- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- FortiGate - Not forwarding traffic
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiGate - Not forwarding traffic
Having an issue with FGT-v6-build1911 running in KVM. Running this under a trial license for some lab builds and training purposes.
When I create a new instance traffic passes for a short amount of time and I can see route lookup and policy lookups taking place. Then after some time flows get stuck at route lookup and no traffic is able to pass the FW. Example of a flow trace when this happens:
id=20085 trace_id=2 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id=" id=20085 trace_id=2 func=init_ip_session_common line=5898 msg="allocate a new session-00001632" id=20085 trace_id=2 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3" id=20085 trace_id=3 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=1, 10.0.2.10:22026->10.0.1.10:2048) from ToRemote. type=8, code=0, id=" id=20085 trace_id=3 func=init_ip_session_common line=5898 msg="allocate a new session-00001636" id=20085 trace_id=3 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.0.1.10 via port3"
Only workaround I have is to backup the config and restore it to a new instance which allows traffic to pass through again for some limited amount of time. I've tried clearing all sessions with no luck.
Any help would be appreciated. I can only think it's a bug with my setup or a limitation with the trial license I'm not aware of.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi nshar
Please share me the output for,
diag sniffer packet any "host x.x.x.x" 4 0 a
replace x.x.x.x with destination IP and try to the destination and share the output
Best regards,
ARUNKUMAR.R.
ARUNKUMAR.R.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @nshar,
thank you for sharing that debug flow snippet.
This is ICMP traffic (a ping?), correct? Do you have the same issue with other traffic? How long does it roughly take for the FortiGate to stop forwarding the traffic?
I would suggest you check the following:
- dia sniffer output, as @akumarr suggested, to verify if traffic is leaving the FortiGate and perhaps being dropped somewhere behind it
- DoS policies on the FortiGate, if you have them enabled -> they could cause ping to be dropped after a certain threshold is reached
- any forward traffic logs you have, to see if the traffic is denied for some reason or dropped by implicit deny
-> you might need to enable logging on implicit deny (right-click on the log setting for implicit deny in the policy table, then select 'All' and save)
-> debug flow might show some information regarding traffic being denied or dropped by implicit deny; if nothing is visible in debug flow, this suggests the issue might not be with policy matching but something else
A rough guide for initial troubleshooting for potentially blocked traffic may be found here: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Initial-troubleshooting-steps-for-tr...
Hope this helps :)
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have same problem...the traffic not even logged...I did enabled log on denied rule and allow rule but no log.
From my PC can ping the WAN interface of the FGT that is it.
Related Posts
- Forticlient Radius Authentication Across IPSEC Tunnel 7 Views
- Routing Issue on FortiGate 7.2.8 145 Views
- Moving away from Software Switches -... 141 Views
- Dial-up IPsec tunnels with same source... 436 Views
- ipv6 - internal lan interface cannot... 183 Views
Labels
-
FortiGate
6,444 -
FortiClient
1,285 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
330 -
FortiAP
326 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
65 -
4.0MR3
64 -
Wireless Controller
57 -
SSL-VPN
53 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.