Hi,
There is a problem with traffic routing when accessing an external load balancer, namely a public VIP, which in turn points to a real server located on the local network. For example:

1. A client with IP address 172.20.16.8 accesses the external VIP address (172.18.45.50), and Source NAT to address 172.18.45.145 occurs.
2. The client's request reaches the Cisco ACE load balancer, after which the request is directed to the real server (172.20.16.5) and Destination NAT is performed.
3. The Fortigate (outside) interface receives a packet with the direction (172.18.45.145 to 172.20.16.5).
4. The answer from 172.20.16.5 to 172.18.45.145 is blocked at the VDOM (Office) level, namely:
```
# diag ip rtcache list | grep -A1 -B1 172.20.16.5
family=02 tab=254 vf=4 type=02 tos=0 flag=80000200
172.20.16.5@28(tops)->172.18.45.145@25(office) gwy=0.0.0.0 prefsrc=172.18.45.145
ci: ref=3 lastused=0 expire=0 err=00000000 used=2 br=0 pmtu=16436

session info: proto=6 proto_state=02 duration=4 expire=8 timeout=3600 flags=00000010 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu synced none
statistic(bytes/packets/allow_err): org=180/3/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 39/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=28->42/42->28 gwy=172.21.249.25/0.0.0.0
hook=post dir=org act=snat 172.20.16.8:49596->172.18.45.50:80(172.18.45.145:49596)
hook=pre dir=reply act=dnat 172.18.45.50:80->172.18.45.145:49596(172.20.16.8:49596)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=339 auth_info=0 chk_client_info=0 vd=4 serial=2534e580 tos=ff/ff app_list=0 app=0 url_cat=0
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason:
ofld_fail_reason(kernel, drv): not-established/none, none(0)/none(0)
npu_state_err=04/00
total session 3

2019-01-30 19:11:20 id=20085 trace_id=6101 func=resolve_ip_tuple_fast line=4848 msg="Find an existing session, id-24faa24e, reply direction"
2019-01-30 19:11:20 id=20085 trace_id=6101 func=vf_ip_route_input_common line=2584 msg="find a route: flag=80000000 gw-172.18.45.145 via office"
2019-01-30 19:11:20 id=20085 trace_id=6102 func=print_pkt_detail line=4784 msg="vd-office received a packet(proto=6, 172.20.16.5:80->172.18.45.145:59574) from tops. flag [S.], seq 710291362, ack 3789003838, win 14480"
```
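As an added triage helper (not part of the post above and not a Fortinet tool), the script below parses the session entry and the `print_pkt_detail` debug-flow line quoted in the post and cross-checks the observed reply packet against the reply tuple and ingress interface the session expects. The sample text is copied from the post; the interface index-to-name mapping (28 = tops) is taken from the rtcache line, and the name of interface 42 is unknown, so only indices the dump reveals are resolved. Run it on your own `diagnose sys session list` and `diagnose debug flow` output to see quickly whether a dropped reply is a different connection, a different source address than the VIP, or an asymmetric path into another VDOM.

```python
"""Cross-check a FortiGate session entry against a debug-flow packet line (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines from the session dump quoted in the post.
SESSION_TEXT = """\
172.20.16.5@28(tops)->172.18.45.145@25(office) gwy=0.0.0.0 prefsrc=172.18.45.145
orgin->sink: org pre->post, reply pre->post dev=28->42/42->28 gwy=172.21.249.25/0.0.0.0
hook=post dir=org act=snat 172.20.16.8:49596->172.18.45.50:80(172.18.45.145:49596)
hook=pre dir=reply act=dnat 172.18.45.50:80->172.18.45.145:49596(172.20.16.8:49596)
"""
# Constructed sample: the debug-flow packet line quoted in the post.
FLOW_TEXT = """\
2019-01-30 19:11:20 id=20085 trace_id=6102 func=print_pkt_detail line=4784 msg="vd-office received a packet(proto=6, 172.20.16.5:80->172.18.45.145:59574) from tops. flag [S.], seq 710291362, ack 3789003838, win 14480"
"""

HOOK_RE = re.compile(
    r"hook=\w+ dir=(?P<dir>org|reply) act=(?P<act>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<xip>[\d.]+):(?P<xport>\d+)\)"
)
# dev=<org in>-><org out>/<reply in>-><reply out>
DEV_RE = re.compile(r"dev=(?P<org_in>\d+)->(?P<org_out>\d+)/(?P<rep_in>\d+)->(?P<rep_out>\d+)")
# "<ip>@<ifindex>(<ifname>)" as printed by diag ip rtcache
IFNAME_RE = re.compile(r"@(?P<idx>\d+)\((?P<name>\w+)\)")
PKT_RE = re.compile(
    r'msg="vd-(?P<vdom>\S+) received a packet\(proto=(?P<proto>\d+), '
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\w+)\."
)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Session:
    org: Flow                 # original direction, as the packet arrived (pre-NAT)
    reply: Flow               # reply the session expects, as it should arrive (pre-NAT)
    reply_in_dev: int         # interface index the reply is expected to enter on
    ifnames: dict = field(default_factory=dict)  # index -> name, where the dump reveals it


def parse_session(text: str) -> Session:
    hooks = {m["dir"]: Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
             for m in HOOK_RE.finditer(text)}
    dev = DEV_RE.search(text)
    if "org" not in hooks or "reply" not in hooks or dev is None:
        raise ValueError("session dump lacks the hook= or dev= lines")
    names = {int(m["idx"]): m["name"] for m in IFNAME_RE.finditer(text)}
    return Session(hooks["org"], hooks["reply"], int(dev["rep_in"]), names)


def parse_packets(text: str) -> list:
    """Return (flow, ingress interface name, vdom) for each print_pkt_detail line."""
    return [(Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"])), m["iface"], m["vdom"])
            for m in PKT_RE.finditer(text)]


def check_reply(sess: Session, pkt: Flow, iface: str) -> list:
    """List every way the observed reply packet differs from what the session expects."""
    findings = []
    exp = sess.reply
    if pkt.src != exp.src:
        findings.append(f"reply source {pkt.src} != expected {exp.src}: "
                        "the real server answered with its own address, not the VIP")
    if pkt.dst != exp.dst:
        findings.append(f"reply destination {pkt.dst} != expected {exp.dst}")
    if pkt.dport != exp.dport:
        findings.append(f"reply dst port {pkt.dport} != expected {exp.dport}: "
                        "this packet is not the dumped connection")
    idx_by_name = {name: idx for idx, name in sess.ifnames.items()}
    in_dev = idx_by_name.get(iface)
    if in_dev is not None and in_dev != sess.reply_in_dev:
        findings.append(f"reply entered on {iface} (dev {in_dev}) but the session expects "
                        f"replies on dev {sess.reply_in_dev}: asymmetric path")
    return findings


if __name__ == "__main__":
    sess = parse_session(SESSION_TEXT)
    for flow, iface, vdom in parse_packets(FLOW_TEXT):
        print(f"[{vdom}] {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} from {iface}")
        for finding in check_reply(sess, flow, iface):
            print("  -", finding)
```

The three mismatches it reports for the quoted output (source address, destination port, ingress interface) are the facts to settle before touching policy: the returning SYN-ACK is a different connection from the dumped session, it carries the real server's address rather than the VIP, and it enters the office VDOM from tops instead of the interface the session was built on.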
Copyright 2024 Fortinet, Inc. All Rights Reserved.