Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aguerriero
Contributor II

Created on ‎07-31-2023 01:17 PM

Fortigate SSLVPN client/server will not pass traffic unless "diag firewall iprope flush" is issued.

This is across multiple firewall client types running 7.0.12 and 7.2.5.

The VPN head end is running 7.2.5.

When configuring the fortigate as an SSL VPN Client connecting to another fortigate acting as an SSL VPN concentrator the tunnel will come up but traffic will not pass until the command "diag firewall iprope flush" is issued from CLI. Traffic will immediately start passing as soon as the command is issued.

If the device is rebooted the device will again not be able to pass traffic until the command is run.

I guess this command could be scheduled hourly but I would rather identify the issue so the command does not need to be entered at all.

Labels:
1168
0 Kudos
11 REPLIES 11
aguerriero
Contributor II

Created on ‎07-31-2023 06:30 PM

I created an automation stitch that will issue the cli command "diag firewall iprope flush" for log event  interface status change log id 20099 and interface status of UP.

For it to it to work consistently I had to issue the same action twice with ~15 and ~7.5 seconds of delay between trigger and actions.

964
0 Kudos
srajeswaran
Staff
Staff
In response to aguerriero

Created on ‎07-31-2023 11:23 PM

Great finding the workaround. Can you collect "diagnose firewall iprope list 00100004 " during the issue state /before flushing the iprope table and then collect same command after the fix?

We can check if there is any changes to the policies and then investigate further.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

947
0 Kudos
aguerriero
Contributor II
In response to srajeswaran

Created on ‎08-01-2023 11:18 AM

I eran the list and then the flush. From the image below it looks like I don't get anything from that list command after flushing. 

 

Capture234.PNG

925
0 Kudos
aguerriero
Contributor II
In response to aguerriero

Created on ‎08-01-2023 02:59 PM Edited on ‎08-01-2023 03:00 PM

Something peculiar. I enabled local-in policy and it appears that my ssl interface does not ever get policies created for it.

097b3fd3-e630-4cef-9fae-5f754bcf317f.PNG


If I enable HA mode and set it to a-p I now have the option to set a management IP address.  If I manually set the management IP, everything works as expected and I never have to flush iprope. Even though the IP address is being set by the IP pool in the hubs portal configuration, because there isn't a manual IP address assignment on the tunnel interface local in policies are never created.

Here is a screenshot after enabling HA A-P and manually setting a management ip.


d6d548b1-839d-4f84-a909-ee593afca01c.PNG

e645a195-5a6b-4268-929f-38cc3c922a5b.PNG



You could say that running a standalone in ha a-p mode and manually setting an IP is a workaround. But I have over 900 standalone spoke firewalls.

913
0 Kudos
srajeswaran
Staff
Staff
In response to aguerriero

Created on ‎08-01-2023 11:04 PM

Interesting finding. This needs remote session to understand better. I would suggest to open a support ticket to verify/validate the configuration according to your design/connectivity .

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

894
0 Kudos
aguerriero
Contributor II
In response to srajeswaran

Created on ‎08-02-2023 09:00 PM

I will submit a TAC case based on your recommendation.

Thank you.

868
0 Kudos
srajeswaran
Staff
Staff
In response to aguerriero

Created on ‎08-01-2023 10:59 PM

With no entries in iprope list traffic is not expected to work, are you sure the traffic was working when you collected the output (after executing the flush command)?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

899
aguerriero
Contributor II
In response to srajeswaran

Created on ‎08-02-2023 09:10 AM Edited on ‎08-02-2023 09:13 AM

Traffic to the fortigate itself doesn't require a standard policy. From what I see, the fortigate relies on those check boxes in the admin section to create local-in policies. Those policies never get created because the fortigate doesn't have an IP set, even though it has received an address from the portal through ip pool configuration. It exists as a directly connect route associated with the tunnel interface.

The proof is in the repeatability. After a clean reboot it does not work until I issue an iprope flush. Assigning a management IP address manually through CLI works, but you can only assign a management ip address if the system is running in an ha mode other than standalone.

 

routing table.PNG





Admin access.PNG

878
0 Kudos
pgautam
Staff
Staff

Created on ‎07-31-2023 11:25 PM

Hi,

 

Please share the below details at the time of the traffic issue:-

get router info routing-table details <src IP>
get router info routing-table details <dst IP>
++ Do you have any policy route or SDWAN configured at the client site?

 

dia sniffer packet any "host <server_IP>" 4 0 a 

 

Regards

Priyanka

 

946
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.