Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tomeks
New Contributor II

Fortigate asymmetric routing

Where in Fortigate can I observe that the connection has been blocked due to asymmetric routing? I can't see log entries.

akristof
Staff

Hello,
Thank you for your question. You will not see an explicit log related to asymmetric routing. You might see logs related to "No session match". The best way to confirm asymmetric routing is with debug flow:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Adrian
tomeks
New Contributor II

What I miss after the change from Barracuda to FortiGate is a single place where I can see why a connection failed. Diagnose sniffer will also often fail to show traffic if it is handled by the SPU.

akristof

Hi.

 

Yes. But if traffic does not match any known session, then the packet is visible in packet capture or debug, and in many scenarios a no-session-matched log is generated.

Adrian
tomeks
New Contributor II

I don't see no-session-matched in the log. Maybe I'm looking in the wrong place?

akristof

Hi,
No-session-matched logs are under forward-traffic logs.

Adrian
tomeks
New Contributor II

I don't see it in the forward-traffic logs.
In the sniffer I see only the ping request.

In debug flow:

id=20085 trace_id=1 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, X.X.X.X:1->Y.Y.Y.Y:2048) from vlan1. type=8, code=0, id=1, seq=9621."
id=20085 trace_id=1 func=init_ip_session_common line=5955 msg="allocate a new session-004b3c0b"
id=20085 trace_id=1 func=ip_route_input_slow line=2266 msg="reverse path check fail, drop"
id=20085 trace_id=1 func=ip_session_handle_no_dst line=6041 msg="trace"

Debbie_FTNT

Hey tomeks,

That debug flow indicates that FortiGate gets a packet from x.x.x.x on vlan1. It will check the reverse route (what route points TO x.x.x.x), and apparently the reverse route does not go via vlan1.

This causes the 'reverse path check fail' error.
Are you sure you have asymmetric routing enabled on the FortiGate?

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
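Since FortiOS writes no log for this drop, one way to get a persistent record is to save the `diagnose debug flow` session to a file and post-process it. The script below is an added example (not from this thread or from Fortinet): it parses constructed lines in the format tomeks posted above and reports every trace that ended in a "reverse path check fail" drop, together with the source, destination and the interface the packet arrived on.

```python
import re

# Constructed sample in the shape of `diagnose debug flow` output (one
# key=value list per line). Addresses and session ids are placeholders.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=1, 10.0.1.5:1->10.0.2.9:2048) from vlan1. type=8, code=0, id=1, seq=9621."
id=20085 trace_id=1 func=init_ip_session_common line=5955 msg="allocate a new session-004b3c0b"
id=20085 trace_id=1 func=ip_route_input_slow line=2266 msg="reverse path check fail, drop"
id=20085 trace_id=1 func=ip_session_handle_no_dst line=6041 msg="trace"
id=20085 trace_id=2 func=print_pkt_detail line=5783 msg="vd-root:0 received a packet(proto=6, 10.0.3.7:51000->10.0.2.9:443) from port2. flag [S], seq 1, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5955 msg="allocate a new session-004b3c0c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.0.2.9 via port3"
"""

# key=value pairs; msg is double-quoted and may itself contain spaces and '='.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# First line of every trace: protocol, src, dst and the ingress interface.
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')

def parse_line(line):
    """Split one debug-flow line into a dict of its fields, unquoting msg."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def find_rpf_drops(text):
    """Group lines by trace_id and return the traces that hit the RPF drop."""
    traces = {}
    for raw in text.splitlines():
        f = parse_line(raw)
        tid = f.get("trace_id")
        if tid is None:
            continue
        t = traces.setdefault(tid, {"trace_id": tid, "rpf_drop": False})
        msg = f.get("msg", "")
        m = PKT_RE.search(msg)
        if m:
            # ingress is the interface the reverse route did NOT point to
            t["proto"], t["src"], t["dst"], t["ingress"] = m.groups()
        if "reverse path check fail" in msg:
            t["rpf_drop"] = True
    return [t for t in traces.values() if t["rpf_drop"]]

if __name__ == "__main__":
    for d in find_rpf_drops(SAMPLE_DEBUG_FLOW):
        print(f"trace {d['trace_id']}: proto={d['proto']} {d['src']} -> {d['dst']} "
              f"arrived on {d['ingress']}, reverse route elsewhere: dropped")
```

For each reported source, `get router info routing-table details <src-ip>` on the FortiGate shows which interface the reverse route actually uses, which is the mismatch to fix on the routing side rather than by enabling asymmetric routing.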
tomeks
New Contributor II

I don't have asymmetric routing turned on, and for security reasons, I don't want to have it turned on. My question was, in what logs can I see that such a problem has occurred? In diagnose debug I can only see it in real time.

tomeks
New Contributor II

That is very bad. Sometimes the problem can arise when I do not have access to the FortiGate.
