doublejz
New Contributor

Policy Routing Questions

So I currently have a 61E at the main location and a 40F at a branch location. IPsec VPN between the two. We recently tried to implement some policy-based routing at the branch, which appears to be routing the traffic back to the main location as expected. However, the sniffer results show that the RFC1918 address is trying to go to the internet instead of being NAT'd (probably because it's not matching the policy which has NAT enabled).

id=20085 trace_id=120 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.2.200:27413->184.30.82.29:2048) from VPN-40F_0. type=8, code=0, id=27413, seq=8."
id=20085 trace_id=120 func=init_ip_session_common line=5913 msg="allocate a new session-0039162a"
id=20085 trace_id=120 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-<pub-IP-REMOVED> via wan1"
id=20085 trace_id=120 func=fw_forward_handler line=643 msg="Denied by forward policy check (policy 0)"

id=20085 trace_id=121 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.2.200:27413->184.30.82.29:2048) from VPN-40F_0. type=8, code=0, id=27413, seq=9."
id=20085 trace_id=121 func=init_ip_session_common line=5913 msg="allocate a new session-00391630"
id=20085 trace_id=121 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-<pub-IP-REMOVED> via wan1"
id=20085 trace_id=121 func=fw_forward_handler line=643 msg="Denied by forward policy check (policy 0)"


I currently have a policy in place to allow anything from the branch subnet over the VPN tunnel to go to the Outside (zone that wan1 is in) but it doesn't appear to be matching.

 

(93) # show
config firewall policy
    edit 93
        set name "Out-From-Branch"
        set uuid d8b47eb0-d07b-51eb-e747-d0975e648e7f
        set srcintf "VPN-40F"
        set dstintf "Outside"
        set srcaddr "branch-range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end

(93) #


I also debugged ike and didn't see any messages about no matching selector.

 

I'm not really sure where to look at this point so any advice would be greatly appreciated.

1 REPLY
doublejz
New Contributor

*sigh* It appears that the branch-range address I had used in the policy didn't include the full subnet. Once corrected, traffic is flowing as expected.
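The root cause in the reply is the classic one behind "Denied by forward policy check (policy 0)": the packet's source address falls outside the address object named in the only candidate policy, so no policy matches and the implicit deny (policy 0) is logged. The script below is an added example, not code from the thread or from Fortinet. It parses the `diagnose debug flow` lines quoted above and runs a simplified first-match model of FortiGate policy evaluation against policy 93, once with a deliberately too-narrow `branch-range` and once with the corrected subnet. The interface-to-zone mapping (wan1 in zone "Outside"), the concrete address ranges (192.168.2.0/25 as the "narrow" object and 192.168.2.0/24 as the fix), the gateway 203.0.113.1 standing in for the removed public IP, and the treatment of the `VPN-40F_0` child tunnel as belonging to the `VPN-40F` interface are all assumptions made for illustration; the sample log lines are constructed from the post.

```python
"""Model FortiGate forward-policy matching for 'diagnose debug flow' output.

Added example, not part of the original thread or Fortinet's code. The
evaluation is a simplified first-match model: interfaces/zones, source and
destination address objects; no service/schedule checks. Policy 0 means
the implicit deny, which is what the firewall logs when nothing matches.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: one trace from the post, with the removed public IP
# replaced by a documentation-range address (assumption).
SAMPLE_FLOW = """\
id=20085 trace_id=120 func=print_pkt_detail line=5742 msg="vd-root:0 received a packet(proto=1, 192.168.2.200:27413->184.30.82.29:2048) from VPN-40F_0. type=8, code=0, id=27413, seq=8."
id=20085 trace_id=120 func=init_ip_session_common line=5913 msg="allocate a new session-0039162a"
id=20085 trace_id=120 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=120 func=fw_forward_handler line=643 msg="Denied by forward policy check (policy 0)"
"""

# Ingress interface is logged as VPN-40F_0; assumption: strip the _N suffix so the
# child tunnel is evaluated against policies bound to the parent interface VPN-40F.
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<iface>\S+?)(?:_\d+)?\."
)
ROUTE_RE = re.compile(r'find a route: .* via (?P<iface>\S+)"')

ZONES = {"wan1": "Outside"}  # assumption: wan1 is a member of zone "Outside"


def parse_flow(text):
    """Extract proto, src, dst, ingress interface and egress zone from debug flow lines."""
    pkt = {}
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            pkt.update(proto=int(m["proto"]), src=m["src"], dst=m["dst"], srcintf=m["iface"])
            continue
        m = ROUTE_RE.search(line)
        if m:  # route lookup happens before policy lookup; egress decides dstintf
            egress = m["iface"]
            pkt["dstintf"] = ZONES.get(egress, egress)
    return pkt


@dataclass
class Policy:
    policyid: int
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    nat: bool = False


def addr_contains(addr_objects, name, ip):
    """True if the named address object covers ip."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in addr_objects[name])


def match_policy(pkt, policies, addr_objects):
    """First matching policy in table order, or None for the implicit deny."""
    for p in policies:
        if (p.srcintf == pkt["srcintf"] and p.dstintf == pkt["dstintf"]
                and addr_contains(addr_objects, p.srcaddr, pkt["src"])
                and addr_contains(addr_objects, p.dstaddr, pkt["dst"])):
            return p
    return None


# Policy 93 exactly as shown in the post.
POLICIES = [Policy(93, "Out-From-Branch", "VPN-40F", "Outside", "branch-range", "all", nat=True)]

# Assumed address objects. The narrow object reproduces the symptom: 192.168.2.200
# is outside 192.168.2.0/25, so nothing matches and policy 0 denies the packet.
ADDR_NARROW = {"branch-range": [ipaddress.ip_network("192.168.2.0/25")],
               "all": [ipaddress.ip_network("0.0.0.0/0")]}
ADDR_FIXED = {"branch-range": [ipaddress.ip_network("192.168.2.0/24")],
              "all": [ipaddress.ip_network("0.0.0.0/0")]}


def evaluate(flow_text, addr_objects, policies=POLICIES):
    """Return (policy id, nat enabled); (0, False) is the implicit deny."""
    pkt = parse_flow(flow_text)
    p = match_policy(pkt, policies, addr_objects)
    return (p.policyid, p.nat) if p else (0, False)


if __name__ == "__main__":
    for label, objs in (("narrow branch-range", ADDR_NARROW),
                        ("corrected branch-range", ADDR_FIXED)):
        pid, nat = evaluate(SAMPLE_FLOW, objs)
        print(f"{label}: policy {pid}, nat={'enable' if nat else 'disable'}")
```

The useful check this gives a practitioner is the one the poster eventually did by hand: when `debug flow` reports policy 0, take the exact source address from the `received a packet` line and test it against every address object referenced by the candidate policies before looking at IKE selectors or routing, since a source-object mismatch produces exactly this denial with a perfectly healthy tunnel and route.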