rkinsp
New Contributor

FortiGate - SNAT Mismatch - PBR

Hey everyone,

 

We are trying to set up a "weird" scenario for a customer. They have a "one-armed" situation where the FortiGate has an internet link and will receive VPN connections; however, before routing the traffic to the internet, it has to PBR to another piece of equipment which will analyze the traffic. This traffic will then return to the FortiGate and go out the internet link, with NAT.

 

We are currently simulating the other equipment with a secondary FortiGate.

 

The issue we are having is that the PBR works fine, but the traffic gets dropped due to SNAT Mismatch. I've enabled asymmetrical routing but no go. The only way I could get it to work is if the secondary FortiGate (which will be the traffic analyzer) does NAT itself so that the source IP is in the correct interface.

 

Any thoughts?

 

Thanks!

 

Excerpt from diag flow below.

id=20085 trace_id=148 func=resolve_ip_tuple_fast line=5746 msg="Find an existing session, id-00000907, original direction"
id=20085 trace_id=148 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.0.20.2 via port2"
id=20085 trace_id=148 func=fw_strict_dirty_session_check line=257 msg="SNAT mismatch policy 2 (nat 1, must nat 0, ip 0.0.0.0), drop"
id=20085 trace_id=149 func=print_pkt_detail line=5665 msg="vd-root:0 received a packet(proto=1, 192.168.2.1:33546->1.1.1.1:2048) from OL_MPLS. type=8, code=0, id=3354 6, seq=58."
id=20085 trace_id=149 func=init_ip_session_common line=5836 msg="allocate a new session-0000090e"
id=20085 trace_id=149 func=vf_ip_route_input_common line=2566 msg="Match policy routing id=1: to 10.198.0.1 via ifindex-11"
id=20085 trace_id=149 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.198.0.1 via FULL_MESH_198"
id=20085 trace_id=149 func=fw_forward_handler line=796 msg="Allowed by Policy-1:"
id=20085 trace_id=149 func=ipd_post_route_handler line=490 msg="out FULL_MESH_198 vwl_zone_id 0, state2 0x0, quality 0. "
id=20085 trace_id=150 func=print_pkt_detail line=5665 msg="vd-root:0 received a packet(proto=1, 192.168.2.1:33546->1.1.1.1:2048) from BLD_200. type=8, code=0, id=3354 6, seq=58."
id=20085 trace_id=150 func=resolve_ip_tuple_fast line=5746 msg="Find an existing session, id-0000090e, original direction"
id=20085 trace_id=150 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.0.20.2 via port2"
id=20085 trace_id=150 func=fw_strict_dirty_session_check line=257 msg="SNAT mismatch policy 2 (nat 1, must nat 0, ip 0.0.0.0), drop"
id=20085 trace_id=151 func=print_pkt_detail line=5665 msg="vd-root:0 received a packet(proto=1, 192.168.2.1:33546->1.1.1.1:2048) from OL_MPLS. type=8, code=0, id=3354 6, seq=59."
id=20085 trace_id=151 func=init_ip_session_common line=5836 msg="allocate a new session-0000090f"
id=20085 trace_id=151 func=vf_ip_route_input_common line=2566 msg="Match policy routing id=1: to 10.198.0.1 via ifindex-11"
id=20085 trace_id=151 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.198.0.1 via FULL_MESH_198"
id=20085 trace_id=151 func=fw_forward_handler line=796 msg="Allowed by Policy-1:"
id=20085 trace_id=151 func=ipd_post_route_handler line=490 msg="out FULL_MESH_198 vwl_zone_id 0, state2 0x0, quality 0. "
id=20085 trace_id=152 func=print_pkt_detail line=5665 msg="vd-root:0 received a packet(proto=1, 192.168.2.1:33546->1.1.1.1:2048) from BLD_200. type=8, code=0, id=3354 6, seq=59."
id=20085 trace_id=152 func=resolve_ip_tuple_fast line=5746 msg="Find an existing session, id-0000090f, original direction"
id=20085 trace_id=152 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.0.20.2 via port2"
id=20085 trace_id=152 func=fw_strict_dirty_session_check line=257 msg="SNAT mismatch policy 2 (nat 1, must nat 0, ip 0.0.0.0), drop"
id=20085 trace_id=153 func=print_pkt_detail line=5665 msg="vd-root:0 received a packet(proto=1, 192.168.2.1:33546->1.1.1.1:2048) from OL_MPLS. type=8, code=0, id=3354 6, seq=60."
id=20085 trace_id=153 func=init_ip_session_common line=5836 msg="allocate a new session-00000910"
id=20085 trace_id=153 func=vf_ip_route_input_common line=2566 msg="Match policy routing id=1: to 10.198.0.1 via ifindex-11"
id=20085 trace_id=153 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.198.0.1 via FULL_MESH_198"
id=20085 trace_id=153 func=fw_forward_handler line=796 msg="Allowed by Policy-1:"
id=20085 trace_id=153 func=ipd_post_route_handler line=490 msg="out FULL_MESH_198 vwl_zone_id 0, state2 0x0, quality 0. "
id=20085 trace_id=154 func=print_pkt_detail line=5665 msg="vd-root:0 received a packet(proto=1, 192.168.2.1:33546->1.1.1.1:2048) from BLD_200. type=8, code=0, id=3354 6, seq=60."
id=20085 trace_id=154 func=resolve_ip_tuple_fast line=5746 msg="Find an existing session, id-00000910, original direction"
id=20085 trace_id=154 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.0.20.2 via port2"
id=20085 trace_id=154 func=fw_strict_dirty_session_check line=257 msg="SNAT mismatch policy 2 (nat 1, must nat 0, ip 0.0.0.0), drop"
id=20085 trace_id=155 func=print_pkt_detail line=5665 msg="vd-root:0 received a packet(proto=1, 192.168.2.1:33546->1.1.1.1:2048) from OL_MPLS. type=8, code=0, id=3354
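Since the thread has no replies, here is an added triage helper (my own example, not code from the poster or from Fortinet): it parses a `diagnose debug flow` excerpt in the format above, groups entries by trace_id, and for every drop joins it back to the trace that first created the same session, so the report shows where the packet first entered, how PBR sent it out, where it came back in, what the plain route lookup said on re-entry, and the drop reason. The sample input is constructed from the poster's excerpt (ICMP id written as 33546) and the field names of the report are my own.

```python
import re
# Constructed sample in the format of the poster's excerpt, run together on one line as the forum rendered it.
SAMPLE = (
    'id=20085 trace_id=149 func=print_pkt_detail line=5665 msg="vd-root:0 received a packet'
    '(proto=1, 192.168.2.1:33546->1.1.1.1:2048) from OL_MPLS. type=8, code=0, id=33546, seq=58." '
    'id=20085 trace_id=149 func=init_ip_session_common line=5836 msg="allocate a new session-0000090e" '
    'id=20085 trace_id=149 func=vf_ip_route_input_common line=2566 msg="Match policy routing id=1: to 10.198.0.1 via ifindex-11" '
    'id=20085 trace_id=149 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.198.0.1 via FULL_MESH_198" '
    'id=20085 trace_id=150 func=print_pkt_detail line=5665 msg="vd-root:0 received a packet'
    '(proto=1, 192.168.2.1:33546->1.1.1.1:2048) from BLD_200. type=8, code=0, id=33546, seq=58." '
    'id=20085 trace_id=150 func=resolve_ip_tuple_fast line=5746 msg="Find an existing session, id-0000090e, original direction" '
    'id=20085 trace_id=150 func=vf_ip_route_input_common line=2584 msg="find a route: flag=00000000 gw-10.0.20.2 via port2" '
    'id=20085 trace_id=150 func=fw_strict_dirty_session_check line=257 msg="SNAT mismatch policy 2 (nat 1, must nat 0, ip 0.0.0.0), drop"'
)
ENTRY = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="([^"]*)"')  # one debug-flow entry

def parse_traces(text):
    """Group entries by trace_id; keep ingress interface, session id, PBR match, route egress, drop reason."""
    traces = {}
    for tid, func, msg in ENTRY.findall(text):
        t = traces.setdefault(tid, dict(in_if=None, session=None, pbr=None, out_if=None, drop=None))
        if func == "print_pkt_detail":                      # "... from <ingress interface>."
            t["in_if"] = re.search(r"\) from (\S+)\.", msg).group(1)
        elif func in ("init_ip_session_common", "resolve_ip_tuple_fast"):   # new or existing session
            t["session"] = re.search(r"([0-9a-f]{8})", msg).group(1)
        elif func == "vf_ip_route_input_common":
            if msg.startswith("Match policy routing"):       # PBR hit, before the route lookup
                t["pbr"] = msg
            elif " via " in msg:                             # "find a route: ... via <interface>"
                t["out_if"] = msg.rsplit(" via ", 1)[1]
        elif msg.endswith("drop"):                           # e.g. fw_strict_dirty_session_check
            t["drop"] = msg
    return traces

def diagnose(text):
    """One finding per dropped trace, joined to the trace that first created the same session."""
    traces, first_seen, findings = parse_traces(text), {}, []
    for t in traces.values():          # dicts keep insertion order, so the first sighting wins
        if t["session"]:
            first_seen.setdefault(t["session"], t)
        if t["drop"]:
            o = first_seen.get(t["session"], {})
            findings.append(dict(session=t["session"], first_in=o.get("in_if"),
                                 pbr=o.get("pbr"), first_out=o.get("out_if"),
                                 return_in=t["in_if"], return_route=t["out_if"], reason=t["drop"]))
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f)
```

For the sample this reports session 0000090e entering on OL_MPLS, policy-routed out FULL_MESH_198, re-entering on BLD_200 where the normal route points at port2, and dropped with the SNAT mismatch reason; the same two interfaces on re-entry are what to compare against the NAT policy that matched on the first pass.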

0 REPLIES 0