After enable WCCP the output changed
Any reason the session by not hitting the rule
herewith the diagnostic output
id=20085 trace_id=533 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.32.45.254 via dmz"
id=20085 trace_id=533 func=fw_forward_handler line=686 msg="Allowed by Policy-2: SNAT"
id=20085 trace_id=533 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=534 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [.], seq 290866627, ack 926030060, win 16567"
id=20085 trace_id=534 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=534 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=535 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=535 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=535 func=fw_forward_dirty_handler line=354 msg="blocked by forwarding policy (internal1->dmz), drop"
id=20085 trace_id=535 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=536 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=536 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=536 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=537 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=537 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=537 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=538 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=538 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=538 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=539 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=539 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=539 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=540 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [F.], seq 290870012, ack 926035147, win 16695"
id=20085 trace_id=540 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=540 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=541 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58861->1.1.1.1:443) from internal1. flag [R.], seq 290870013, ack 926035147, win 0"
id=20085 trace_id=541 func=resolve_ip_tuple_fast line=4541 msg="Find an existing session, id-00009b24, original direction"
id=20085 trace_id=541 func=__ip_session_run_tuple line=2597 msg="SNAT 10.10.10.1->10.32.45.50:58861"
id=20085 trace_id=542 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:58892->1.1.1.1:443) from internal1. flag , seq 134236980, ack 0, win 8192"
id=20085 trace_id=542 func=init_ip_session_common line=4631 msg="allocate a new session-00009b84"
id=20085 trace_id=542 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.32.45.254 via dmz"
id=20085 trace_id=542 func=fw_forward_handler line=561 msg="Denied by forward policy check (policy 0)"
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Okay what does fwpolicyid2 have? What do you have for WCCP ?
PCNSE
NSE
StrongSwan
policy 2 is permit ip any any
WCCP
- L2 WCCP
- perform diag wccp with positive result
- cache server wccp status is ready
Config
config system wccp
edit "90" set router-id 10.10.10.254 set group-address 0.0.0.0 set server-list 10.10.10.212 255.255.255.255 set authentication disable set forward-method L2 set return-method L2 set assignment-method HASH next end
Interface also done wccp enable
Hi All,
Debug log
before
id=20085 trace_id=2077 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:50315->157.240.10.35:443) from internal1. flag , seq 2021934820, ack 0, win 8192" id=20085 trace_id=2077 func=init_ip_session_common line=4631 msg="allocate a new session-000fd017" id=20085 trace_id=2077 func=iprope_dnat_check line=4633 msg="in-[internal1], out-[]" id=20085 trace_id=2077 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000" id=20085 trace_id=2077 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.10.10.254 via wan1" id=20085 trace_id=2077 func=iprope_fwd_check line=630 msg="in-[internal1], out-[wan1], skb_flags-00800000, vid-0" id=20085 trace_id=2077 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=4" id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-1, ret-no-match, act-accept" id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-10, ret-matched, act-accept" id=20085 trace_id=2077 func=__iprope_user_identity_check line=1668 msg="ret-matched" id=20085 trace_id=2077 func=__iprope_check line=2043 msg="gnum-4e20, check-f8afca50" id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept" id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept" id=20085 trace_id=2077 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept" id=20085 trace_id=2077 func=__iprope_check line=2062 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000" id=20085 trace_id=2077 func=get_new_addr line=2759 msg="find SNAT: IP-10.10.10.254(from IPPOOL), port-50315" id=20085 trace_id=2077 func=__iprope_check_one_policy line=2014 msg="policy-10 is matched, act-accept" id=20085 trace_id=2077 func=iprope_fwd_auth_check line=682 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-10" id=20085 trace_id=2077 func=iprope_reverse_dnat_check line=800 msg="in-[internal1], out-[wan1], skb_flags-00800000, vid-0" id=20085 trace_id=2077 func=fw_forward_handler line=686 msg="Allowed by Policy-10: SNAT"
Enable WCCP on policy 10
FGT60D# config firewall policy 10[K[K FGT60D(policy) # edit 10 FGT60D(10) # set wccp enable FGT60D(10) # end
Diag debug show hit policy 11
id=20085 trace_id=2099 func=print_pkt_detail line=4478 msg="vd-root received a packet(proto=6, 10.10.10.1:50331->157.240.10.35:443) from internal1. flag , seq 3202453016, ack 0, win 8192" id=20085 trace_id=2099 func=init_ip_session_common line=4631 msg="allocate a new session-000fd0ce" id=20085 trace_id=2099 func=iprope_dnat_check line=4633 msg="in-[internal1], out-[]" id=20085 trace_id=2099 func=iprope_dnat_check line=4646 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000" id=20085 trace_id=2099 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.10.10.254 via wan1" id=20085 trace_id=2099 func=iprope_fwd_check line=630 msg="in-[internal1], out-[wan1], skb_flags-00800000, vid-0" id=20085 trace_id=2099 func=__iprope_tree_check line=543 msg="gnum-100004, use addr/intf hash, len=4" id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-1, ret-no-match, act-accept" id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-100004 policy-10, ret-no-match, act-accept" id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833a msg="checked gnum-100004 policy-11, ret-matched, act-accept" id=20085 trace_id=2099 func=__iprope_user_identity_check line=1668 msg="ret-matched" id=20085 trace_id=2099 func=__iprope_check line=2043 msg="gnum-4e20, check-f8afca50" id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept" id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept" id=20085 trace_id=2099 func=__iprope_check_one_policy line=1833 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept" id=20085 trace_id=2099 func=__iprope_check line=2062 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000" id=20085 trace_id=2099 func=get_new_addr line=2759 msg="find SNAT: IP-10.10.10.254(from IPPOOL), port-50331" id=20085 trace_id=2099 func=__iprope_check_one_policy line=2014 msg="policy-11 is matched, act-accept" id=20085 trace_id=2099 func=iprope_fwd_auth_check line=682 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-11" id=20085 trace_id=2099 func=iprope_reverse_dnat_check line=800 msg="in-[internal1], out-[wan1], skb_flags-00800000, vid-0" id=20085 trace_id=2099 func=fw_forward_handler line=686 msg="Allowed by Policy-11: SNAT"
Oh okay let's start;
Q: what traffic are you trying to send to WCCP proxy? service-group 90 as you shown above is not for HTTP or HTTPS or 443 so I'm guessing it's a custom service-group.
next, s ? Is service-grp 90 actually on the wccp-server? Is the wccp service reachable from that lan interface ?
reference;
set router-id 10.10.10.254 <----YOUR FW
set server-list 10.10.10.212 255.255.255.255 <---YOUR WCCP SREVER for group 90
Did you run any diag test app wccpd and what doe the wccp server show & for service-group 100?
Are you sure the wccp-server is set for L2 and not GRE? ( again diag debug and statistics from the wccp-server )
And last, did you check for any system global wccp disabled
clid cmd; show full sys global | grep wccp
Too me it would sound like WCCP is not up, client_servers are wrong, or service-group is not honored. I would also reset the fwpolicy just for HTTP or HTTPS if that's what your trying todo
config firewall policy
edit 0
set srcaddr "LOCALLANCLIENTNET"
set dstaddr ALL
set srcint internal1
set dstaddr WAN <---set the real outgoing interface where your internet seats
set service HTTP HTTPS
set action accept
set logtraffic all
set schedule always
set wccp enable
( do not enable NAT )
end
config firewall address
edit LOCALLANCLIENTNET
set subnet xxx.xxx.xxx.xxx/xxx
set comment " HERE'S MY internal lan clients that needs WCCP intercept"
end
Move the new fwpolicy to the top of the list
Ken
PCNSE
NSE
StrongSwan
emnoc wrote:Q: what traffic are you trying to send to WCCP proxy? service-group 90 as you shown above is not for HTTP or HTTPS or 443 so I'm guessing it's a custom service-group.
Yup, we tried to send it to cache server.
Do you mean there is a custom service group for HTTP and HTTPS ?
WCCP output, we verified the WCCP server receive Here I am and I See you
FG60 # diagnose test application wccpd 3
service-90 in vdom-root: num=1, usable=1 cache server ID: len=44, addr=10.10.10.212, weight=0, status=0 rcv_id=32937, usable=1, fm=2, nq=0, dev=7(k7), to=10.10.10.254 ch_no=0, num_router=1: 10.10.10.254
FG60 # diagnose test application wccpd 3[K2
vdom-root: work mode:router working NAT first_phy_id=7 interface list: intf=internal1, gid=7 phy_id=7 service list: service: 90, router_id=10.10.10.254, group=0.0.0.0, auth(no) access access:10.10.10.212/255.255.255.255) forward=2 return=2, assign=1. erouter_id=10.10.10.254
FG60 # diagnose test application wccpd 2[K4wccp2_handle_here_i_am()-827
service-90 in vdom-root: total_servers=1, usable_servers=1, assign_m=1, rtun_m=2, wcid_len=48, rcv_id=32938, ch_no=1 ID=90, type=1, pri=0, pro=6 f=00000031 Port: 80 443 num-routers=1: 10.10.10.254
FG60 #
FG60 #
FG60 #
FG60 # diagnose test application wccpd 4[K5
service-90 in vdom-root: installed
key: ip=10.10.10.212, change-number=3 cache_list: 1 0. 10.10.10.212 primary assignment: key=10.10.10.212 change-number=3 num_routers=1 router element[0]: router_id=10.10.10.254, receive_id=5, ch_no=1 cache-server-num=1, format=not standard: 10.10.10.212 buckets: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
FG60 #
FG60 #
FG60 #
FG60 #
FG60 # wccp2_handle_here_i_am()-827
FG60 #
FG60 # wccp2_handle_here_i_am()-827
FG60 # diagnose test application wccpd 5[K3
service-90 in vdom-root: num=1, usable=1 cache server ID: len=44, addr=10.10.10.212, weight=0, status=0 rcv_id=32940, usable=1, fm=2, nq=0, dev=7(k7), to=10.10.10.254 ch_no=0, num_router=1: 10.10.10.254
FG60 # wccp2_handle_here_i_am()-827 wccp2_handle_here_i_am()-827 wccp2_handle_here_i_am()-827 wccp2_handle_here_i_am()-827
FG60 #
Too me it would sound like WCCP is not up, client_servers are wrong, or service-group is not honored. I would also reset the fwpolicy just for HTTP or HTTPS if that's what your trying todo
Service group not honored mean ?
We tested with service set to http and https but still unable match the policy
NATTED or without nat still same result
NATTED
Hmm, it looks good on what you provided
What do you see when you do the following;
diag test application wccpd 5
diag debug application wccpd -1
PCNSE
NSE
StrongSwan
Hi EMNOC,
Go through the proxy KB, the port unable support WCCP although allow to configure and the WCCP is up.
By change the proxy port, it shown up
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.