JesperV
New Contributor

GRE tunnel ExtraIP.com

Hello,

 

I am trying to setup a GRE tunnel with ExtraIP.com. They provide a few documents about different firewalls, but not fortigate.

 

I've setup a tunnel with the following config:

config system gre-tunnel
    edit "ExtraIP"
        set interface "VLAN100"    // VLAN 100 is my WAN connection from my provider
        set remote-gw (REMOTE GW OF EXTRAIP)
        set local-gw (MY PUBLIC IP)
    next
end
config system interface
    edit "ExtraIP"
        set type tunnel
        set interface "ExtraIP"
        set allowaccess ping
        set alias "ExtraIP GRE"
        set ip (SECOND IP OF /29)/32
    next
end

 

When I check the diag sniffer with this command:

diag sniffer packet wan1 "host (ExtraIP Gateway)" 4

 

I only get packets coming in; there are no packets going out:

0.593645 VLAN100 in (ExtraIP GW) -> (My Public IP): gre: length 50 proto-800
1.929499 VLAN100 in (ExtraIP GW) -> (My Public IP): gre: length 70 proto-800

 

And when I assign port 443 via VIP and firewall policy to a linux server with nginx, I get ERR_CONNECTION_TIMED_OUT

 

Can anyone help me troubleshoot? I've been busy for over 2 hours without any luck.

AEK
SuperUser

Hi Jesper

Did you configure the required routes and firewall policies?

You can use this tech tip as an example:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-and-verifying-a-GRE-tunnel-bet...

AEK
JesperV
New Contributor

Hi AEK,

I do have a route with the ExtraIP Gateway as destination, routed through VLAN100 (WAN).

 

I don't want my servers talking to the outside world with the extra IPs; I only want some HTTPS servers to be port-forwarded. The servers can talk to the outside world with my ISP public IP, so I have no 0.0.0.0 route to the ExtraIP tunnel.

 

What I do have working is that from my local PC I am able to go to the first available IP in my subnet and my webserver is reachable, but to the outside world it is not available.

 

I have the following firewall rules:

 

LAN to ExtraIP

ExtraIP to LAN

 

Do I need to add these as well, or does this not matter?

ExtraIP to VLAN100

VLAN100 to ExtraIP

AEK
SuperUser

What do you get when you run these commands?

get router info routing-table all    # check if you see the GRE route
diag sys gre list
diag netlink interface list | grep -A1 "ExtraIP"

 

AEK
JesperV
New Contributor

get router info routing-table all:
S 185.216.160.***/32 [10/0] via 62.45.(ISP GATEWAY), VLAN100 <--- ExtraIP Gateway
S 185.216.161.***/29 [10/0] is directly connected, ExtraIP <---- My subnet
diag sys gre list:

IPv4:
vd=0 devname=ExtraIP devindex=21 ifindex=24
saddr=185.216.161.(My Subnet) daddr=185.216.160.(Remote ExtraIP) ref=0
key=0/0 flags=0/0 dscp-copy=0 diffservcode=000000
  RX bytes:4820535 (4.5 Mb)  TX bytes:14344 (14.0 kb);
  RX packets:61343, TX packets:170, TX carrier_err:2 collisions:0
  npu-info: asic_offload=0, enc/dec=0/0, enc_bk=0/0/0, dec_bk=0/0/0

total tunnel = 1
diag netlink interface list | grep -A1 "ExtraIP":

if=ExtraIP family=00 type=778 index=24 mtu=1476 link=0 master=0
ref=12 state=start present fw_flags=0 flags=up p2p run noarp multicast
JesperV

If I do the following:

diag sniffer packet any 'host (FIRST USABLE IP HERE)' 4

 

And visit that IP from my mobile with 5G internet,

I do see incoming packets from my 5G internet to that first usable IP, but it still gives me an ERR_CONNECTION_TIMED_OUT.

 

Even though there is a firewall rule, ExtraIP -> Server Network, that has a VIP in the destination with 443 linking to an IP that works with 443.

AEK
SuperUser

Try with diag debug flow; it should reveal why the traffic is blocked.

diag debug enable
diag debug flow filter addr ...
diag debug console timestamp enable
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 100

 

AEK
JesperV
New Contributor

Here is the output of that.

 

 

2025-05-07 13:49:53 id=20085 trace_id=242 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=6, 77.63.116.194:7722->185.216.161.122:443) from ExtraIP. flag [S], seq 568359894, ack 0, win 65535"
2025-05-07 13:49:53 id=20085 trace_id=242 func=init_ip_session_common line=5981 msg="allocate a new session-0003e5ba"
2025-05-07 13:49:53 id=20085 trace_id=242 func=iprope_dnat_check line=5121 msg="in-[ExtraIP], out-[]"
2025-05-07 13:49:53 id=20085 trace_id=242 func=iprope_dnat_tree_check line=830 msg="len=1"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_check_one_dnat_policy line=4994 msg="checking gnum-100000 policy-7"
2025-05-07 13:49:53 id=20085 trace_id=242 func=get_new_addr line=1193 msg="find DNAT: IP-10.81.20.50, port-443"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_check_one_dnat_policy line=5077 msg="matched policy-7, act=accept, vip=7, flag=100, sflag=2000020"
2025-05-07 13:49:53 id=20085 trace_id=242 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000020, vid-7, ret-matched, act-accept, flag-00000100"
2025-05-07 13:49:53 id=20085 trace_id=242 func=fw_pre_route_handler line=181 msg="VIP-10.81.20.50:443, outdev-ExtraIP"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__ip_session_run_tuple line=3522 msg="DNAT 185.216.161.122:443->10.81.20.50:443"
2025-05-07 13:49:53 id=20085 trace_id=242 func=vf_ip_route_input_common line=2615 msg="find a route: flag=00000000 gw-10.81.20.50 via Server Network"
2025-05-07 13:49:53 id=20085 trace_id=242 func=iprope_fwd_check line=765 msg="in-[ExtraIP], out-[Server Network], skb_flags-020000e0, vid-7, app_id: 0, url_cat_id: 0"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=4"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_check_one_policy line=1960 msg="checked gnum-100004 policy-22, ret-matched, act-accept"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_user_identity_check line=1777 msg="ret-matched"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_check line=2203 msg="gnum-4e20, check-5f023d28"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_check_one_policy line=1960 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_check_one_policy line=1960 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_check_one_policy line=1960 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_check line=2222 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__iprope_check_one_policy line=2174 msg="policy-22 is matched, act-accept"
2025-05-07 13:49:53 id=20085 trace_id=242 func=iprope_fwd_check line=806 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-22"
2025-05-07 13:49:53 id=20085 trace_id=242 func=iprope_fwd_auth_check line=825 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-22"
2025-05-07 13:49:53 id=20085 trace_id=242 func=fw_forward_handler line=803 msg="Allowed by Policy-22:"
2025-05-07 13:49:53 id=20085 trace_id=242 func=ipd_post_route_handler line=490 msg="out Server Network vwl_zone_id 0, state2 0x0, quality 0."
2025-05-07 13:49:53 id=20085 trace_id=243 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=6, 10.81.20.50:443->77.63.116.194:7722) from Server Network. flag [S.], seq 2230821619, ack 568359895, win 65535"
2025-05-07 13:49:53 id=20085 trace_id=243 func=resolve_ip_tuple_fast line=5891 msg="Find an existing session, id-0003e5ba, reply direction"
2025-05-07 13:49:53 id=20085 trace_id=243 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-62.45.170.129 via VLAN100"
2025-05-07 13:49:53 id=20085 trace_id=243 func=npu_handle_session44 line=1223 msg="Trying to offloading session from Server Network to VLAN100, skb.npu_flag=00000400 ses.state=00210200 ses.npu_state=0x00040000"
2025-05-07 13:49:53 id=20085 trace_id=243 func=fw_forward_dirty_handler line=397 msg="state=00210200, state2=00000000, npu_state=00040000"
2025-05-07 13:49:53 id=20085 trace_id=243 func=__ip_session_run_tuple line=3508 msg="SNAT 10.81.20.50->185.216.161.122:443"
2025-05-07 13:49:53 id=20085 trace_id=243 func=ipd_post_route_handler line=490 msg="out VLAN100 vwl_zone_id 0, state2 0x0, quality 0."

This is what ChatGPT says; I don't know if it is accurate:

 

DNAT works:
185.216.161.122:443 → 10.81.20.50:443

SNAT works (return path uses correct public IP):
10.81.20.50 → 77.63.116.194 gets SNAT'ed as 185.216.161.122

Routing works:
FortiGate routes outbound via VLAN100, which is what you intended.

BUT... despite all this, the client never receives the SYN-ACK.

What's wrong?
The packet is being sent twice out from the firewall:

ipd_post_route_handler ... out VLAN100

But the client doesn't receive the SYN-ACK.
JesperV

Now I am getting this error:

 

2025-05-07 14:33:10 id=20085 trace_id=309 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=6, 82.199.64.68:50786->185.216.161.122:443) from ExtraIP. flag [S], seq 1842012866, ack 0, win 64240"
2025-05-07 14:33:10 id=20085 trace_id=309 func=init_ip_session_common line=5981 msg="allocate a new session-00042aaf"
2025-05-07 14:33:10 id=20085 trace_id=309 func=iprope_dnat_check line=5121 msg="in-[ExtraIP], out-[]"
2025-05-07 14:33:10 id=20085 trace_id=309 func=iprope_dnat_tree_check line=830 msg="len=1"
2025-05-07 14:33:10 id=20085 trace_id=309 func=__iprope_check_one_dnat_policy line=4994 msg="checking gnum-100000 policy-7"
2025-05-07 14:33:10 id=20085 trace_id=309 func=get_new_addr line=1193 msg="find DNAT: IP-10.81.20.50, port-0"
2025-05-07 14:33:10 id=20085 trace_id=309 func=__iprope_check_one_dnat_policy line=5077 msg="matched policy-7, act=accept, vip=7, flag=100, sflag=2000020"
2025-05-07 14:33:10 id=20085 trace_id=309 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000020, vid-7, ret-matched, act-accept, flag-00000100"
2025-05-07 14:33:10 id=20085 trace_id=309 func=fw_pre_route_handler line=181 msg="VIP-10.81.20.50:443, outdev-ExtraIP"
2025-05-07 14:33:10 id=20085 trace_id=309 func=__ip_session_run_tuple line=3522 msg="DNAT 185.216.161.122:443->10.81.20.50:443"
2025-05-07 14:33:10 id=20085 trace_id=309 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2025-05-07 14:33:10 id=20085 trace_id=309 func=ip_session_handle_no_dst line=6065 msg="trace"
2025-05-07 14:33:10 id=20085 trace_id=310 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=6, 82.199.64.68:50787->185.216.161.122:443) from ExtraIP. flag [S], seq 406690344, ack 0, win 64240"
2025-05-07 14:33:10 id=20085 trace_id=310 func=init_ip_session_common line=5981 msg="allocate a new session-00042ab1"
2025-05-07 14:33:10 id=20085 trace_id=310 func=iprope_dnat_check line=5121 msg="in-[ExtraIP], out-[]"
2025-05-07 14:33:10 id=20085 trace_id=310 func=iprope_dnat_tree_check line=830 msg="len=1"
2025-05-07 14:33:10 id=20085 trace_id=310 func=__iprope_check_one_dnat_policy line=4994 msg="checking gnum-100000 policy-7"
2025-05-07 14:33:10 id=20085 trace_id=310 func=get_new_addr line=1193 msg="find DNAT: IP-10.81.20.50, port-0"
2025-05-07 14:33:10 id=20085 trace_id=310 func=__iprope_check_one_dnat_policy line=5077 msg="matched policy-7, act=accept, vip=7, flag=100, sflag=2000020"
2025-05-07 14:33:10 id=20085 trace_id=310 func=iprope_dnat_check line=5134 msg="result: skb_flags-02000020, vid-7, ret-matched, act-accept, flag-00000100"
2025-05-07 14:33:10 id=20085 trace_id=310 func=fw_pre_route_handler line=181 msg="VIP-10.81.20.50:443, outdev-ExtraIP"
2025-05-07 14:33:10 id=20085 trace_id=310 func=__ip_session_run_tuple line=3522 msg="DNAT 185.216.161.122:443->10.81.20.50:443"
2025-05-07 14:33:10 id=20085 trace_id=310 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
2025-05-07 14:33:10 id=20085 trace_id=310 func=ip_session_handle_no_dst line=6065 msg="trace"
AEK

"reverse path check fail" means there is no route back to the source IP.

That's normal because you don't have a route to client IP through the GRE tunnel.

AEK
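To make the two `diag debug flow` traces posted in this thread easier to compare, here is an added Python script (my own example, not from the thread, from Fortinet, or from ExtraIP). It groups trace lines by trace_id, pairs the original and reply direction of each session by session id, and then reports either the drop reason the FortiGate logged (the "reverse path check fail, drop" case) or, where both policies matched, that the reply left on a different interface than the request arrived on (the VLAN100 vs. ExtraIP case). The sample input is a trimmed copy of the traces above; the field names and the verdict strings are this script's own conventions, not FortiOS output.

```python
import re
from collections import defaultdict

# Constructed sample input: a trimmed copy of the two `diag debug flow` traces
# posted in this thread (session 0003e5ba forwarded, 00042aaf dropped).
SAMPLE_TRACE = """\
2025-05-07 13:49:53 id=20085 trace_id=242 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=6, 77.63.116.194:7722->185.216.161.122:443) from ExtraIP. flag [S], seq 568359894, ack 0, win 65535"
2025-05-07 13:49:53 id=20085 trace_id=242 func=init_ip_session_common line=5981 msg="allocate a new session-0003e5ba"
2025-05-07 13:49:53 id=20085 trace_id=242 func=__ip_session_run_tuple line=3522 msg="DNAT 185.216.161.122:443->10.81.20.50:443"
2025-05-07 13:49:53 id=20085 trace_id=242 func=vf_ip_route_input_common line=2615 msg="find a route: flag=00000000 gw-10.81.20.50 via Server Network"
2025-05-07 13:49:53 id=20085 trace_id=242 func=fw_forward_handler line=803 msg="Allowed by Policy-22:"
2025-05-07 13:49:53 id=20085 trace_id=242 func=ipd_post_route_handler line=490 msg="out Server Network vwl_zone_id 0, state2 0x0, quality 0.
"
2025-05-07 13:49:53 id=20085 trace_id=243 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=6, 10.81.20.50:443->77.63.116.194:7722) from Server Network. flag [S.], seq 2230821619, ack 568359895, win 65535"
2025-05-07 13:49:53 id=20085 trace_id=243 func=resolve_ip_tuple_fast line=5891 msg="Find an existing session, id-0003e5ba, reply direction"
2025-05-07 13:49:53 id=20085 trace_id=243 func=vf_ip_route_input_common line=2615 msg="find a route: flag=04000000 gw-62.45.170.129 via VLAN100"
2025-05-07 13:49:53 id=20085 trace_id=243 func=__ip_session_run_tuple line=3508 msg="SNAT 10.81.20.50->185.216.161.122:443"
2025-05-07 13:49:53 id=20085 trace_id=243 func=ipd_post_route_handler line=490 msg="out VLAN100 vwl_zone_id 0, state2 0x0, quality 0."
2025-05-07 14:33:10 id=20085 trace_id=309 func=print_pkt_detail line=5810 msg="vd-root:0 received a packet(proto=6, 82.199.64.68:50786->185.216.161.122:443) from ExtraIP. flag [S], seq 1842012866, ack 0, win 64240"
2025-05-07 14:33:10 id=20085 trace_id=309 func=init_ip_session_common line=5981 msg="allocate a new session-00042aaf"
2025-05-07 14:33:10 id=20085 trace_id=309 func=ip_route_input_slow line=2264 msg="reverse path check fail, drop"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=\S+ line=\d+ msg="(?P<msg>.*)$')
PKT_RE = re.compile(r'received a packet\(proto=\d+, (?P<src>\S+)->(?P<dst>\S+)\) '
                    r'from (?P<iface>.+?)\. flag \[(?P<flag>[^\]]*)\]')
NEW_SESSION_RE = re.compile(r'allocate a new session-(\w+)')
REPLY_SESSION_RE = re.compile(r'Find an existing session, id-(\w+), reply direction')
NAT_RE = re.compile(r'^(?P<kind>[DS]NAT) (?P<before>\S+)->(?P<after>\S+)$')
ROUTE_RE = re.compile(r'find a route: flag=\S+ gw-\S+ via (?P<iface>.+)$')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')
OUT_RE = re.compile(r'^out (?P<iface>.+?) vwl_zone_id')


def parse_traces(text):
    """Group debug-flow lines by trace_id and pull out the decision points."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:  # continuation lines (a lone closing quote) are skipped
            continue
        msg = m["msg"].rstrip('"')
        t = traces.setdefault(m["tid"], {
            "trace_id": m["tid"], "session": None, "direction": None,
            "in_iface": None, "out_iface": None, "dnat": None, "snat": None,
            "route_iface": None, "policy": None, "drop": None})
        if (p := PKT_RE.search(msg)):
            t.update(src=p["src"], dst=p["dst"], in_iface=p["iface"], flag=p["flag"])
        elif (s := NEW_SESSION_RE.search(msg)):
            t["session"], t["direction"] = s.group(1), "original"
        elif (s := REPLY_SESSION_RE.search(msg)):
            t["session"], t["direction"] = s.group(1), "reply"
        elif (n := NAT_RE.match(msg)):
            t[n["kind"].lower()] = (n["before"], n["after"])   # "dnat" or "snat"
        elif (r := ROUTE_RE.search(msg)):
            t["route_iface"] = r["iface"]
        elif (pol := POLICY_RE.search(msg)):
            t["policy"] = int(pol.group(1))
        elif (o := OUT_RE.match(msg)):
            t["out_iface"] = o["iface"]
        elif msg.endswith(", drop"):
            t["drop"] = msg
    return traces


def analyze(traces):
    """Pair each session's original and reply traces and judge the outcome."""
    by_session = defaultdict(dict)
    for t in traces.values():
        if t["session"]:
            by_session[t["session"]][t["direction"]] = t
    findings = []
    for sid, dirs in sorted(by_session.items()):
        orig, reply = dirs.get("original"), dirs.get("reply")
        f = {"session": sid,
             "in_iface": orig["in_iface"] if orig else None,
             "dnat": orig["dnat"] if orig else None,
             "policy": orig["policy"] if orig else None,
             "reply_out_iface": reply["out_iface"] if reply else None,
             "asymmetric": False, "verdict": "forwarded"}
        if orig and orig["drop"]:
            # e.g. "reverse path check fail, drop": the FortiGate has no route
            # back to the source address via the interface the packet came in on.
            f["verdict"] = "dropped: " + orig["drop"]
        elif orig and reply and reply["out_iface"] != orig["in_iface"]:
            # Both policies matched, but the SYN-ACK leaves on another interface
            # (VLAN100) instead of going back through the tunnel it arrived on.
            f["asymmetric"] = True
            f["verdict"] = (f"forwarded, but reply exits {reply['out_iface']} "
                            f"while request entered {orig['in_iface']}")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(parse_traces(SAMPLE_TRACE)):
        print(f"session {f['session']}: in={f['in_iface']} dnat={f['dnat']} "
              f"policy={f['policy']} reply_out={f['reply_out_iface']} -> {f['verdict']}")
```

Run it against a saved `diag debug flow` capture (paste it in place of the sample) to see, per session, where the decision was made; the pairing by session id is what makes the asymmetric return path in the first trace visible, which a read of the individual lines easily misses.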