Support Forum
Leaky5
New Contributor II

Checking traffic through an F60

I have a FortiGate F60 and can't quite work something out on it. I don't actually use it much; I am more of a Cisco guy, I am afraid.

 

I have a Cisco router which has 2 interfaces that connect to InternalX and InternalZ, for ease.

These router interfaces are used to terminate DMVPN tunnels.

The one on internalX works fine, I can run captures on InternalX and the WAN interfaces and see traffic passing both and the DMVPN tunnel through InternalX is up.

 

But for the one that goes to InternalZ, I see the DMVPN setup packets hit InternalZ, but never see them on the outside interfaces and never see return traffic. It also never hits the remote DMVPN router.

 

There is a rule for each connection through InternalX & Z and they are identical apart from the source IP.

 

Does anyone have any ideas why this is not passing through the firewall?

 

 

8 replies
adambomb1219
SuperUser

What exactly is the topology here? What mode is the FortiGate in?

Leaky5
New Contributor II

How do I check what mode it is in, please?

[screenshot: FG.jpg]

Debbie_FTNT

Hey Leaky,

You can see the mode on the default Dashboard, in the System widget:

 

[screenshot: image.png]

 

In your case, as both internalZ and internalX connect to the same Cisco Router, what does your routing look like? Do you have different subnets on those connections? What does the routing table on the FortiGate look like?

You can get a better idea of why FortiGate is not accepting traffic on internalZ with these commands:

 

#dia de flow filter reset

#dia de flow filter addr <IP of G0/0/0>

#dia de flow show iprope en

#dia de flow show function-name en

#dia de console timestamp en

#dia de flow trace start <number of packets>

#dia de en

 

Then generate traffic from G0/0/0 to the DMVPN, and check the output in FortiGate CLI; it might show you some error like 'denied by policy 0', meaning no matching policy was found, or 'reverse path check fail, drop' meaning the route back to G0/0/0 IP does not go via internalZ and the traffic is dropped on routing grounds.

 

I hope this helps!
Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Leaky5
New Contributor II

Thanks Debbie

 

Here is the output

 

S* 0.0.0.0/0 [1/0] via 182.x.x.145, wan1, [1/0]
[1/0] via 202.149.x.x, wan2, [1/0]

 

2024-06-03 20:46:26 id=65308 trace_id=54 func=print_pkt_detail line=5831 msg="vd-root:0 received a packet(proto=47, 182.76.x.x:0->54.79.x.x:0) tun_id=0.0.0.0 from Airtel_Transit. "
2024-06-03 20:46:26 id=65308 trace_id=54 func=init_ip_session_common line=6009 msg="allocate a new session-01af178f, tun_id=0.0.0.0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_dnat_check line=5277 msg="in-[Airtel_Transit], out-[]"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_dnat_tree_check line=834 msg="len=0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_dnat_check line=5290 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2024-06-03 20:46:26 id=65308 trace_id=54 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-182.x.x.145 via wan1"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_fwd_check line=769 msg="in-[Airtel_Transit], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_tree_check line=529 msg="gnum-100004, use int hash, slot=69, len=2"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-17, ret-no-match, act-accept"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_user_identity_check line=1799 msg="ret-matched"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_check_one_policy line=2244 msg="policy-0 is matched, act-drop"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_fwd_check line=806 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_fwd_auth_check line=825 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"

Debbie_FTNT

Hey Leaky5,

ok, FortiGate gives us this error: "Denied by forward policy check (policy 0)".

It essentially does not find a matching policy.

Based on the below:

 

2024-06-03 20:46:26 id=65308 trace_id=54 func=print_pkt_detail line=5831 msg="vd-root:0 received a packet(proto=47, 182.76.x.x:0->54.79.x.x:0) tun_id=0.0.0.0 from Airtel_Transit. "

[...]

2024-06-03 20:46:26 id=65308 trace_id=54 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-182.x.x.145 via wan1"

 

FortiGate is looking for a policy with these parameters:


source interface: Airtel_Transit

source address: 182.76.x.x

protocol: GRE

destination interface: wan1
destination address: 54.79.x.x

 

Can you please double-check you have a policy meeting these criteria?

Or if those criteria are incorrect (wrong destination or outgoing interface for example), can you check the settings on the Cisco and routing on FortiGate?

 

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
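Debbie's reading of the trace above, done by script rather than by eye, as an added example that is not part of the original thread and not Fortinet code. It parses the `diagnose debug flow` lines the poster pasted (re-embedded here as constructed sample input, masked addresses left as-is), groups them by trace_id, pulls out the source interface / source address / protocol / destination interface / destination address tuple that the forward policy lookup used, records which candidate policies were checked and the verdict, and renders the FortiOS policy stanza that tuple implies. The `addr_...` address object names and the policy name are placeholders; mapping protocol 47 to the predefined `GRE` service assumes the default service table is present.

```python
"""Summarise FortiGate 'diagnose debug flow' output for a forward-policy drop.

Added example for this thread, not Fortinet code. Reads the posted trace,
groups lines by trace_id, and reports what the policy lookup needed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines from the thread, one flow (trace_id=54).
SAMPLE_TRACE = """\
2024-06-03 20:46:26 id=65308 trace_id=54 func=print_pkt_detail line=5831 msg="vd-root:0 received a packet(proto=47, 182.76.x.x:0->54.79.x.x:0) tun_id=0.0.0.0 from Airtel_Transit. "
2024-06-03 20:46:26 id=65308 trace_id=54 func=init_ip_session_common line=6009 msg="allocate a new session-01af178f, tun_id=0.0.0.0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_dnat_check line=5277 msg="in-[Airtel_Transit], out-[]"
2024-06-03 20:46:26 id=65308 trace_id=54 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-182.x.x.145 via wan1"
2024-06-03 20:46:26 id=65308 trace_id=54 func=iprope_fwd_check line=769 msg="in-[Airtel_Transit], out-[wan1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-17, ret-no-match, act-accept"
2024-06-03 20:46:26 id=65308 trace_id=54 func=__iprope_check_one_policy line=2027 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2024-06-03 20:46:26 id=65308 trace_id=54 func=fw_forward_handler line=827 msg="Denied by forward policy check (policy 0)"
"""

# IP protocol numbers that show up in tunnel troubleshooting; 47 is GRE (DMVPN transport).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}
# Predefined FortiOS service objects for those protocols (assumption: default service table).
SERVICE_NAMES = {"GRE": "GRE", "ESP": "ESP", "ICMP": "ALL_ICMP"}

PKT_RE = re.compile(r"received a packet\(proto=(\d+), ([^:]+):\d+->([^:]+):\d+\).*from (\S+?)\.")
FWD_RE = re.compile(r"func=iprope_fwd_check .*in-\[([^\]]*)\], out-\[([^\]]*)\]")
POLICY_RE = re.compile(r"checked gnum-\d+ policy-(\d+), ret-(\S+), act-(\S+)\"")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (\d+)\)")


@dataclass
class FlowTrace:
    trace_id: str
    proto: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    src_intf: Optional[str] = None
    dst_intf: Optional[str] = None
    checked: List[Tuple[int, str, str]] = field(default_factory=list)  # (policy id, ret, act)
    verdict: Optional[str] = None

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, str(self.proto))

    def lookup_tuple(self):
        """The five fields a forward policy must cover for this packet."""
        return (self.src_intf, self.src, self.proto_name, self.dst_intf, self.dst)


def parse_trace(text: str) -> Dict[str, FlowTrace]:
    traces: Dict[str, FlowTrace] = {}
    for line in text.splitlines():
        tid = re.search(r"trace_id=(\d+)", line)
        if not tid:
            continue
        t = traces.setdefault(tid.group(1), FlowTrace(tid.group(1)))
        if m := PKT_RE.search(line):
            t.proto, t.src, t.dst, t.src_intf = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        elif m := FWD_RE.search(line):
            t.src_intf, t.dst_intf = m.group(1), m.group(2)  # the pair the policy lookup uses
        elif m := POLICY_RE.search(line):
            t.checked.append((int(m.group(1)), m.group(2), m.group(3)))
        elif m := DENY_RE.search(line):
            t.verdict = f"denied by policy {m.group(1)}"
        elif "reverse path check fail" in line:  # the other drop Debbie mentions
            t.verdict = "reverse path check fail (route back to source is not via ingress interface)"
    return traces


def explain(t: FlowTrace) -> str:
    src_if, src, proto, dst_if, dst = t.lookup_tuple()
    out = [f"trace {t.trace_id}: {proto} {src} -> {dst}, in {src_if}, routed out {dst_if}"]
    # Policy 0 is the implicit deny and always 'matches' last; list the real candidates.
    out += [f"  candidate policy {pid}: {ret}" for pid, ret, _ in t.checked if pid != 0]
    out.append(f"  verdict: {t.verdict or 'no verdict line in trace'}")
    if t.verdict == "denied by policy 0":
        out.append(f"  -> no policy covers srcintf={src_if} dstintf={dst_if} service={proto}")
    return "\n".join(out)


def suggest_policy(t: FlowTrace, name: str = "DMVPN-GRE-out") -> str:
    """FortiOS CLI stanza implied by the lookup tuple.

    Address object names are placeholders (assumption): policies reference
    named 'config firewall address' objects, not literal IPs.
    """
    service = SERVICE_NAMES.get(t.proto_name, "ALL")
    return "\n".join([
        "config firewall policy", "    edit 0",
        f'        set name "{name}"',
        f'        set srcintf "{t.src_intf}"', f'        set dstintf "{t.dst_intf}"',
        f'        set srcaddr "addr_{t.src}"', f'        set dstaddr "addr_{t.dst}"',
        "        set action accept", '        set schedule "always"',
        f'        set service "{service}"', "        set logtraffic all",
        "    next", "end",
    ])


if __name__ == "__main__":
    for trace in parse_trace(SAMPLE_TRACE).values():
        print(explain(trace))
        print(suggest_policy(trace))
```

Run it against a saved trace instead of the sample by reading the file into `parse_trace`; a `reverse path check fail` line is reported as a routing problem rather than a policy one, which is the distinction Debbie draws.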
Leaky5
New Contributor II

Thanks Debbie, I think I may have found the wrong line. I think the top line should be Airtel Transit and Airtel Router; they have GRE allowed as well.

I will raise a CR and modify that line

 

Airtel_WAN_1 is the SD WAN Zone of both the WAN interfaces

[screenshot: fg2.jpg]

hbac

Hi @Leaky5,

 

If internalZ is red, it means it is down. Have you tried a different cable? You can also try to connect a different device to internalZ to see if it comes up.

 

Regards, 

Leaky5
New Contributor II

Hi, sorry, red was just my colour coding; the interface is up.
