Having an issue with FGT-v6-build1911 running in KVM. Running this under a trial license for some lab builds and training purposes.
When I create a new instance traffic passes for a short amount of time and I can see route lookup and policy lookups taking place. Then after some time flows get stuck at route lookup and no traffic is able to pass the FW. Example of a flow trace when this happens:
id=20085 trace_id=2 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id="
id=20085 trace_id=2 func=init_ip_session_common line=5898 msg="allocate a new session-00001632"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"
id=20085 trace_id=3 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id="
id=20085 trace_id=3 func=init_ip_session_common line=5898 msg="allocate a new session-00001636"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"
Only workaround I have is to backup the config and restore it to a new instance which allows traffic to pass through again for some limited amount of time. I've tried clearing all sessions with no luck.
Any help would be appreciated. I can only think it's a bug with my setup or a limitation with the trial license I'm not aware of.
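A small helper, added here as an example and not part of the original post, that parses lines in the debug flow format quoted above, groups them by trace_id and flags traces whose last recorded step is the route lookup (the symptom described). The sample input is constructed: trace_id=2 copies the stuck pattern from the post, while trace_id=3 is an assumed healthy trace with an extra policy-match line so the two can be compared.

```python
import re
from collections import OrderedDict

# Constructed sample in the diagnose debug flow format quoted in the post.
# trace_id=2 stops at the route lookup; trace_id=3 is an assumed healthy trace
# whose final "Allowed by Policy" line is constructed for comparison.
SAMPLE_TRACE = '''
id=20085 trace_id=2 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id="
id=20085 trace_id=2 func=init_ip_session_common line=5898 msg="allocate a new session-00001632"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"
id=20085 trace_id=3 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22027->10.0.1.10:2048) from ToRemote. type=8, code=0, id="
id=20085 trace_id=3 func=init_ip_session_common line=5898 msg="allocate a new session-00001636"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"
id=20085 trace_id=3 func=fw_forward_handler line=737 msg="Allowed by Policy-1:"
'''

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs, values may be quoted
PKT_RE = re.compile(r'proto=(\d+), (\S+)->(\S+)\)')
ROUTE_LOOKUP = "vf_ip_route_input_common"          # last step seen in the stuck traces

def parse_trace(text):
    """Group debug flow lines by trace_id, keeping the ordered (func, msg) steps
    and the packet summary taken from the print_pkt_detail line."""
    traces = OrderedDict()
    for line in text.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if "trace_id" not in fields or "func" not in fields:
            continue
        entry = traces.setdefault(fields["trace_id"], {"packet": None, "steps": []})
        entry["steps"].append((fields["func"], fields.get("msg", "")))
        m = PKT_RE.search(fields.get("msg", ""))
        if fields["func"] == "print_pkt_detail" and m:
            entry["packet"] = "proto=%s %s->%s" % m.groups()
    return traces

def stalled_traces(text):
    """trace_ids whose last recorded step is the route lookup, i.e. the flow never
    reached a policy decision in the captured output."""
    return [tid for tid, e in parse_trace(text).items()
            if e["steps"] and e["steps"][-1][0] == ROUTE_LOOKUP]

def report(text):
    """One summary line per trace: packet, last func seen, and whether it stalled."""
    lines = []
    for tid, e in parse_trace(text).items():
        last = e["steps"][-1][0]
        status = "STALLED after route lookup" if last == ROUTE_LOOKUP else "progressed"
        lines.append("trace_id=%s %s last=%s %s" % (tid, e["packet"], last, status))
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACE)))
```

Feed it the raw output of the debug flow session instead of SAMPLE_TRACE to see which traces never get past the route lookup.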
Hi nshar,
Please share with me the output of:
diag sniffer packet any "host x.x.x.x" 4 0 a
Replace x.x.x.x with the destination IP, try to reach the destination, and share the output.
Hey @nshar,
Thank you for sharing that debug flow snippet.
This is ICMP traffic (a ping?), correct? Do you have the same issue with other traffic? How long does it roughly take for the FortiGate to stop forwarding the traffic?
I would suggest you check the following:
- dia sniffer output, as @akumarr suggested, to verify if traffic is leaving the FortiGate and perhaps being dropped somewhere behind it
- DoS policies on the FortiGate, if you have them enabled -> they could cause ping to be dropped after a certain threshold is reached
- any forward traffic logs you have, to see if the traffic is denied for some reason or dropped by implicit deny
-> you might need to enable logging on implicit deny (right-click on the log setting for implicit deny in the policy table, then select 'All' and save)
-> debug flow might show some information regarding traffic being denied or dropped by implicit deny; if nothing is visible in debug flow, this suggests the issue might not be with policy matching but something else
A rough guide for initial troubleshooting for potentially blocked traffic may be found here: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Initial-troubleshooting-steps-for-tr...
Hope this helps :)
I have the same problem... the traffic is not even logged... I did enable logging on the denied rule and the allow rule, but there is no log.
From my PC I can ping the WAN interface of the FGT, that is it.