Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
oliverlag
New Contributor

Can't see traffic exiting via WAN interface

Hi, 

I'm debugging some traffic from the switch interface (LAN) to the port12 interface (WAN).

Port14 is not an ASIC interface:

 

FGT # diagnose npu np2 list
ID PORTS
-- -----
0  port13
0  port14
0  port15
0  port16

 

Despite that, I don't see traffic going out of it when I run a debug flow on the traffic.

Can someone explain why, and how I can do that? (I'm usually able to see it on other FGTs.)

Thanks!!

 

func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=6, 10.2.13.155:2465->X.X.X.108:80) from switch. flag , seq 103793229, ack 0, win 64512"
func=init_ip_session_common line=4469 msg="allocate a new session-048c53d0"
func=vf_ip4_route_input line=1600 msg="find a route: flags=00000000 gw-Y.Y.Y.193 via port12"
func=get_new_addr line=2485 msg="find SNAT: IP-Y.Y.Y.194(from IPPOOL), port-62881"
func=fw_forward_handler line=685 msg="Allowed by Policy-130: SNAT"
func=__ip_session_run_tuple line=2471 msg="SNAT 10.2.13.155->Y.Y.Y.194:62881"
func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=6, 10.2.13.155:2465->X.X.X.108:80) from switch. flag [.], seq 103793230, ack 3717267935, win 64512"
func=resolve_ip_tuple_fast line=4372 msg="Find an existing session, id-048c53d0, original direction"
func=__ip_session_run_tuple line=2471 msg="SNAT 10.2.13.155->Y.Y.Y.194:62881"
func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=6, 10.2.13.155:2465->X.X.X.108:80) from switch. flag [.], seq 103793230, ack 3717267935, win 64512"
func=resolve_ip_tuple_fast line=4372 msg="Find an existing session, id-048c53d0, original direction"
func=__ip_session_run_tuple line=2471 msg="SNAT 10.2.13.155->Y.Y.Y.194:62881"
func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=6, 10.2.13.155:2466->X.X.X.84:443) from switch. flag , seq 1083861524, ack 0, win 64512"
func=init_ip_session_common line=4469 msg="allocate a new session-048c53d6"
func=vf_ip4_route_input line=1600 msg="find a route: flags=00000000 gw-Y.Y.Y.193 via port12"
func=get_new_addr line=2485 msg="find SNAT: IP-Y.Y.Y.194(from IPPOOL), port-62882"
func=fw_forward_handler line=685 msg="Allowed by Policy-130: SNAT"

 

diag sniffer: (I see only the switch interface)

 

4.414487 switch -- 10.2.13.155.2686 -> X.X.X.108.80: psh 1669007057 ack 1616899503
4.475712 switch -- X.X.X.108.80 -> 10.2.13.155.2686: psh 1616899503 ack 1669007626
4.478615 switch -- 10.2.13.155.2689 -> X.X.X.84.443: syn 456152259
4.642110 switch -- 10.2.13.155.2686 -> X.X.X.108.80: ack 1616899877
7.485525 switch -- 10.2.13.155.2689 -> X.X.X.84.443: syn 456152259
13.500118 switch -- 10.2.13.155.2689 -> X.X.X.84.443: syn 456152259
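To make a trace like the one in this post quicker to check, here is an added Python example (my own code, not Fortinet's and not from the original post). It parses the `func=... msg="..."` messages of `diagnose debug flow` into per-session records (ingress interface, the egress interface and gateway chosen by the route lookup, SNAT address, policy ID, packet count), tallies the `diagnose sniffer packet` lines per interface, and then reports any egress interface the route lookup named that the sniffer never captured on, plus repeated SYNs that got no reply in the capture. The sample input is constructed from the lines posted above, placeholders included; the regexes match only the message formats shown there, and any FortiOS message shape not in the post is not assumed.

```python
import re
from collections import Counter

# Constructed sample input: the debug-flow trace and the sniffer lines from the
# post, one message per line (the X.X.X / Y.Y.Y placeholders are kept as posted).
DEBUG_FLOW = """\
func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=6, 10.2.13.155:2465->X.X.X.108:80) from switch. flag , seq 103793229, ack 0, win 64512"
func=init_ip_session_common line=4469 msg="allocate a new session-048c53d0"
func=vf_ip4_route_input line=1600 msg="find a route: flags=00000000 gw-Y.Y.Y.193 via port12"
func=get_new_addr line=2485 msg="find SNAT: IP-Y.Y.Y.194(from IPPOOL), port-62881"
func=fw_forward_handler line=685 msg="Allowed by Policy-130: SNAT"
func=__ip_session_run_tuple line=2471 msg="SNAT 10.2.13.155->Y.Y.Y.194:62881"
func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=6, 10.2.13.155:2465->X.X.X.108:80) from switch. flag [.], seq 103793230, ack 3717267935, win 64512"
func=resolve_ip_tuple_fast line=4372 msg="Find an existing session, id-048c53d0, original direction"
func=__ip_session_run_tuple line=2471 msg="SNAT 10.2.13.155->Y.Y.Y.194:62881"
func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=6, 10.2.13.155:2466->X.X.X.84:443) from switch. flag , seq 1083861524, ack 0, win 64512"
func=init_ip_session_common line=4469 msg="allocate a new session-048c53d6"
func=vf_ip4_route_input line=1600 msg="find a route: flags=00000000 gw-Y.Y.Y.193 via port12"
func=get_new_addr line=2485 msg="find SNAT: IP-Y.Y.Y.194(from IPPOOL), port-62882"
func=fw_forward_handler line=685 msg="Allowed by Policy-130: SNAT"
"""
SNIFFER = """\
4.414487 switch -- 10.2.13.155.2686 -> X.X.X.108.80: psh 1669007057 ack 1616899503
4.475712 switch -- X.X.X.108.80 -> 10.2.13.155.2686: psh 1616899503 ack 1669007626
4.478615 switch -- 10.2.13.155.2689 -> X.X.X.84.443: syn 456152259
4.642110 switch -- 10.2.13.155.2686 -> X.X.X.108.80: ack 1616899877
7.485525 switch -- 10.2.13.155.2689 -> X.X.X.84.443: syn 456152259
13.500118 switch -- 10.2.13.155.2689 -> X.X.X.84.443: syn 456152259
"""

# Message shapes exactly as they appear in the posted trace; finditer also copes
# with the trace pasted as a single long line.
FLOW_RE = re.compile(r'func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>[^"]*)"')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[^:]+):(?P<sport>\d+)'
                    r'->(?P<dst>[^:]+):(?P<dport>\d+)\) from (?P<iface>\S+?)\.')
NEW_SESS_RE = re.compile(r'allocate a new session-(?P<id>[0-9a-f]+)')
OLD_SESS_RE = re.compile(r'Find an existing session, id-(?P<id>[0-9a-f]+)')
ROUTE_RE = re.compile(r'find a route: flags=\S+ gw-(?P<gw>\S+) via (?P<iface>\S+)')
SNAT_RE = re.compile(r'find SNAT: IP-(?P<ip>[^(]+)\(from [^)]+\), port-(?P<port>\d+)')
POLICY_RE = re.compile(r'Allowed by Policy-(?P<id>\d+)')
SNIFF_RE = re.compile(r'(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+--\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<flag>\S+)')


def _new_session(sid):
    return {"id": sid, "packets": 0, "ingress": None, "flow": None,
            "egress": None, "gateway": None, "snat": None, "policy": None}


def parse_debug_flow(text):
    """Group debug-flow messages by session id: each packet opens with a
    print_pkt_detail message, the following session message says which session
    it belongs to, and route/SNAT/policy messages attach to that session."""
    sessions, pending_pkt, current = {}, None, None
    for m in FLOW_RE.finditer(text):
        msg = m.group("msg")
        pkt = PKT_RE.search(msg)
        if pkt:                       # new packet header; session not yet known
            pending_pkt, current = pkt.groupdict(), None
            continue
        sess = NEW_SESS_RE.search(msg) or OLD_SESS_RE.search(msg)
        if sess:
            current = sessions.setdefault(sess.group("id"), _new_session(sess.group("id")))
            if pending_pkt:
                current["packets"] += 1
                current["ingress"] = pending_pkt["iface"]
                current["flow"] = "{src}:{sport}->{dst}:{dport}".format(**pending_pkt)
                pending_pkt = None
            continue
        if current is None:
            continue
        route, snat, pol = ROUTE_RE.search(msg), SNAT_RE.search(msg), POLICY_RE.search(msg)
        if route:
            current["egress"], current["gateway"] = route.group("iface"), route.group("gw")
        elif snat:
            current["snat"] = "%s:%s" % (snat.group("ip"), snat.group("port"))
        elif pol:
            current["policy"] = int(pol.group("id"))
    return sessions


def parse_sniffer(text):
    """Count sniffer packets per interface and flag SYNs repeated with no reply."""
    pkts = [m.groupdict() for m in SNIFF_RE.finditer(text)]
    pairs = {(p["src"], p["dst"]) for p in pkts}
    syns = Counter((p["src"], p["dst"]) for p in pkts if p["flag"] == "syn")
    unanswered = sorted("%s -> %s" % (s, d) for (s, d), n in syns.items()
                        if n >= 2 and (d, s) not in pairs)
    return {"packets": pkts, "by_iface": Counter(p["iface"] for p in pkts),
            "unanswered_syns": unanswered}


def summarize(flow_text, sniff_text):
    """Compare the egress interfaces named by route lookups with the interfaces
    the sniffer actually captured on."""
    sessions, sniff = parse_debug_flow(flow_text), parse_sniffer(sniff_text)
    expected = sorted({s["egress"] for s in sessions.values() if s["egress"]})
    sniffed = sorted(sniff["by_iface"])
    return {"sessions": sessions, "expected_egress": expected, "sniffed_interfaces": sniffed,
            "missing_in_sniffer": [i for i in expected if i not in sniffed],
            "unanswered_syns": sniff["unanswered_syns"]}


if __name__ == "__main__":
    rep = summarize(DEBUG_FLOW, SNIFFER)
    for s in rep["sessions"].values():
        print("session %(id)s: %(packets)d pkt(s) %(ingress)s -> %(egress)s via %(gateway)s, "
              "SNAT %(snat)s, policy %(policy)s, %(flow)s" % s)
    print("route lookups point at:", rep["expected_egress"])
    print("sniffer captured on:   ", rep["sniffed_interfaces"])
    print("never seen by sniffer: ", rep["missing_in_sniffer"])
    print("SYNs with no reply:    ", rep["unanswered_syns"])
```

On the embedded sample it reports that both sessions were routed via port12 with a SNAT address from the IP pool under policy 130, that the sniffer only ever captured on the switch interface, and that the three SYNs to X.X.X.84:443 carry the same sequence number with no reply in the capture, i.e. retransmits. One caveat when comparing the two outputs: a sniffer started on a single named interface only shows that interface, so capture on `any` when the point is to see the ingress and egress sides of the same session in one run.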

 

 

emnoc
Esteemed Contributor III

Qs:

  • What model and FortiOS version?
  • Have you had any other problems or upgrades (i.e. 5.2.4)?
  • Or is this a new problem?
  • Are you running a virtual-cluster?
  • Have you checked for PBR or static routes or blackhole routes?

When you monitor the firewall session table, are you finding a match in the session table?

hint: use the diag system session filter

     

     

PCNSE NSE StrongSwan
oliverlag

    emnoc wrote:

    Qs:

      • What model and FortiOS version?
      • Have you had any other problems or upgrades (i.e. 5.2.4)?
      • Or is this a new problem?
      • Are you running a virtual-cluster?
      • Have you checked for PBR or static routes or blackhole routes?

    When you monitor the firewall session table, are you finding a match in the session table?

    hint: use the diag system session filter


    FGT200B, 5.0.12

    Never noticed this before, so no idea if it's a new problem or an old one

    I'm not running virtual-cluster

Yup, no PBR or specific route for the traffic I'm checking. Traffic follows 0.0.0.0/0 via port12.

     

     

oliverlag

    emnoc wrote:

    When you monitor the firewall session table, are you finding a match in the session table?

    hint: use the diag system session filter

     

     

Yes, already checked that. I see the session I need, from in to out and from out to in.

     

Here I don't understand why I don't clearly see traffic going out via port12.

It goes out, but the logs don't show it.

     

    oliverlag
    New Contributor

If someone can help here.. thanks
