I try to perform a name service lookup.
The packet sniffer shows the incoming packet alright.
2.949054 192.168.98.103.57575 -> 172.30.2.24.53: udp 37
3.312285 192.168.98.103.60698 -> 172.30.2.24.53: udp 37
3.401912 192.168.98.103.35894 -> 172.30.2.24.53: udp 31
3.408263 192.168.98.103.46152 -> 172.30.2.24.53: udp 34
3.684756 192.168.98.103.36344 -> 172.30.2.24.53: udp 37
3.923974 192.168.98.103.48066 -> 172.30.2.24.53: udp 37
4.166572 192.168.98.103.34428 -> 172.30.2.24.53: udp 31
4.222811 192.168.98.103.34984 -> 172.30.2.24.53: udp 31
4.238474 192.168.98.103.34193 -> 172.30.2.24.53: udp 31
Since the DNS lookup is not working (not arriving at the server), I try flow debugging.
FW1 (vdc) # diag debug enable
FW1 (vdc) # diag debug flow filter saddr 192.168.98.103
FW1 (vdc) # diag debug flow filter daddr 172.30.2.24
FW1 (vdc) # diag debug flow filter dport 53
FW1 (vdc) # diag debug flow show console enable
show trace messages on console
FW1 (vdc) # diag debug flow trace start 10
FW1 (vdc) #
It shows nothing.
Note that the traffic to the other nameserver at 172.30.2.25 does go through and also shows a flow being established.
Why could that be?
Thanks.
Marki
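The sniffer output above only ever shows packets in one direction (client to 172.30.2.24:53), which is the real finding here: requests leave, nothing comes back, and the flow engine never sees a session. As an added example (not part of the original post or any Fortinet tool), the following script parses `diag sniffer packet` style lines in the layout shown above, groups them into client/server flows and reports the flows that never got a reply. The regular expression assumes exactly that one-line-per-packet layout; the reply lines for 172.30.2.25 are constructed to mirror the poster's remark that the other nameserver works.

```python
import re
from collections import defaultdict

# Constructed sample: the nine request lines from the post, plus one constructed
# request/reply pair to the second nameserver (172.30.2.25) so a healthy flow is present.
SNIFFER_OUTPUT = """\
2.949054 192.168.98.103.57575 -> 172.30.2.24.53: udp 37
3.312285 192.168.98.103.60698 -> 172.30.2.24.53: udp 37
3.401912 192.168.98.103.35894 -> 172.30.2.24.53: udp 31
3.408263 192.168.98.103.46152 -> 172.30.2.24.53: udp 34
3.684756 192.168.98.103.36344 -> 172.30.2.24.53: udp 37
3.923974 192.168.98.103.48066 -> 172.30.2.24.53: udp 37
4.166572 192.168.98.103.34428 -> 172.30.2.24.53: udp 31
4.222811 192.168.98.103.34984 -> 172.30.2.24.53: udp 31
4.238474 192.168.98.103.34193 -> 172.30.2.24.53: udp 31
5.001000 192.168.98.103.41000 -> 172.30.2.25.53: udp 37
5.002100 172.30.2.25.53 -> 192.168.98.103.41000: udp 120
"""

# Assumed line layout: "<timestamp> <src_ip>.<src_port> -> <dst_ip>.<dst_port>: <proto> <len>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)$"
)


def parse_sniffer(text):
    """Turn sniffer text into a list of packet dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        packets.append({
            "ts": float(d["ts"]),
            "sip": d["sip"], "sport": int(d["sport"]),
            "dip": d["dip"], "dport": int(d["dport"]),
            "proto": d["proto"].lower(), "length": int(d["length"]),
        })
    return packets


def flow_summary(packets, service_port=53):
    """Count packets per (client, server, proto) flow.

    A packet whose destination port is the service port counts as 'forward'
    (client -> server); one whose source port is the service port counts as
    'reverse' (server -> client). Other packets are ignored.
    """
    flows = defaultdict(lambda: {"forward": 0, "reverse": 0})
    for p in packets:
        if p["dport"] == service_port:
            flows[(p["sip"], p["dip"], p["proto"])]["forward"] += 1
        elif p["sport"] == service_port:
            flows[(p["dip"], p["sip"], p["proto"])]["reverse"] += 1
    return dict(flows)


def one_way_flows(packets, service_port=53):
    """Return the flows that sent requests but never saw a single reply."""
    summary = flow_summary(packets, service_port)
    return sorted(k for k, v in summary.items() if v["forward"] > 0 and v["reverse"] == 0)


if __name__ == "__main__":
    pkts = parse_sniffer(SNIFFER_OUTPUT)
    for key, counts in sorted(flow_summary(pkts).items()):
        print(f"{key[0]} -> {key[1]} ({key[2]}): {counts['forward']} out, {counts['reverse']} back")
    for client, server, proto in one_way_flows(pkts):
        print(f"NO REPLY: {client} -> {server} port 53/{proto}")
```

Run against a real capture, a flow listed under "NO REPLY" is the one to chase with the flow debug filters shown in the post; if the flow debug also stays silent for that destination, the packets are being dropped before the flow engine, which matches what the poster eventually found.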
Well, it turns out that the Checkpoint firewall in front of the Fortigate seems to have messed up packets somehow after some network layout changes. Probably the Fortigate dropped those packets at a very early stage and even before reaching the flow engine. After reboot of the Checkpoint firewall everything seems to be back in order.
Do you have a pcap, or more info on how the packet was being modified?
Also, have you experienced it again?
I have 5.2.4 and I think I'm experiencing the same issue...
JohnAgora wrote: Do you have a pcap, or more info on how the packet was being modified?
Also, have you experienced it again?
I have 5.2.4 and I think I'm experiencing the same issue...
No packet captures, sorry. As I said, I don't think it was the Fortigate's fault; however, there could have been some explicit error messages somewhere. Or I just didn't find them.