Having an issue with FGT-v6-build1911 running in KVM. Running this under a trial license for some lab builds and training purposes.
When I create a new instance traffic passes for a short amount of time and I can see route lookup and policy lookups taking place. Then after some time flows get stuck at route lookup and no traffic is able to pass the FW. Example of a flow trace when this happens:
id=20085 trace_id=2 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id="
id=20085 trace_id=2 func=init_ip_session_common line=5898 msg="allocate a new session-00001632"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"
id=20085 trace_id=3 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id="
id=20085 trace_id=3 func=init_ip_session_common line=5898 msg="allocate a new session-00001636"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"
Only workaround I have is to backup the config and restore it to a new instance which allows traffic to pass through again for some limited amount of time. I've tried clearing all sessions with no luck.
Any help would be appreciated. I can only think it's a bug with my setup or a limitation with the trial license I'm not aware of.
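To make the "stuck at route lookup" pattern easier to spot in a longer `diagnose debug flow` capture, here is a small parser, added as an example and not part of the original post or of any Fortinet tooling. It groups trace lines by `trace_id` and reports every trace that never reaches a policy-lookup stage. Treating `fw_forward_handler` (the function that logs "Allowed by Policy" in debug flow output) as the marker for "policy lookup happened" is an assumption of this example; the healthy trace 4 and its line numbers are constructed, the stuck traces 2 and 3 are the lines from the post above.

```python
import re
from collections import OrderedDict

# key=value fields as emitted by FortiGate "diagnose debug flow"; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# "proto=1, 10.0.2.10:22026->10.0.1.10:2048)" inside a print_pkt_detail message
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\)')
# Assumption: a trace that reaches this func has completed the policy lookup.
POLICY_FUNC = "fw_forward_handler"


def parse_line(line):
    """Split one debug-flow line into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def packet_summary(msg):
    """Pull 'proto=N src->dst' out of a print_pkt_detail message, or None."""
    m = PKT_RE.search(msg)
    if not m:
        return None
    return "proto=%s %s->%s" % m.groups()


def group_traces(lines):
    """Group parsed events by trace_id, preserving first-seen order."""
    traces = OrderedDict()
    for line in lines:
        fields = parse_line(line)
        tid = fields.get("trace_id")
        if tid is not None:
            traces.setdefault(tid, []).append(fields)
    return traces


def find_stuck_traces(lines, policy_func=POLICY_FUNC):
    """Return {trace_id: {"last_func": ..., "packet": ...}} for traces that never hit policy_func."""
    stuck = {}
    for tid, events in group_traces(lines).items():
        funcs = [e.get("func", "") for e in events]
        if policy_func in funcs:
            continue  # this flow got as far as a policy decision
        pkt = None
        for e in events:
            if e.get("func") == "print_pkt_detail":
                pkt = packet_summary(e.get("msg", ""))
                break
        stuck[tid] = {"last_func": funcs[-1], "packet": pkt}
    return stuck


# Constructed sample: traces 2 and 3 are the lines quoted in the post; trace 4 is a
# made-up healthy flow that reaches fw_forward_handler (line numbers are placeholders).
SAMPLE = [
    'id=20085 trace_id=2 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id="',
    'id=20085 trace_id=2 func=init_ip_session_common line=5898 msg="allocate a new session-00001632"',
    'id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"',
    'id=20085 trace_id=3 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id="',
    'id=20085 trace_id=3 func=init_ip_session_common line=5898 msg="allocate a new session-00001636"',
    'id=20085 trace_id=3 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"',
    'id=20085 trace_id=4 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22027->10.0.1.10:2048) from ToRemote. type=8, code=0, id="',
    'id=20085 trace_id=4 func=init_ip_session_common line=5898 msg="allocate a new session-00001640"',
    'id=20085 trace_id=4 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"',
    'id=20085 trace_id=4 func=fw_forward_handler line=0000 msg="Allowed by Policy-1:"',
]

if __name__ == "__main__":
    for tid, info in find_stuck_traces(SAMPLE).items():
        print("trace %s stuck after %s (%s)" % (tid, info["last_func"], info["packet"]))
```

Paste the raw output of `diagnose debug flow` into `SAMPLE` (or read it from a file) and the script lists each flow that stopped short of a policy decision together with its last stage; if every stuck flow ends at `vf_ip_route_input_common`, the problem sits between route lookup and policy lookup rather than in policy matching itself.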
This is ICMP traffic (a ping?), correct? Do you have the same issue with other traffic? How long does it roughly take for the FortiGate to stop forwarding the traffic?
I would suggest you check the following:
- dia sniffer output, as @akumarr suggested, to verify if traffic is leaving the FortiGate and perhaps being dropped somewhere behind it
- DoS policies on the FortiGate, if you have them enabled -> they could cause ping to be dropped after a certain threshold is reached
- any forward traffic logs you have, to see if the traffic is denied for some reason or dropped by implicit deny
  -> you might need to enable logging on implicit deny (right-click on the log setting for implicit deny in the policy table, then select 'All' and save)
  -> debug flow might show some information regarding traffic being denied or dropped by implicit deny; if nothing is visible in debug flow, this suggests the issue might not be with policy matching but something else