address:


config firewall address6
    edit "RDP-Origin"
        set uuid d4b4850c-81d0-51f0-cafc-c015be298bde
        set ip6 2001:db8:beef:cafe::/64
    next
end
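As an added illustration (not part of the article or of FortiOS), the following Python script emulates the central SNAT lookup that failed here: it parses the 'received a packet' line from the debug flow and checks whether the source address falls inside the prefix of the address6 object referenced by orig-addr6, first with the misconfigured 'RDP-Origin' object and then with the corrected one. The egress interface port3 is taken from the policy's dstintf as an assumption.

```python
import ipaddress
import re

# Constructed sample inputs, copied from the article's configuration and flow trace.
SNAT_MAP = {"srcintf": "port1", "dstintf": "port3",
            "orig-addr6": "RDP-Origin", "nat-ippool": "192.168.1.100/32"}
ADDRESS6_BEFORE = {"RDP-Origin": "2006:db8:dc1:abcd::2/128"}  # misconfigured object
ADDRESS6_AFTER = {"RDP-Origin": "2001:db8:beef:cafe::/64"}    # corrected object
TRACE_LINE = ('id=20085 trace_id=12 func=resolve_ip6_tuple_fast line=4787 '
              'msg="vd-root:0 received a packet(proto=6, '
              '2001:db8:beef:cafe:a54d:bce1:1cb2:82e3:63386->2001:db8:dc1:abcd::3:3389) from port1."')

PKT_RE = re.compile(r'received a packet\(proto=(\d+), (.+):(\d+)->(.+):(\d+)\) from (\w+)\.')


def parse_received_packet(line):
    """Split a 'received a packet' flow line into its 5-tuple plus ingress interface.
    The greedy group before ':<port>' keeps the IPv6 address and the port apart."""
    m = PKT_RE.search(line)
    if not m:
        return None
    proto, src, sport, dst, dport, intf = m.groups()
    return {"proto": int(proto), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "intf": intf}


def snat_map_matches(pkt, egress_intf, snat_map, address6):
    """Emulate the central SNAT lookup: the interface pair must match and the packet
    source must fall inside the prefix of the address6 object named by orig-addr6."""
    if (pkt["intf"], egress_intf) != (snat_map["srcintf"], snat_map["dstintf"]):
        return False
    prefix = ipaddress.ip_network(address6[snat_map["orig-addr6"]], strict=False)
    return ipaddress.ip_address(pkt["src"]) in prefix


def diagnose(line, egress_intf, snat_map, address6):
    """One-line verdict for a trace line under the given address6 objects."""
    pkt = parse_received_packet(line)
    if pkt is None:
        return "not a 'received a packet' line"
    if snat_map_matches(pkt, egress_intf, snat_map, address6):
        return "central SNAT matched: SNAT64 from pool %s" % snat_map["nat-ippool"]
    obj = snat_map["orig-addr6"]
    return ("central SNAT not matched: %s is outside %s (%s); "
            "expect 'reverse path check fail(bad src),drop'" % (pkt["src"], obj, address6[obj]))


if __name__ == "__main__":
    # Egress interface port3 is taken from the policy's dstintf (assumption for this example).
    print(diagnose(TRACE_LINE, "port3", SNAT_MAP, ADDRESS6_BEFORE))
    print(diagnose(TRACE_LINE, "port3", SNAT_MAP, ADDRESS6_AFTER))
```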


id=20085 trace_id=17 func=resolve_ip6_tuple_fast line=4787 msg="vd-root:0 received a packet(proto=6, 2001:db8:beef:cafe:31fc:98a2:8ef6:4761:58946->2001:db8:dc1:abcd::3:3389) from port1."
id=20085 trace_id=17 func=resolve_ip6_tuple line=4926 msg="allocate a new session-00000093"
id=20085 trace_id=17 func=get_vip64_addr line=1174 msg="find DNAT64: IP-192.168.1.1, port-3389"
id=20085 trace_id=17 func=vf_ip6_route_input line=1201 msg="find a route: gw-2001:db8:dc1:abcd::3 via naf.root err 0 flags 01000001"
id=20085 trace_id=17 func=fw6_forward_handler line=435 msg="Check policy between port1 -> naf.root"
id=20085 trace_id=17 func=get_new_addr64 line=1110 msg="find SNAT64: IP-192.168.1.100(from IPPOOL), port-22464"
id=20085 trace_id=17 func=fw6_forward_handler line=567 msg="Allowed by Policy-2: SNAT"
id=20085 trace_id=17 func=ip6_nat_af_input line=298 msg="nat64 ipv6 received a packet proto=6"

id=20085 trace_id=17 func=init_ip_session_common line=6003 msg="allocate a new session-00004516, tun_id=0.0.0.0"
id=20085 trace_id=17 func=vf_ip_route_input_common line=2604 msg="find a route: flag=04000000 gw-192.168.1.1 via port3"
id=20085 trace_id=17 func=fw_forward_handler line=874 msg="Allowed by Policy-2:"


Related article:

Technical Tip: How to configure NAT64 to allow IPv6 traffic to reach IPv4-only traffic domain when c...