I have a Fortigate F60 and can't quite work something out on it. I don't actually use it much; more of a Cisco guy, I am afraid.
I have a Cisco router, which has two interfaces that connect to InternalX and InternalZ, for ease.
These router interfaces are used to terminate DMVPN tunnels.
The one on InternalX works fine: I can run captures on InternalX and the WAN interfaces and see traffic passing both, and the DMVPN tunnel through InternalX is up.
But for the one that goes to InternalZ, I see the DMVPN setup packets hit InternalZ, but never see them on the outside interfaces and never see return traffic. It also never hits the remote DMVPN router.
There is a rule for each connection through InternalX & Z and they are identical apart from the source IP.
Does anyone have any ideas why this is not passing through the firewall?
What exactly is the topology here? What mode is the FortiGate in?
How do I check what mode it is in, please?
Hey Leaky,
you can see the mode on the default Dashboard, in the system widget:
In your case, as both internalZ and internalX connect to the same Cisco Router, what does your routing look like? Do you have different subnets on those connections? What does the routing table on the FortiGate look like?
You can get a better idea of why FortiGate is not accepting traffic on internalZ with these commands:
#dia de flow filter reset
#dia de flow filter addr <IP of G0/0/0>
#dia de flow show iprope en
#dia de flow show function-name en
#dia de console timestamp en
#dia de flow trace start <number of packets>
#dia de en
Then generate traffic from G0/0/0 to the DMVPN, and check the output in FortiGate CLI; it might show you some error like 'denied by policy 0', meaning no matching policy was found, or 'reverse path check fail, drop' meaning the route back to G0/0/0 IP does not go via internalZ and the traffic is dropped on routing grounds.
I hope this helps!
Cheers,
Debbie
Thanks Debbie
Here is the output
S* 0.0.0.0/0 [1/0] via 182.x.x.145, wan1, [1/0]
[1/0] via 202.149.x.x, wan2, [1/0]
2024-06-03 20:46:26 id=65308 trace_id=54 func=print_pkt_detail line=5831 msg="vd-root:0 received a packet(proto=47, 182.76.x.x:0->54.79.x.x:0) tun_id=0.0.0.0 from Airtel_Transit. "
2024-06-03 20:46:26 id=65308 trace_id=54 func=init_ip_session_common line=6009 msg="allocate a new session-01af178f, tun_id=0.0.0.0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_dnat_check line=5277 msg="in-[Airtel_Transit], out-[]"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_dnat_check line=5290 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-06-03 20:46:26 id=65308 trace_id=54 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-182.x.x.145 via wan1"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_fwd_check line=769 msg="in-[Airtel_Transit], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_tree_check line=529 msg="gnum-100004, use int hash, slot=69, len=2"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-17, ret-no-match, act-accept"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_user_identity_check line=1799 msg="ret-matched"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_check_one_policy line=2244 msg="policy-0 is matched, act-drop"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_fwd_check line=806 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_fwd_auth_check line=825 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
Hey Leaky5,
ok, FortiGate gives us this error: "Denied by forward policy check (policy 0)".
It essentially does not find a matching policy.
Based on the below:
2024-06-03 20:46:26 id=65308 trace_id=54 func=print_pkt_detail line=5831 msg="vd-root:0 received a packet(proto=47, 182.76.x.x:0->54.79.x.x:0) tun_id=0.0.0.0 from Airtel_Transit. "
[...]
2024-06-03 20:46:26 id=65308 trace_id=54 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-182.x.x.145 via wan1"
FortiGate is looking for a policy with these parameters:
source interface: Airtel_Transit
source address: 182.76.x.x
protocol: GRE
destination interface: wan1
destination address: 54.79.x.x
Can you please double-check you have a policy meeting these criteria?
Or if those criteria are incorrect (wrong destination or outgoing interface for example), can you check the settings on the Cisco and routing on FortiGate?
Cheers,
Debbie
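The debug flow procedure in Debbie's first reply and the policy-matching parameters she reads out of the trace in this reply can be automated for the two common outcomes she names. The following is an added example, not code from the thread or from Fortinet: it parses `diagnose debug flow` output, groups lines by `trace_id`, and reports either the five policy fields that a matching firewall policy would need (source interface, source address, protocol, destination interface, destination address) or the routing problem behind a reverse-path-check drop. The regular expressions are keyed to the exact message strings shown in this thread; the sample input reuses the lines posted above (with their masked addresses) plus a second, constructed trace for the reverse-path case, whose function name and addresses are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# IP protocol numbers that show up in tunnel troubleshooting; 47 is GRE (DMVPN).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

# Patterns keyed to the debug flow messages seen in the thread above.
TRACE_RE = re.compile(r"trace_id=(\d+)")
PKT_RE = re.compile(
    r"received a packet\(proto=(\d+), ([\d.x]+):\d+->([\d.x]+):\d+\).*? from (\S+)\."
)
ROUTE_RE = re.compile(r'find a route: .*? via ([^"\s]+)')
POLICY_RE = re.compile(r"policy-(\d+) is matched, act-(\w+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")
RPF_RE = re.compile(r"reverse path check fail")


@dataclass
class FlowTrace:
    trace_id: str
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    in_if: Optional[str] = None      # interface the packet arrived on
    out_if: Optional[str] = None     # egress interface chosen by route lookup
    matched_policy: Optional[int] = None
    action: Optional[str] = None
    verdict: Optional[str] = None    # "denied by policy N" or "reverse path check fail"


def parse_flow(text: str) -> Dict[str, FlowTrace]:
    """Group debug flow lines by trace_id and pull out the fields that matter."""
    traces: Dict[str, FlowTrace] = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue  # not a flow line (e.g. a CLI prompt or blank line)
        t = traces.setdefault(m.group(1), FlowTrace(trace_id=m.group(1)))
        if (m := PKT_RE.search(line)):
            t.proto, t.src, t.dst, t.in_if = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        elif (m := ROUTE_RE.search(line)):
            t.out_if = m.group(1)
        elif (m := POLICY_RE.search(line)):
            t.matched_policy, t.action = int(m.group(1)), m.group(2)
        elif (m := DENY_RE.search(line)):
            t.verdict = f"denied by policy {m.group(1)}"
        elif RPF_RE.search(line):
            t.verdict = "reverse path check fail"
    return traces


def policy_requirements(t: FlowTrace) -> Dict[str, Optional[str]]:
    """The five things a firewall policy must cover for this packet to be accepted."""
    service = PROTO_NAMES.get(t.proto, f"proto {t.proto}") if t.proto is not None else None
    return {"srcintf": t.in_if, "srcaddr": t.src, "service": service,
            "dstintf": t.out_if, "dstaddr": t.dst}


def explain(t: FlowTrace) -> str:
    """Turn a parsed trace into the next troubleshooting step."""
    req = policy_requirements(t)
    if t.verdict == "denied by policy 0":
        # Policy 0 is the implicit deny: nothing matched, so a policy is missing.
        return (f"trace {t.trace_id}: no policy matched (implicit deny). Need a policy "
                f"{req['srcintf']} -> {req['dstintf']}, {req['srcaddr']} -> {req['dstaddr']}, "
                f"service {req['service']}")
    if t.verdict == "reverse path check fail":
        # Dropped before policy lookup: the route back to the source is not via the ingress interface.
        return (f"trace {t.trace_id}: RPF drop. The route back to {req['srcaddr']} does not "
                f"go via {req['srcintf']}; fix routing, not policy")
    if t.matched_policy not in (None, 0) and t.action == "drop":
        return f"trace {t.trace_id}: explicitly dropped by policy {t.matched_policy}"
    return f"trace {t.trace_id}: no drop seen; accepted or trace incomplete"


# Sample input: trace 54 is taken from the thread above (addresses masked as posted);
# trace 55 is constructed here to show the reverse-path case and is not from the thread.
SAMPLE_FLOW = """\
2024-06-03 20:46:26 id=65308 trace_id=54 func=print_pkt_detail line=5831 msg="vd-root:0 received a packet(proto=47, 182.76.x.x:0->54.79.x.x:0) tun_id=0.0.0.0 from Airtel_Transit. "
2024-06-03 20:46:26 id=65308 trace_id=54 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-182.x.x.145 via wan1"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_check_one_policy line=2244 msg="policy-0 is matched, act-drop"
2024-06-03 20:46:26 id=65308 trace_id=54 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
2024-06-03 20:47:01 id=65308 trace_id=55 func=print_pkt_detail line=5831 msg="vd-root:0 received a packet(proto=47, 10.0.0.2:0->54.79.x.x:0) tun_id=0.0.0.0 from internalZ. "
2024-06-03 20:47:01 id=65308 trace_id=55 func=ip_route_input_slow line=2260 msg="reverse path check fail, drop"
"""

if __name__ == "__main__":
    for trace in parse_flow(SAMPLE_FLOW).values():
        print(explain(trace))
```

Run against the thread's trace it reports the packet arriving on Airtel_Transit and leaving via wan1 with service GRE, which is the interface pair the policy has to name; the constructed second trace shows the other failure Debbie mentioned, where no policy change will help until the route back to the source points at the ingress interface.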
Created on 06-03-2024 08:52 AM Edited on 06-03-2024 08:57 AM
Thanks Debbie, I think I may have found the wrong line. I think the top line should be Airtel Transit and Airtel Router; they have GRE allowed as well.
I will raise a CR and modify that line.
Airtel_WAN_1 is the SD-WAN zone of both the WAN interfaces.
Hi @Leaky5,
If internalZ is red, it means it is down. Have you tried a different cable? You can also try to connect a different device to internalZ to see if it comes up.
Regards,
Hi, sorry, red was just my colour coding; the interface is up.