Hi
My GRE tunnel connection is not working after upgrading FortiOS from 7.4.1 to 7.4.3.
Forti shows that the connection is UP, but I have no access to the network.
Checked policies, diagnosed connection and everything looks fine.
Any idea what to check next? How to monitor?
Best regards,
Rafal
I tried to upgrade via the suggested path and directly from mine to 7.4.4, and none of it worked for me...
diag sys gre list
RX packets:2669, TX packets:1592, TX carrier_err:0 collisions:3719
Can you see the collisions increasing?
It is recommended to capture packets:
GRE:
# diagnose sniffer packet any "proto 47" 4 0 l
# diagnose sniffer packet any "x.x.x.x and icmp" 4 0 l
Thanks
Kangming
Created on 06-02-2024 12:58 AM Edited on 06-02-2024 01:05 AM
result
#diagnose sniffer packet any "icmp" 4 0 l
192.168.1.25 - local PC
192.168.8.3 - device behind GRE
The GRE tunnel is UP; inside the GRE tunnel we have IPsec, also UP.
I can ping, but I get no ICMP response.
With nothing else changed, when I go back to 7.4.1, ping and all connections work fine.
My debug:
#diag debug flow filter addr 192.168.8.
#diag debug flow filter proto
#diag debug flow trace start 10
#diag debug flow show function-name enabl
#diag debug console timestamp enabl
#diag debug en
------- RESULT ------------
2024-06-02 09:51:35 id=65308 trace_id=123 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 217.153.10.135:61596->192.168.8.3:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=61596, seq=56027."
2024-06-02 09:51:35 id=65308 trace_id=123 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d06ec, original direction"
2024-06-02 09:51:35 id=65308 trace_id=123 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface CoXXXXX, tun_id=0.0.0.0"
2024-06-02 09:51:35 id=65308 trace_id=123 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel ComXXXX, tun_id=212.xxx.xxx, vrf 0"
2024-06-02 09:51:35 id=65308 trace_id=123 func=ipsec_common_output4 line=901 msg="No matching IPsec selector, drop"
2024-06-02 09:51:36 id=65308 trace_id=124 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.8.3:6xxxx->10.xx.xx.:0) tun_id=212.x.x.x from gre_plus. type=0, code=0, id=61597, seq=55959."
2024-06-02 09:51:36 id=65308 trace_id=124 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d08f7, reply direction"
2024-06-02 09:51:36 id=65308 trace_id=124 func=ipsec_input4 line=281 msg="anti-spoof check failed, drop"
2024-06-02 09:51:36 id=65308 trace_id=125 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 10.x.x.x:xxxx->192.168.8.3:xxx) tun_id=0.0.0.0 from local. type=8, code=0, id=61597, seq=55960."
2024-06-02 09:51:36 id=65308 trace_id=125 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d08f7, original direction"
2024-06-02 09:51:36 id=65308 trace_id=125 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Coxx, tun_id=0.0.0.0"
2024-06-02 09:51:36 id=65308 trace_id=125 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Com-XXX, tun_id=212.x.x.x, vrf 0"
2024-06-02 09:51:36 id=65308 trace_id=125 func=esp_output4 line=876 msg="IPsec encrypt/auth"
2024-06-02 09:51:36 id=65308 trace_id=125 func=ipsec_output_finish line=666 msg="send to 217.x.x.x via intf-wan1"
2024-06-02 09:51:36 id=65308 trace_id=126 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 217.xx.xx.xx->192.168.8.3:xx) tun_id=0.0.0.0 from local. type=8, code=0, id=61599, seq=56028."
2024-06-02 09:51:36 id=65308 trace_id=126 func=init_ip_session_common line=6063 msg="allocate a new session-036d0adc"
2024-06-02 09:51:36 id=65308 trace_id=126 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface CoXXXX, tun_id=0.0.0.0"
2024-06-02 09:51:36 id=65308 trace_id=126 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Com-to-Plus, tun_id=212.x.x.x, vrf 0"
2024-06-02 09:51:36 id=65308 trace_id=126 func=ipsec_common_output4 line=901 msg="No matching IPsec selector, drop"
2024-06-02 09:51:36 id=65308 trace_id=127 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.8.3:xxx->10.x.x.x:0) tun_id=212.x.x.x from gre_plus. type=0, code=0, id=61597, seq=55960."
2024-06-02 09:51:36 id=65308 trace_id=127 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d08f7, reply direction"
2024-06-02 09:51:36 id=65308 trace_id=127 func=ipsec_input4 line=281 msg="anti-spoof check failed, drop"
2024-06-02 09:51:36 id=65308 trace_id=128 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.1.25:1->192.168.8.3:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=546."
2024-06-02 09:51:36 id=65308 trace_id=128 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-0363dece, original direction"
2024-06-02 09:51:36 id=65308 trace_id=128 func=npu_handle_session44 line=1224 msg="Trying to offloading session from lan to gre_plus, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x00000101"
2024-06-02 09:51:36 id=65308 trace_id=128 func=fw_forward_dirty_handler line=442 msg="state=00010204, state2=00000005, npu_state=00000101"
2024-06-02 09:51:36 id=65308 trace_id=128 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Com-to-Plus, tun_id=0.0.0.0"
2024-06-02 09:51:36 id=65308 trace_id=128 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Com-to-Plus, tun_id=212.x.x.x, vrf 0"
2024-06-02 09:51:36 id=65308 trace_id=128 func=esp_output4 line=876 msg="IPsec encrypt/auth"
2024-06-02 09:51:36 id=65308 trace_id=128 func=ipsec_output_finish line=666 msg="send to 217.x.x.x via intf-wan1"
========================
gate # show full system settings | grep asym
set asymroute disable
set asymroute-icmp disable
set asymroute6 disable
set asymroute6-icmp disable
gate # show full | grep src-check
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check disable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set src-check enable
set strict-src-check disable
=======================
MAIN PROBLEM
"anti-spoof check failed, drop"
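A trace like the one above is easier to read when the lines are grouped by trace_id and reduced to "ingress interface, 5-tuple, final verdict". The script below is an added example, not part of the post or of FortiOS; it parses the `diag debug flow` line format shown in this thread and reports, per packet, where it entered and which function dropped or forwarded it, then counts drops by function and reason so the dominant failure (here the `ipsec_input4` anti-spoof drop on replies arriving from `gre_plus`, and the selector mismatch on `ipsec_common_output4`) stands out. The sample lines are constructed in the same format as the post's output with documentation/private addresses; the regular expressions are my assumptions about that format and may need adjusting for other message types.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of FortiOS `diag debug flow` output (not the
# exact lines from the post; addresses are documentation/private ranges).
SAMPLE_TRACE = """\
2024-06-02 09:51:35 id=65308 trace_id=123 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 198.51.100.7:61596->192.168.8.3:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=61596, seq=56027."
2024-06-02 09:51:35 id=65308 trace_id=123 func=resolve_ip_tuple_fast line=5967 msg="Find an existing session, id-036d06ec, original direction"
2024-06-02 09:51:35 id=65308 trace_id=123 func=ipsec_common_output4 line=901 msg="No matching IPsec selector, drop"
2024-06-02 09:51:36 id=65308 trace_id=124 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.8.3:61597->10.0.0.1:0) tun_id=203.0.113.9 from gre_plus. type=0, code=0, id=61597, seq=55959."
2024-06-02 09:51:36 id=65308 trace_id=124 func=ipsec_input4 line=281 msg="anti-spoof check failed, drop"
2024-06-02 09:51:36 id=65308 trace_id=128 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 192.168.1.25:1->192.168.8.3:2048) tun_id=0.0.0.0 from lan. type=8, code=0, id=1, seq=546."
2024-06-02 09:51:36 id=65308 trace_id=128 func=esp_output4 line=876 msg="IPsec encrypt/auth"
2024-06-02 09:51:36 id=65308 trace_id=128 func=ipsec_output_finish line=666 msg="send to 198.51.100.7 via intf-wan1"
"""

# One debug-flow line: timestamp, id, trace_id, func, line, quoted msg.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
# The print_pkt_detail message: proto, src:port->dst:port, tun_id, ingress interface.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\) tun_id=(?P<tun>[\d.]+) from (?P<iface>[^.]+)\.'
)
# The final forwarding message: next hop and egress interface.
SEND_RE = re.compile(r'send to (?P<nexthop>[\d.]+) via (?P<iface>\S+)')


def parse_line(line):
    """Split one debug-flow line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_traces(text):
    """Group lines by trace_id and record ingress, addresses and the final verdict per packet."""
    traces = OrderedDict()
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        t = traces.setdefault(rec["trace"], {"verdict": "unknown", "steps": []})
        t["steps"].append(rec["func"])
        msg = rec["msg"]
        pkt = PKT_RE.search(msg)
        if pkt:
            t.update(src=pkt["src"], dst=pkt["dst"], proto=int(pkt["proto"]), ingress=pkt["iface"])
        elif msg.endswith("drop"):
            t["verdict"] = "drop"
            t["reason"] = msg.rsplit(",", 1)[0]  # text before ", drop"
            t["drop_func"] = rec["func"]
        else:
            s = SEND_RE.search(msg)
            if s:
                t["verdict"] = "forward"
                t["egress"] = s["iface"]
                t["nexthop"] = s["nexthop"]
    return traces


def drop_report(traces):
    """Count drops by (function, reason) so the dominant failure stands out."""
    counts = {}
    for t in traces.values():
        if t["verdict"] == "drop":
            key = (t["drop_func"], t["reason"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    traces = summarize_traces(SAMPLE_TRACE)
    for tid, t in traces.items():
        print(tid, t.get("ingress"), t.get("src"), "->", t.get("dst"),
              t["verdict"], t.get("reason", t.get("egress", "")))
    for (func, reason), n in drop_report(traces).items():
        print(f"{n}x {func}: {reason}")
```

To use it on a real capture, save the console output of `diag debug flow` to a file and pass its contents to `summarize_traces()`; comparing the per-trace verdicts before and after a firmware change (the poster's 7.4.1 vs 7.4.3) shows exactly which direction and which function started dropping.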
Did you (or TAC) resolve the problem? Because I have the same issue.