itcba
New Contributor

Access Denied - The page you requested has been blocked by a firewall policy restriction.

Hi,

I'm using a VIP to redirect traffic based on hostnames to my NAS.

[Screenshot 2024-06-05 at 00.34.59.png]

I'm using Origin Server Certificates obtained from Cloudflare, which also manages my DNS.

Anyway, I'm seeing this error while trying to visit the login page:

[Screenshot 2024-06-05 at 00.35.03.png]

The certificate is considered valid. Anyway, in the logs I see a lot of accepted but timed out connections.

Any tips?

ozkanaltas
Valued Contributor II

Hello @itcba ,

 

Can you try to access without a security profile and ssl-inspection (select no-inspection)?

 

And also did you see any logs on Security Events?

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
itcba

Yes, I tried without any security profiles but the error is still there.

The only logs I see are some timeouts.

I suspect that there is something wrong with certificates accepted by the FortiGate?

ede_pfau

And the VIPs? Any filters on them? Port forwarding?

Could you please post one VIP config here (as text)?

Ede Kernel panic: Aiee, killing interrupt handler!
itcba
New Contributor

How do you apply filters on them?

Here's my VIP:

 

edit "archivio-virtual-server-https"
    set uuid a6e1139e-1ce0-51ef-bf62-553f37b7c7b7
    set type server-load-balance
    set extip *myesternalIP*
    set extintf "any"
    set server-type https
    set http-ip-header enable
    set ldb-method http-host
    set extport 443
    config realservers
        edit 1
            set ip 10.0.0.2
            set port 443
            set http-host "archivio.cba-design.it"
        next
    end
    set http-supported-max-version http1
    set ssl-mode full
    set ssl-certificate "acme-cba"
next
edit "archivio-virtual-server-dsm"
    set uuid 07703dde-1e99-51ef-63e0-132963612952
    set type server-load-balance
    set extip *myesternalIP*
    set extintf "any"
    set server-type https
    set http-ip-header enable
    set ldb-method http-host
    set extport 5003
    config realservers
        edit 1
            set ip 10.0.0.2
            set port 5003
            set http-host "archivio.cba-design.it"
        next
    end
    set ssl-mode full
    set ssl-certificate "acme-cba"
next
edit "express-virtual-server-dsm"
    set uuid ed8a1a3a-1ea6-51ef-d3f0-e1ed45110cd9
    set type server-load-balance
    set extip *myesternalIP*
    set extintf "any"
    set server-type https
    set http-ip-header enable
    set ldb-method http-host
    set extport 5003
    config realservers
        edit 1
            set ip 10.30.0.1
            set port 5003
            set http-host "express.cba-design.it"
        next
    end
    set ssl-mode full
    set ssl-certificate "acme-express"
next
edit "express-virtual-server-https"
    set uuid 08ad2014-1ea7-51ef-bf02-77ba22d0d0dc
    set type server-load-balance
    set extip *myesternalIP*
    set extintf "any"
    set server-type https
    set http-ip-header enable
    set ldb-method http-host
    set extport 443
    config realservers
        edit 1
            set ip 10.30.0.1
            set port 443
            set http-host "express.cba-design.it"
        next
    end
    set http-supported-max-version http1
    set ssl-mode full
    set ssl-certificate "acme-express"
next
edit "archivio-virtual-server-http"
    set uuid e65e7f26-1f4b-51ef-2fd6-d3a721f8772b
    set type server-load-balance
    set extip *myesternalIP*
    set extintf "any"
    set server-type http
    set http-ip-header enable
    set ldb-method http-host
    set extport 80
    config realservers
        edit 1
            set ip 10.0.0.2
            set port 80
            set http-host "archivio.cba-design.it"
        next
    end
next
edit "express-virtual-server-http"
    set uuid 0777a9d0-1f4c-51ef-f100-50b9bb2cd7ca
    set type server-load-balance
    set extip *myesternalIP*
    set extintf "any"
    set server-type http
    set http-ip-header enable
    set ldb-method http-host
    set extport 80
    config realservers
        edit 1
            set ip 10.30.0.1
            set port 80
            set http-host "express.cba-design.it"
        next
    end

ozkanaltas
Valued Contributor II

Hello @itcba ,

 

That's interesting actually. It may be related to SSL, but if it were, a log should be created under the log events -> SSL category.

 

Can you try accessing it while running the following debug commands? Maybe it can tell us more in the debug.

 

diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug reset
diagnose debug flow filter daddr <YOUR_SERVICE_IP>
diagnose debug flow trace start 100
diagnose debug enable

 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
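
An added example, not part of the original thread or of Fortinet's tooling: a Python parser for the `diagnose debug flow` output that the commands above produce. It groups records by `trace_id` and reports which traced packets were actually addressed to the published service, so you can tell whether the capture contains the client-to-VIP traffic at all. The function names are hypothetical, and the sample lines are constructed in the record format seen in this thread, using documentation addresses.

```python
import re

# Header of every flow-trace record: id, trace_id, func, source line, message.
HEADER = re.compile(r'^id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)$')
PACKET = re.compile(
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)'
    r' tun_id=\S+ from (\S+)\.(?:\s+flag \[([^\]]*)\])?')
SESSION = re.compile(r'Find an existing session, id-([0-9a-f]+), (\w+) direction')
DNAT = re.compile(r'DNAT ([\d.]+:\d+)->([\d.]+:\d+)')

# Constructed sample (not taken from a real device), same layout as the thread.
SAMPLE = '''
id=65308 trace_id=1 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:443->203.0.113.10:35760) tun_id=0.0.0.0 from wan1. flag [.], seq 100, ack 200, win 197"
id=65308 trace_id=1 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0000aaaa, reply direction"
id=65308 trace_id=1 func=__ip_session_run_tuple line=3419 msg="DNAT 203.0.113.10:35760->10.30.0.1:35760"
id=65308 trace_id=1 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=2 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=17, 192.0.2.53:53->203.0.113.10:49625) tun_id=0.0.0.0 from wan1. "
id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-0000bbbb, reply direction"
id=65308 trace_id=2 func=ids_receive line=429 msg="send to ips"
id=65308 trace_id=2 func=np6xlite_hif_nturbo_build_vtag line=1224 msg="vtag->magic d153beef, vtag->vid 0
vtag->sport 0, vtag->mtu 1500, vtag->flags 1"
id=65308 trace_id=3 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.0.2.44:51514->203.0.113.10:443) tun_id=0.0.0.0 from wan1. flag [S], seq 300, ack 0, win 64240"
'''


def parse_flow_trace(text):
    """Group trace records by trace_id and return {trace_id: packet summary}.

    Grouping by trace_id (rather than by position) copes with interleaved
    records; a truncated first line with no header is skipped.
    """
    traces = {}
    last = None  # step list of the record a continuation line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if not m:
            # Continuation of a multi-line msg="..." value.
            if last is not None:
                func, msg = last[-1]
                last[-1] = (func, msg + " " + line.rstrip('"'))
            continue
        tid, func = int(m.group(1)), m.group(2)
        msg = m.group(3).rstrip('"').strip()
        t = traces.setdefault(tid, {"steps": []})
        t["steps"].append((func, msg))
        last = t["steps"]
        if (p := PACKET.search(msg)):
            proto, src, sport, dst, dport, iface, flags = p.groups()
            t.update(proto=int(proto), src=f"{src}:{sport}",
                     dst=f"{dst}:{dport}", iface=iface, flags=flags or "")
        elif (s := SESSION.search(msg)):
            t.update(session=s.group(1), direction=s.group(2))
        elif (d := DNAT.search(msg)):
            t["dnat"] = d.group(2)  # translated destination
        elif msg.startswith("send to "):
            t["handed_to"] = msg[len("send to "):]
    return traces


def packets_to_service(traces, ip, port):
    """trace_ids of packets addressed to ip:port that arrived on an interface."""
    target = f"{ip}:{port}"
    return sorted(tid for tid, t in traces.items()
                  if t.get("dst") == target and t.get("iface") != "local")


def sessions(traces):
    """Per matched session id: packet count, directions, inspection hand-offs."""
    out = {}
    for t in traces.values():
        sid = t.get("session")
        if sid is None:
            continue
        s = out.setdefault(sid, {"packets": 0, "directions": set(),
                                 "handed_to": set()})
        s["packets"] += 1
        s["directions"].add(t["direction"])
        if "handed_to" in t:
            s["handed_to"].add(t["handed_to"])
    return out


if __name__ == "__main__":
    parsed = parse_flow_trace(SAMPLE)
    for tid, t in sorted(parsed.items()):
        print(tid, t.get("iface"), t.get("src"), "->", t.get("dst"),
              t.get("direction", "new/unknown"), t.get("handed_to", "-"))
    print("packets addressed to the service:",
          packets_to_service(parsed, "203.0.113.10", 443))
```

If the list of packets addressed to the service is empty, the trace only captured other sessions that matched the filter and says nothing about how the VIP handled the client request.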
itcba

n_id=0.0.0.0 from local. flag [.], seq 4030552386, ack 462940075, win 1873"
id=65308 trace_id=6 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=7 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->93.145.64.10:35760) tun_id=0.0.0.0 from wan1. flag [.], seq 1582617498, ack 3589958364, win 197"
id=65308 trace_id=7 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=7 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:35760->10.30.0.1:35760"
id=65308 trace_id=7 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00110306 ses.npu_state=0x00001008"
id=65308 trace_id=7 func=fw_forward_dirty_handler line=437 msg="state=00110306, state2=00004001, npu_state=00001008"
id=65308 trace_id=7 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=8 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->10.30.0.1:35760) tun_id=0.0.0.0 from local. flag [.], seq 4030552386, ack 462940075, win 1873"
id=65308 trace_id=8 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=9 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->10.30.0.1:35760) tun_id=0.0.0.0 from local. flag [.], seq 4030552410, ack 462940103, win 1873"
id=65308 trace_id=9 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=10 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->93.145.64.10:35760) tun_id=0.0.0.0 from wan1. flag [.], seq 1582617522, ack 3589958392, win 197"
id=65308 trace_id=10 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=10 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:35760->10.30.0.1:35760"
id=65308 trace_id=10 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00110306 ses.npu_state=0x00001008"
id=65308 trace_id=10 func=fw_forward_dirty_handler line=437 msg="state=00110306, state2=00004001, npu_state=00001008"
id=65308 trace_id=10 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=11 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.222:443->93.145.64.10:34426) tun_id=0.0.0.0 from wan1. flag [.], seq 1820219978, ack 3281277087, win 43"
id=65308 trace_id=11 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b7004, reply direction"
id=65308 trace_id=11 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:34426->10.30.0.1:34426"
id=65308 trace_id=11 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00110306 ses.npu_state=0x00001008"
id=65308 trace_id=11 func=fw_forward_dirty_handler line=437 msg="state=00110306, state2=00004001, npu_state=00001008"
id=65308 trace_id=11 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=12 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.222:443->10.30.0.1:34426) tun_id=0.0.0.0 from local. flag [.], seq 4137262871, ack 1124214217, win 130"
id=65308 trace_id=12 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b7004, reply direction"
id=65308 trace_id=13 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=17, 216.239.35.0:123->93.145.64.10:54795) tun_id=0.0.0.0 from wan1. "
id=65308 trace_id=13 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b39c3, reply direction"
id=65308 trace_id=13 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:54795->10.30.0.1:54795"
id=65308 trace_id=13 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.30.0.1 via lan-30-dmz"
id=65308 trace_id=13 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000000 ses.state=00012284 ses.npu_state=0x00003094"
id=65308 trace_id=13 func=fw_forward_dirty_handler line=437 msg="state=00012284, state2=00004001, npu_state=00003094"
id=65308 trace_id=13 func=np6xlite_hif_nturbo_build_vtag line=1224 msg="vtag->magic d153beef, vtag->coretag 85, vtag->vid 0
vtag->sip[0] 0, vtag->sip[1] 0, vtag->sip[2] 0, vtag->sip[3] 0
vtag->sport 0, vtag->mtu 1500, vtag->flags 1, vtag->np6_flag 0x0, skb->npu_flag=0xc1080"
id=65308 trace_id=14 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 10.0.0.81:57087->10.30.0.1:5003) tun_id=0.0.0.0 from internal. flag [R.], seq 2732297209, ack 901734901, win 2047"
id=65308 trace_id=14 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039acd66, original direction"
id=65308 trace_id=14 func=ipv4_fast_cb line=53 msg="enter fast path"
id=65308 trace_id=15 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->10.30.0.1:35760) tun_id=0.0.0.0 from local. flag [.], seq 4030552410, ack 462940131, win 1873"
id=65308 trace_id=15 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=16 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->93.145.64.10:35760) tun_id=0.0.0.0 from wan1. flag [.], seq 1582617522, ack 3589958420, win 197"
id=65308 trace_id=16 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=16 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:35760->10.30.0.1:35760"
id=65308 trace_id=16 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00110306 ses.npu_state=0x00001008"
id=65308 trace_id=16 func=fw_forward_dirty_handler line=437 msg="state=00110306, state2=00004001, npu_state=00001008"
id=65308 trace_id=16 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=17 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->93.145.64.10:35760) tun_id=0.0.0.0 from wan1. flag [.], seq 1582617522, ack 3589958420, win 197"
id=65308 trace_id=17 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=17 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:35760->10.30.0.1:35760"
id=65308 trace_id=17 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00110306 ses.npu_state=0x00001008"
id=65308 trace_id=17 func=fw_forward_dirty_handler line=437 msg="state=00110306, state2=00004001, npu_state=00001008"
id=65308 trace_id=17 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=18 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->10.30.0.1:35760) tun_id=0.0.0.0 from local. flag [.], seq 4030552410, ack 462940131, win 1873"
id=65308 trace_id=18 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=19 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->10.30.0.1:35760) tun_id=0.0.0.0 from local. flag [.], seq 4030552434, ack 462940131, win 1873"
id=65308 trace_id=19 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=20 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->93.145.64.10:35760) tun_id=0.0.0.0 from wan1. flag [.], seq 1582617546, ack 3589958448, win 197"
id=65308 trace_id=20 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=20 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:35760->10.30.0.1:35760"
id=65308 trace_id=20 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00110306 ses.npu_state=0x00001008"
id=65308 trace_id=20 func=fw_forward_dirty_handler line=437 msg="state=00110306, state2=00004001, npu_state=00001008"
id=65308 trace_id=20 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=21 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->93.145.64.10:35760) tun_id=0.0.0.0 from wan1. flag [.], seq 1582617546, ack 3589958448, win 197"
id=65308 trace_id=21 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=21 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:35760->10.30.0.1:35760"
id=65308 trace_id=21 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00110306 ses.npu_state=0x00001008"
id=65308 trace_id=21 func=fw_forward_dirty_handler line=437 msg="state=00110306, state2=00004001, npu_state=00001008"
id=65308 trace_id=21 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=22 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->10.30.0.1:35760) tun_id=0.0.0.0 from local. flag [.], seq 4030552434, ack 462940159, win 1873"
id=65308 trace_id=22 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
id=65308 trace_id=23 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=17, 8.8.8.8:53->93.145.64.10:49625) tun_id=0.0.0.0 from wan1. "
id=65308 trace_id=23 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4148, reply direction"
id=65308 trace_id=23 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:49625->10.30.0.1:49625"
id=65308 trace_id=23 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.30.0.1 via lan-30-dmz"
id=65308 trace_id=23 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000000 ses.state=00012284 ses.npu_state=0x00001008"
id=65308 trace_id=23 func=fw_forward_dirty_handler line=437 msg="state=00012284, state2=00004001, npu_state=00001008"
id=65308 trace_id=23 func=ids_receive line=429 msg="send to ips"
id=65308 trace_id=23 func=__ip_session_run_tuple line=3460 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=24 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=17, 8.8.8.8:53->93.145.64.10:49625) tun_id=0.0.0.0 from wan1. "
id=65308 trace_id=24 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4148, reply direction"
id=65308 trace_id=24 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:49625->10.30.0.1:49625"
id=65308 trace_id=24 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00012284 ses.npu_state=0x00001008"
id=65308 trace_id=24 func=fw_forward_dirty_handler line=437 msg="state=00032284, state2=00004001, npu_state=00101008"
id=65308 trace_id=24 func=ids_receive line=429 msg="send to ips"
id=65308 trace_id=24 func=__ip_session_run_tuple line=3460 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=25 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [S.], seq 1373561224, ack 198692497, win 14480"
id=65308 trace_id=25 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=25 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=26 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [S.], seq 3490923548, ack 3244628221, win 43440"
id=65308 trace_id=26 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=26 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=26 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-10.30.0.1 via lan-30-dmz"
id=65308 trace_id=26 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=26 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00000001, npu_state=00001008"
id=65308 trace_id=26 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=27 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373561225, ack 198693014, win 122"
id=65308 trace_id=27 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=27 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=28 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490923549, ack 3244628738, win 42"
id=65308 trace_id=28 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=28 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=28 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112386 ses.npu_state=0x00001008"
id=65308 trace_id=28 func=fw_forward_dirty_handler line=437 msg="state=00112386, state2=00004001, npu_state=00001008"
id=65308 trace_id=28 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=29 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490923549, ack 3244628738, win 42"
id=65308 trace_id=29 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=29 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=29 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112386 ses.npu_state=0x00001008"
id=65308 trace_id=29 func=fw_forward_dirty_handler line=437 msg="state=00112386, state2=00004001, npu_state=00001008"
id=65308 trace_id=29 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=30 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490924997, ack 3244628738, win 42"
id=65308 trace_id=30 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=30 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=30 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112386 ses.npu_state=0x00001008"
id=65308 trace_id=31 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373561225, ack 198693014, win 122"
id=65308 trace_id=30 func=fw_forward_dirty_handler line=437 msg="state=00112386, state2=00004001, npu_state=00001008"
id=65308 trace_id=30 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=31 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=31 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=32 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373562673, ack 198693014, win 122"
id=65308 trace_id=32 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=32 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=33 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490926445, ack 3244628738, win 42"
id=65308 trace_id=33 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=33 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=33 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112386 ses.npu_state=0x00001008"
id=65308 trace_id=33 func=fw_forward_dirty_handler line=437 msg="state=00112386, state2=00004001, npu_state=00001008"
id=65308 trace_id=33 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=34 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373564121, ack 198693014, win 122"
id=65308 trace_id=34 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=34 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=35 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490927893, ack 3244628738, win 42"
id=65308 trace_id=35 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=35 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=35 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112386 ses.npu_state=0x00001008"
id=65308 trace_id=35 func=fw_forward_dirty_handler line=437 msg="state=00112386, state2=00004001, npu_state=00001008"
id=65308 trace_id=35 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=36 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373565569, ack 198693014, win 122"
id=65308 trace_id=36 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=36 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=37 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490929341, ack 3244628738, win 42"
id=65308 trace_id=37 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=37 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=37 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112386 ses.npu_state=0x00001008"
id=65308 trace_id=37 func=fw_forward_dirty_handler line=437 msg="state=00112386, state2=00004001, npu_state=00001008"
id=65308 trace_id=37 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=38 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373567017, ack 198693014, win 122"
id=65308 trace_id=38 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=38 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=39 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373567606, ack 198694526, win 145"
id=65308 trace_id=39 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=39 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=40 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490929930, ack 3244628802, win 42"
id=65308 trace_id=40 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=40 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=40 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=40 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=40 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=41 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490929930, ack 3244628802, win 42"
id=65308 trace_id=41 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=41 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=41 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=41 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=41 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=42 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490929991, ack 3244630980, win 41"
id=65308 trace_id=42 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=42 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=42 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=42 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=42 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=43 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373567606, ack 198695256, win 167"
id=65308 trace_id=43 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=43 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=44 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490929991, ack 3244630980, win 41"
id=65308 trace_id=44 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=44 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=44 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=44 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=44 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=45 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373567667, ack 198695256, win 167"
id=65308 trace_id=45 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=45 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=46 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490930026, ack 3244630980, win 41"
id=65308 trace_id=46 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=46 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=46 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=46 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=46 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=47 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373567702, ack 198695256, win 167"
id=65308 trace_id=47 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=47 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=48 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490930057, ack 3244630980, win 42"
id=65308 trace_id=48 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=48 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=48 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=48 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=48 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=49 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373567733, ack 198695287, win 167"
id=65308 trace_id=49 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=49 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=50 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490930245, ack 3244630980, win 42"
id=65308 trace_id=50 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=50 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=50 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000400 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=50 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=50 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=51 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [.], seq 1373567921, ack 198695287, win 167"
id=65308 trace_id=51 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=51 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=52 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->10.30.0.1:46278) tun_id=0.0.0.0 from local. flag [F.], seq 1373567995, ack 198695312, win 167"
id=65308 trace_id=52 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=52 func=ip_session_output line=661 msg="send to ips"
id=65308 trace_id=53 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490930319, ack 3244631011, win 42"
id=65308 trace_id=53 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=53 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=53 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000000 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=53 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=53 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=54 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490930319, ack 3244631035, win 42"
id=65308 trace_id=54 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=54 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=54 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000000 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=54 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=54 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=55 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490930319, ack 3244631035, win 42"
id=65308 trace_id=55 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=55 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=55 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000000 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=55 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=55 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=56 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [F.], seq 3490930343, ack 3244631035, win 42"
id=65308 trace_id=56 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=56 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=56 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000000 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=56 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=56 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=57 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.215:443->93.145.64.10:46278) tun_id=0.0.0.0 from wan1. flag [.], seq 3490930344, ack 3244631036, win 42"
id=65308 trace_id=57 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-039b4149, reply direction"
id=65308 trace_id=57 func=__ip_session_run_tuple line=3419 msg="DNAT 93.145.64.10:46278->10.30.0.1:46278"
id=65308 trace_id=57 func=npu_handle_session44 line=1206 msg="Trying to offloading session from wan1 to lan-30-dmz, skb.npu_flag=00000000 ses.state=00112306 ses.npu_state=0x00001008"
id=65308 trace_id=57 func=fw_forward_dirty_handler line=437 msg="state=00112306, state2=00004001, npu_state=00001008"
id=65308 trace_id=57 func=av_receive line=444 msg="send to application layer"
id=65308 trace_id=58 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 159.100.4.201:443->10.30.0.1:35760) tun_id=0.0.0.0 from local. flag [.], seq 4030552458, ack 462940159, win 1873"
id=65308 trace_id=58 func=resolve_ip_tuple_fast line=5912 msg="Find an existing session, id-038b710a, reply direction"
itcba
New Contributor

The strange thing is that the other VIP is working as expected; the only difference is that it's in the same VLAN 10 as the firewall. But internal traffic from VLAN 10 to VLAN 30 is going as expected.

ozkanaltas
Valued Contributor II

Hi @itcba,

Can you change the destination interface to VLAN10 instead of VLAN30 on the policy?

itcba

Nothing changed unfortunately, same error
