Jirka1
Contributor III

Destination Interface unknown-0

Hello experts,

Today we deployed an FGT200E to part of the network. We terminated two parts of the network, vlan666 and vlan777; both are WiFi networks and both have DHCP on the FGT. DNS is Google DNS. Everything works OK, only in the log we very often have the message: Deny: policy violation, dst iface unknown-0, although it is legitimate traffic to be routed to the internet. No BGP or OSPF is used; NAT is performed with an IP pool on a public IP address.

 

config firewall policy
    edit 26
        set name "UINIFI Guest->WAN"
        set uuid 671a3c32-e734-51e8-b9c2-43cbdf86ab1f
        set srcintf "VLAN777"
        set dstintf "wan1"
        set srcaddr "UNIFI Guest"
        set dstaddr "all"
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        set dscp-match disable
        set utm-status enable
        set logtraffic all
        set logtraffic-start disable
        set auto-asic-offload enable
        set permit-any-host disable
        set permit-stun-host disable
        set fixedport disable
        set ippool enable
        set poolname "NAT_UniFi_GUEST"
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-type single
        set av-profile ''
        set webfilter-profile "UniFiGuest"
        set dnsfilter-profile ''
        set spamfilter-profile ''
        set dlp-sensor ''
        set ips-sensor ''
        set application-list "UniFiGuest"
        set voip-profile ''
        set icap-profile ''
        set waf-profile ''
        set ssh-filter-profile ''
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat enable
        set match-vip disable
    next
end

 

# diag debug reset
# diag debug enable
# diag debug flow filter dport 80
# diag debug flow filter saddr 10.9.8.118
# diag debug flow trace start 100


FG200E-xxx # id=20085 trace_id=1 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=1 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=2 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=2 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=3 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=3 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=4 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=4 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=5 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=5 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=6 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=6 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=6 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=7 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=7 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=8 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=8 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=9 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=9 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=10 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=10 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=11 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=11 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=12 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=12 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=12 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=13 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag , seq 3290449723, ack 0, win 65535"
id=20085 trace_id=13 func=init_ip_session_common line=5544 msg="allocate a new session-0002041f"
id=20085 trace_id=13 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=13 func=fw_forward_handler line=751 msg="Allowed by Policy-26: AV SNAT"
id=20085 trace_id=13 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=13 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=14 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369"
id=20085 trace_id=14 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=14 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN777 to wan1, skb.npu_flag=00000000 ses.state=18052306 ses.npu_state=0x00001008"
id=20085 trace_id=14 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=14 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=15 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag , seq 261364636, ack 0, win 14600"
id=20085 trace_id=15 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=15 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=16 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369"
id=20085 trace_id=16 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=16 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN777 to wan1, skb.npu_flag=00000000 ses.state=18052306 ses.npu_state=0x00001008"
id=20085 trace_id=16 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=16 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=17 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364637, ack 1997784959, win 3650"
id=20085 trace_id=17 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=17 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=18 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364637, ack 1997784959, win 3650"
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=18 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=19 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364838, ack 1997785115, win 3918"
id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=19 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=20 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449925, ack 3398102765, win 1369"
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=20 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=20 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=21 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=21 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=22 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=22 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=22 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=23 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=23 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=23 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=24 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=24 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=24 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=25 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=25 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=25 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=26 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=26 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=26 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=27 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=27 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=27 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=28 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=28 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=28 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=29 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=29 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=29 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=30 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=30 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=30 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=31 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=31 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=31 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=32 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=32 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=32 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=33 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=33 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=33 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=34 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=34 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=34 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=35 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=35 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=35 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=36 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=36 func=fw_forward_dirty_handler line=335 msg="no session matched"

 

I have read a few similar posts, but there is no definitive solution. Does anyone have any idea what else to check? In my opinion, this is a standard setup that always works. FortiOS 6.0.3.

Thank you, Jirka
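As an added example (not part of the post and not Fortinet code), here is a parser for the `diag debug flow trace` output above. It groups the lines by trace_id, reduces each packet to one verdict (new session, existing session, or "no session matched"), and then summarises per 4-tuple how many packets were seen with no session, what TCP flags they carried and how often the same segment was retransmitted. Run over the trace in the post it makes the pattern visible: every "no session matched" hit is a [F.] segment on one of four source ports to the same destination, repeated with the same sequence number, so the client is retransmitting FINs for connections the FortiGate no longer holds a session for, while the fresh SYN to 157.240.20.15 is allocated a session and allowed by policy 26 normally. The sample trace is a trimmed copy of the lines in the post (the gateway address is left redacted as in the post); the line format assumed is the one FortiOS 6.0 prints there, with an empty flag field on the session-opening packet.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the `diag debug flow` lines in the post
# above (the gateway address is left redacted exactly as the post shows it).
SAMPLE_TRACE = """\
FG200E-xxx # id=20085 trace_id=1 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=1 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=13 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag , seq 3290449723, ack 0, win 65535"
id=20085 trace_id=13 func=init_ip_session_common line=5544 msg="allocate a new session-0002041f"
id=20085 trace_id=13 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=13 func=fw_forward_handler line=751 msg="Allowed by Policy-26: AV SNAT"
id=20085 trace_id=14 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369"
id=20085 trace_id=14 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=15 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag , seq 261364636, ack 0, win 14600"
id=20085 trace_id=15 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=15 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=21 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=21 func=fw_forward_dirty_handler line=335 msg="no session matched"
"""

# One trace line; the optional "<hostname> # " prefix is the CLI prompt glued to the first line.
LINE_RE = re.compile(
    r'^(?:\S+ # )?id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) '
    r'line=\d+ msg="(?P<msg>.*)"$'
)
# The print_pkt_detail message. The flag field is empty (not "[S]") on the SYN in this firmware.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) '
    r'from (?P<iface>\S+)\. flag (?P<flags>\[[^\]]*\])?, seq (?P<seq>\d+), '
    r'ack (?P<ack>\d+), win (?P<win>\d+)'
)
SESSION_RE = re.compile(r'(?:session-|id-)([0-9a-f]{8})')   # "session-0002041f" / "id-0002041f"
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')


def parse_trace(text):
    """Group trace lines by trace_id: each group is one packet's walk through the kernel."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tid = int(m.group('trace'))
        rec = traces.setdefault(tid, {'trace_id': tid, 'packet': None, 'steps': []})
        rec['steps'].append((m.group('func'), m.group('msg')))
        pm = PKT_RE.search(m.group('msg'))
        if pm:
            d = pm.groupdict()
            rec['packet'] = {
                'proto': int(d['proto']), 'src': d['src'], 'sport': int(d['sport']),
                'dst': d['dst'], 'dport': int(d['dport']), 'iface': d['iface'],
                'flags': d['flags'] or '', 'seq': int(d['seq']), 'ack': int(d['ack']),
            }
    return traces


def verdict(rec):
    """Reduce one packet's steps to a single outcome."""
    for _, msg in rec['steps']:
        if msg == 'no session matched':
            return 'no_session'
        if msg.startswith('allocate a new session'):
            return 'new_session'
        if msg.startswith('Find an existing session'):
            return 'existing_session'
    return 'unknown'


def flow_key(pkt):
    return (pkt['src'], pkt['sport'], pkt['dst'], pkt['dport'])


def summarize(text):
    """Per 4-tuple: packets that hit the dirty handler with no session, their TCP flags,
    how many distinct segments that was (same seq repeated = client retransmitting into
    a session the FortiGate no longer holds), plus sessions/policies seen for the flow."""
    flows = defaultdict(lambda: {'hits': 0, 'flags': set(), 'seqs': set(),
                                 'sessions': set(), 'policies': set()})
    for rec in parse_trace(text).values():
        pkt = rec['packet']
        if pkt is None:
            continue
        f = flows[flow_key(pkt)]
        if verdict(rec) == 'no_session':
            f['hits'] += 1
            f['flags'].add(pkt['flags'] or '(none)')
            f['seqs'].add(pkt['seq'])
            continue
        for _, msg in rec['steps']:
            sm, pm = SESSION_RE.search(msg), POLICY_RE.search(msg)
            if sm:
                f['sessions'].add(sm.group(1))
            if pm:
                f['policies'].add(int(pm.group(1)))
    report = {}
    for key, f in flows.items():
        report[key] = {
            'no_session_hits': f['hits'],
            'flags': sorted(f['flags']),
            'distinct_segments': len(f['seqs']),
            'retransmissions': f['hits'] - len(f['seqs']),
            'session_ids': sorted(f['sessions']),
            'policies': sorted(f['policies']),
            # A FIN/ACK or RST with no session is a teardown for a connection the
            # firewall has already forgotten: a stale close, not a policy problem.
            'stale_close': f['hits'] > 0 and all('F' in fl or 'R' in fl for fl in f['flags']),
        }
    return report


def stale_close_flows(text):
    """The 4-tuples whose only no-session packets were FIN/RST segments."""
    return sorted(k for k, r in summarize(text).items() if r['stale_close'])


if __name__ == '__main__':
    for key, r in sorted(summarize(SAMPLE_TRACE).items()):
        print('%s:%d -> %s:%d' % key, r)
    print('stale closes:', stale_close_flows(SAMPLE_TRACE))
```

To use it on a live box, paste the output of `diag debug flow trace start 100` into a file and call `summarize(open(path).read())`; flows that show up only as `stale_close` are the ones producing the "dst iface unknown-0" deny entries without any real loss of connectivity, while a flow with `no_session_hits` on a `[S]` or `[.]` segment would point at the asymmetric or flapping path conditions discussed in the accepted answer.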

 

1 Solution
emnoc
Esteemed Contributor III

The message is informational; many things cause a destination unknown:

 

   asymmetrical

   interface  link-state change

   routing path and protocol changes

   vpn state  changes

 

Typically it is something external to the firewall. It means you have network, link or path issues.

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  


Mr_Energy

Hi Jirka, I have exactly the same issue with those unknown-0 destination interfaces and followed all the recommended changes mentioned in this thread, without success as well. Did you meanwhile find a solution? I use an FG81E with OS 6.0.4.

Mr_Energy

I have exactly the same issue with those unknown-0 destination interfaces. Did you meanwhile find a solution? I use an FG81E with OS 6.0.4.

Pablo4391

Hi! Sorry, but in the end, how did you solve it? I'm having the same "no session matched" problem on the FortiGate and I found an unknown-0 interface.

Thank you!

Jirka1

Hi Pablo, TAC told me that I had to try a reset to default and set up the box again... and it worked! Good luck, Jirka

Pablo4391

Ufff! I can't believe they told you that. :(

Thanks for the quick reply.

FortiLearner

I'm experiencing the same issue.

There has to be another way; resetting to default and restoring means that you just cleared something.

 

Anyone else resolve this issue another way?

 

tanr
Valued Contributor II

Ken, could the STP noise I've been seeing on some FortiSwitch ports directly connected to end users, like the logs below, be resulting in the destination unknown? I've been trying to track down what might be causing it.

 

    primary port port2 instance 0 changed role from disabled to designated

    primary port port2 instance 0 changed state from forwarding to discarding

    primary port port2 instance 0 changed role from designated to disabled

    primary port port2 instance 0 changed state from discarding to forwarding

    primary port port2 instance 0 changed role from disabled to designated 

    primary port port2 instance 0 changed role from designated to disabled

    primary port port2 instance 0 changed role from disabled to designated

 

EDIT: or does this mean I've done something silly with my FortiSwitch config...?

        STP, Edge Port, and STP BPDU Guard are enabled for these edge ports.
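As an added example (not from the post and not Fortinet code), a small flap detector for the FortiSwitch STP lines quoted above: it parses each "changed role/state" event, counts transitions per port and instance, and reports ports that bounced more than a threshold, separating role changes from state changes and counting how often the port went back to disabled (a link going down). The post's lines carry no timestamps, so the count is per captured log rather than per time window; the quiet `port4` lines are constructed to show a port that does not trip the threshold. Whether such flapping is what produces the "unknown-0" entries is the question the post asks, and this code only makes the flapping measurable.

```python
import re
from collections import defaultdict

# Constructed sample: the STP lines quoted in the post above, plus two lines for a
# quiet port (port4, an assumption) so that a non-flapping port is in the data.
SAMPLE_STP_LOG = """\
primary port port2 instance 0 changed role from disabled to designated
primary port port2 instance 0 changed state from forwarding to discarding
primary port port2 instance 0 changed role from designated to disabled
primary port port2 instance 0 changed state from discarding to forwarding
primary port port2 instance 0 changed role from disabled to designated
primary port port2 instance 0 changed role from designated to disabled
primary port port2 instance 0 changed role from disabled to designated
primary port port4 instance 0 changed role from disabled to designated
primary port port4 instance 0 changed state from discarding to forwarding
"""

STP_RE = re.compile(
    r'^(?P<unit>\S+) port (?P<port>\S+) instance (?P<inst>\d+) '
    r'changed (?P<kind>role|state) from (?P<old>\S+) to (?P<new>\S+)$'
)


def parse_stp(text):
    """One dict per STP transition line; lines that are not STP events are skipped."""
    events = []
    for line in text.splitlines():
        m = STP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d['inst'] = int(d['inst'])
            events.append(d)
    return events


def flapping_ports(text, threshold=4):
    """{(unit, port, instance): counters} for ports with >= threshold transitions.
    link_down_events counts role changes back to 'disabled', i.e. the port going down."""
    by_port = defaultdict(lambda: {'role_changes': 0, 'state_changes': 0,
                                   'link_down_events': 0})
    for ev in parse_stp(text):
        p = by_port[(ev['unit'], ev['port'], ev['inst'])]
        if ev['kind'] == 'role':
            p['role_changes'] += 1
            if ev['new'] == 'disabled':
                p['link_down_events'] += 1
        else:
            p['state_changes'] += 1
    return {
        key: dict(c, total=c['role_changes'] + c['state_changes'])
        for key, c in by_port.items()
        if c['role_changes'] + c['state_changes'] >= threshold
    }


if __name__ == '__main__':
    for key, c in sorted(flapping_ports(SAMPLE_STP_LOG).items()):
        print('%s %s instance %d flapping:' % key, c)
```

A port that shows up here with several `link_down_events` in a short capture is worth correlating by time against the "unknown-0" deny entries on the FortiGate; if the denies cluster right after each bounce, the link, not the policy, is the thing to chase.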
