FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Benoit_Rech_FTNT
Article Id 196210

Description

This article describes why a FortiGate answers traceroute probes sent to VIP addresses even though traceroute traffic is not allowed by the firewall policies.


Scope

Firewall VIP and traceroute.


Solution

Diagram: brech_FD33838_vip_traceroute.png (image not reproduced here)


Expectations, Requirements:

Some security tools report that VIP addresses 'answer' to traceroute requests, even though ICMP_ANY or UDP traffic is not allowed by the firewall policies.

The traceroute tool relies on the TTL field in the IP header of the UDP probe packets it sends. This TTL counter is decremented each time the packet passes through a router. When a router receives a probe with a TTL of 1 (or less), decrementing it leaves zero, and the router must send an ICMP type=11, code=0 (Time Exceeded) message back to the source. Traceroute uses this ICMP message to identify each hop it encountered.

According to RFC1812:

'If the TTL is reduced to zero (or less), the packet MUST be discarded, and if the destination is not a multicast address the router MUST send an ICMP Time Exceeded message, Code 0 (TTL Exceeded in Transit) message to the source.'

From the FortiGate point of view, the firewall VIP is a logical IP address: a packet sent to the 'external' address triggers a 'routing' step towards the 'mapped' address, and the TTL handling from RFC1812 is applied at that step. The resulting ICMP Time Exceeded message is sourced from the VIP address, as the capture below shows.

There is no way to disable the sending of the ICMP TTL Exceeded in Transit message, as this behavior is compliant with RFC1812.


Configuration:

This configuration extract shows a VIP defined between a real server (10.121.2.12 on VLAN121) and a virtual public IP address 172.31.224.125 on port2. Only HTTP traffic is allowed by the firewall policy from port2 (any host) to the real server (VLAN121) through the VIP.
 
show firewall vip
config firewall vip
    edit "VIP_SERVER"
        set extip 172.31.224.125
        set extintf "port2"
        set mappedip 10.121.2.12
    next
end
config firewall policy
    edit 1
        set srcintf "port2"
        set dstintf "VLAN121"
        set srcaddr "all"
        set dstaddr "VIP_SERVER"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
end


Verification:


From a host connected on port2, execute 'traceroute 172.31.224.125'.

The following outputs are captured on the FortiGate.

The FortiGate receives a packet from the traceroute tool, sent to the VIP with a TTL of 1:
 

Internet Protocol Version 4, Src: 192.168.171.245 (192.168.171.245), Dst: 172.31.224.125 (172.31.224.125)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 60
Identification: 0x1676 (5750)
Flags: 0x00
Fragment offset: 0
Time to live: 1
Protocol: UDP (17)
Header checksum: 0xaa00 [correct]
Source: 192.168.171.245 (192.168.171.245)
Destination: 172.31.224.125 (172.31.224.125)
User Datagram Protocol, Src Port: 37540 (37540), Dst Port: 33445 (33445)
Data (32 bytes)
0000 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f @ABCDEFGHIJKLMNO
0010 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f PQRSTUVWXYZ[\]^_

The FortiGate answers with an ICMP type=11, code=0 (Time To Live Exceeded in Transit), sourced from the VIP address and quoting the original probe:

Internet Protocol Version 4, Src: 172.31.224.125 (172.31.224.125), Dst: 192.168.171.245 (192.168.171.245)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 88
Identification: 0xb38a (45962)
Flags: 0x00
Fragment offset: 0
Time to live: 255
Protocol: ICMP (1)
Header checksum: 0x0e1f [correct]

Source: 172.31.224.125 (172.31.224.125)
Destination: 192.168.171.245 (192.168.171.245)
Internet Control Message Protocol
Type: 11 (Time-to-live exceeded)
Code: 0 (Time to live exceeded in transit)

Checksum: 0xee74 [correct]
Internet Protocol Version 4, Src: 192.168.171.245 (192.168.171.245), Dst: 172.31.224.125 (172.31.224.125)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
Total Length: 60
Identification: 0x1676 (5750)
Flags: 0x00
Fragment offset: 0
Time to live: 1
Protocol: UDP (17)
Header checksum: 0xaa00 [correct]
Source: 192.168.171.245 (192.168.171.245)
Destination: 172.31.224.125 (172.31.224.125)
User Datagram Protocol, Src Port: 37540 (37540), Dst Port: 33445 (33445)
Data (32 bytes)
0000 40 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f @ABCDEFGHIJKLMNO
0010 50 51 52 53 54 55 56 57 58 59 5a 5b 5c 5d 5e 5f PQRSTUVWXYZ[\]^_


Troubleshooting:

The sniffer confirms that the traceroute traffic does not go through the FortiGate: the probes arrive on port2, but there is no egress traffic on VLAN121.
 
diagnose sniffer packet any 'host 172.31.224.125 or host 10.121.2.12' 4 0 a
interfaces=[any] filters=[host 172.31.224.125 or host 10.121.2.12]
2012-10-04 09:00:49.813967 port2 in arp who-has 172.31.224.125 tell 172.31.227.254
2012-10-04 09:00:49.813991 port2 out arp reply 172.31.224.125 is-at 0:9:f:85:b7:82
2012-10-04 09:00:49.814482 port2 in 192.168.171.245.52763 -> 172.31.224.125.33450: udp 32
2012-10-04 09:00:49.814549 port2 in 192.168.171.245.47048 -> 172.31.224.125.33451: udp 32
2012-10-04 09:00:49.814585 port2 in 192.168.171.245.53413 -> 172.31.224.125.33452: udp 32
diag debug flow show function enable
diag debug flow filter proto 17
diag debug flow show trace start 100
id=36871 trace_id=141 msg="allocate a new session-00002467"
id=36871 trace_id=141 msg="find SNAT: IP-10.121.2.12(from IPPOOL), port-33446"
id=36871 trace_id=141 msg="VIP-10.121.2.12:33446, outdev-port2"
id=36871 trace_id=141 msg="DNAT 172.31.224.125:33446->10.121.2.12:33446"
id=36871 trace_id=141 msg="find a route: gw-10.121.2.12 via VLAN121"
id=36871 trace_id=141 msg="Denied by forward policy check"
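To make the processing order concrete, here is an added Python model (example code, not Fortinet's) of the path described in the Solution section and in the flow trace above: VIP lookup, route lookup, TTL decrement with the RFC1812 reply, and only then the forward policy check. The VIP, server and policy values come from the configuration above and the reply being sourced from the VIP's external address comes from the capture; the simplified pipeline itself (SNAT omitted) is an assumption made for illustration.

```python
# Added example (not Fortinet's code): a minimal model of the forwarding path the
# article describes, showing why a VIP answers traceroute with ICMP type 11/code 0
# while every TTL>1 probe ends with "Denied by forward policy check".
# The step order below is an assumption for illustration, not FortiOS internals.
from dataclasses import dataclass

ICMP_TIME_EXCEEDED = (11, 0)  # RFC 1812: type 11, code 0 (TTL Exceeded in Transit)

VIPS = {"172.31.224.125": ("port2", "10.121.2.12")}  # extip -> (extintf, mappedip)
ROUTES = {"10.121.2.12": "VLAN121"}                  # "find a route: ... via VLAN121"
POLICIES = [                                         # policy 1 from the configuration
    {"srcintf": "port2", "dstintf": "VLAN121", "dstaddr": "172.31.224.125",
     "proto": 6, "dport": 80, "action": "accept"},   # service "HTTP" = TCP/80
]

@dataclass
class Packet:
    src: str
    dst: str
    ttl: int
    proto: int   # 17 = UDP (traceroute probes), 6 = TCP, 1 = ICMP
    dport: int
    inintf: str = "port2"

def forward(pkt):
    """Return the firewall's verdict for pkt as (verdict, detail)."""
    # 1. VIP lookup: the external address is a logical IP mapped to the real server.
    if pkt.dst not in VIPS or VIPS[pkt.dst][0] != pkt.inintf:
        return ("drop", "no VIP for %s on %s" % (pkt.dst, pkt.inintf))
    extip, mapped = pkt.dst, VIPS[pkt.dst][1]
    # 2. Route lookup for the mapped address (the 'routing' step of the article).
    outintf = ROUTES.get(mapped)
    if outintf is None:
        return ("drop", "no route to %s" % mapped)
    # 3. Forwarding decrements the TTL; reaching zero triggers the RFC 1812 rule:
    #    discard and answer with ICMP Time Exceeded, sourced from the VIP address.
    if pkt.ttl - 1 <= 0:
        return ("icmp", {"src": extip, "dst": pkt.src, "type_code": ICMP_TIME_EXCEEDED})
    # 4. Only now is the forward policy evaluated, so non-HTTP probes are denied here.
    for pol in POLICIES:
        if ((pol["srcintf"], pol["dstintf"], pol["dstaddr"]) == (pkt.inintf, outintf, extip)
                and pol["proto"] == pkt.proto and pol["dport"] == pkt.dport):
            return (pol["action"], "policy matched, DNAT %s -> %s" % (extip, mapped))
    return ("deny", "Denied by forward policy check")
```

Run forward() with the TTL=1 probe from the capture and with a TTL=2 probe to see the ICMP reply and the policy denial respectively; the mapped address 10.121.2.12 never appears in the reply.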