mhaneke
Contributor

IPSec client is blocked by implicit deny although allow rule exists

Hello,

I created the following rule to allow an IPSec client network aka EMS_IKEv1_F_NB [198.18.27.0/24] to access Intranet aka TRK3 [192.168.0.0/16]. Nevertheless the client is blocked by the implicit deny rule.

When I try to check the policy using the Policy Match Tool while the client is connected it returns "No route exists from source address 198.18.27.2".

But get router info routing-table details shows

S 198.18.27.2/32 [15/0] via EMS_IKEv1_F_NB tunnel 198.18.27.2, [1/0]

while the client is connected.

 

FGRO01 (vdom) # edit root
current vf=root:0

CFGRO01 (root) # config firewall policy

CFGRO01 (policy) # edit "32"

CFGRO01 (32) # show
config firewall policy
edit 32
set name "Allow-in-EMS"
set uuid d90bd78a-fe42-51ee-5614-00952a1efac4
set srcintf "EMS_IKEv1_F_NB"
set dstintf "TRK3"
set action accept
set srcaddr "IKEv1_Range"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end

 

best regards

Martin

AEK
SuperUser

Hi Martin

Please collect the debug flow logs while pinging from the client to your internal server.

diag debug flow filter clear
diag debug flow filter addr <client-IP>
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 50
diag debug enable

 

AEK
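
The commands above emit one line per kernel function call, tagged with a trace_id per packet. As an added example (not part of the post above and not Fortinet tooling), this Python script groups such lines by trace_id and reports each packet's ingress interface, routed egress interface and policy verdict; the sample lines are constructed in the debug flow line format, and the 203.0.113.x addresses are documentation placeholders.

```python
import re

# Constructed sample in the "diag debug flow" line format (not captured output).
SAMPLE = r'''
CFGRO01 (root) # id=65308 trace_id=1 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:56766->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=1 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=1 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=2 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56766) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf5e, reply direction"
id=65308 trace_id=3 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->203.0.113.10:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=3 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-203.0.113.1 via port10"
id=65308 trace_id=3 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"
'''

# search() is used on each line because the first line may carry a CLI prompt.
LINE_RE = re.compile(r'\bid=\d+ trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"\s*$')
PKT_RE = re.compile(
    r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\)'
    r'.*? from (\S+?)\.(?:\s|$)')
ROUTE_RE = re.compile(r'find a route: flag=\S+ gw-\S+ via (\S+)')
SESSION_RE = re.compile(
    r'Find an existing session, id-[0-9a-f]+, (original|reply) direction')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')


def parse_flow(text):
    """Group debug-flow lines by trace_id; return one summary dict per packet."""
    traces = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # blank lines, prompts, unrelated console output
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {
            "trace_id": tid, "proto": None, "src": None, "dst": None,
            "in_if": None, "out_if": None,
            "verdict": "undetermined", "policy": None,
        })
        pkt = PKT_RE.search(msg)
        if pkt:
            t["proto"] = int(pkt.group(1))
            t["src"] = f"{pkt.group(2)}:{pkt.group(3)}"
            t["dst"] = f"{pkt.group(4)}:{pkt.group(5)}"
            t["in_if"] = pkt.group(6)
            continue
        route = ROUTE_RE.search(msg)
        if route:
            # The egress interface decides which policies can match at all.
            t["out_if"] = route.group(1)
            continue
        sess = SESSION_RE.search(msg)
        if sess:
            # Packet belongs to a session that was already policy-checked.
            t["verdict"] = "existing-session/" + sess.group(1)
            continue
        allow = ALLOW_RE.search(msg)
        if allow:
            t["verdict"], t["policy"] = "allow", int(allow.group(1))
            continue
        deny = DENY_RE.search(msg)
        if deny:
            # Policy ID 0 is the FortiOS implicit deny.
            t["verdict"], t["policy"] = "deny", int(deny.group(1))
    return list(traces.values())


def denied_flows(traces):
    """Return (src, dst, in_if, out_if, policy) for every denied packet."""
    return [(t["src"], t["dst"], t["in_if"], t["out_if"], t["policy"])
            for t in traces if t["verdict"] == "deny"]


if __name__ == "__main__":
    for t in parse_flow(SAMPLE):
        print(f'trace {t["trace_id"]}: {t["src"]} -> {t["dst"]} '
              f'{t["in_if"]} -> {t["out_if"]} '
              f'{t["verdict"]} policy={t["policy"]}')
```
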
mhaneke

Hello @AEK 

 

Thank you for your quick reply.

The orange line shows traffic to the intranet DNS server 192.168.3.41. But it is blocked by implicit deny. Port 10 is the WAN port.

 

Here is the output of:
diag debug flow filter clear
diag debug flow filter addr 198.18.27.2
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 50
diag debug enable


CFGRO01 (root) # id=65308 trace_id=51 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:56766->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=51 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf5e"
id=65308 trace_id=51 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=51 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=51 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=51 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=51 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=51 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=51 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=51 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=51 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=51 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=51 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=51 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=51 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=51 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=51 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=51 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=52 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56766) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=52 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf5e, reply direction"
id=65308 trace_id=52 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=52 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=52 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=52 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=52 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=52 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=52 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=52 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=52 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=52 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=52 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=53 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=53 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf5f"
id=65308 trace_id=53 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=53 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=53 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=53 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=54 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=54 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf60"
id=65308 trace_id=54 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=54 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=54 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=54 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=55 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=55 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf61"
id=65308 trace_id=55 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=55 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=55 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=55 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=56 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:65129->224.0.0.252:5355) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=56 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf62"
id=65308 trace_id=56 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=56 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=56 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=56 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=57 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=57 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf65"
id=65308 trace_id=57 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=57 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=57 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=57 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=58 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:58520->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=58 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6b"
id=65308 trace_id=58 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=58 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=58 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=58 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=58 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=58 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=58 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=58 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=58 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=58 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=58 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=58 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=58 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=58 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=58 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=58 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=59 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:58520) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=59 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
id=65308 trace_id=59 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=59 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=59 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=59 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=59 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=59 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=59 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=59 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=59 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=59 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=59 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=60 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:49391->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=60 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6d"
id=65308 trace_id=60 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=60 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=60 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=60 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=60 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=60 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=60 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=60 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=60 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=60 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=60 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=60 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=60 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=60 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=60 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=60 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=61 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:49391) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=61 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6d, reply direction"
id=65308 trace_id=61 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=61 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=61 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=61 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=61 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=61 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=61 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=61 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=61 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=62 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:56481->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=62 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6e"
id=65308 trace_id=62 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=62 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=62 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=62 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=62 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=62 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=62 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=62 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=62 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=62 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=62 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=62 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=62 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=62 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=62 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=62 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=63 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56481) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=63 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6e, reply direction"
id=65308 trace_id=63 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=63 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=63 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=63 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=63 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=63 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=63 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=63 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=63 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=64 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:58520->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=64 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, original direction"
id=65308 trace_id=64 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=64 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=64 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=65 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:58520) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=65 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
id=65308 trace_id=65 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=65 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=65 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=65 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=65 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=65 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=65 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=65 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=66 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:58520->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=66 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, original direction"
id=65308 trace_id=66 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=66 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=66 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=67 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:58520) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=67 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
id=65308 trace_id=67 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=67 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=67 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=67 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=67 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=67 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=67 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=67 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=67 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=67 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=67 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=67 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=67 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=67 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=68 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->456.456.456.456:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 3529555738, ack 0, win 64240"
id=65308 trace_id=68 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf70"
id=65308 trace_id=68 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=68 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=68 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=68 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-123.123.123.123 via port10"
id=65308 trace_id=68 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[port10], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=68 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=4"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-no-match, act-accept"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-20, ret-no-match, act-accept"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=68 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-drop"
id=65308 trace_id=68 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=68 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=68 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=69 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:49391->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=69 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6d, original direction"
id=65308 trace_id=69 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=69 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=69 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=70 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:49391) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=70 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6d, reply direction"
id=65308 trace_id=70 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=70 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=70 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=70 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=70 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=70 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=70 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=70 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=70 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=70 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=70 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=70 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=71 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:56481->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=71 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6e, original direction"
id=65308 trace_id=71 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=71 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=71 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=72 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56481) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=72 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6e, reply direction"
id=65308 trace_id=72 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=72 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=72 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=72 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=72 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=72 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=72 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=72 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=72 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=72 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=73 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=73 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf8c"
id=65308 trace_id=73 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=73 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=73 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=73 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=74 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=74 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf8f"
id=65308 trace_id=74 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=74 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=74 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=74 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=75 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=75 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf90"
id=65308 trace_id=75 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=75 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=75 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=75 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=76 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=76 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf91"
id=65308 trace_id=76 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=76 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=76 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=76 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=77 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=77 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf92"
id=65308 trace_id=77 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=77 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=77 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=77 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=78 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=78 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf93"
id=65308 trace_id=78 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=78 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=78 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=78 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=79 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=79 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf94"
id=65308 trace_id=79 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=79 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=79 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=79 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=80 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=80 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf95"
id=65308 trace_id=80 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=80 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=80 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=80 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=81 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=81 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf96"
id=65308 trace_id=81 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=81 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=81 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=81 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=82 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=82 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf97"
id=65308 trace_id=82 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=82 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=82 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=82 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=83 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->456.456.456.456:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 3529555738, ack 0, win 64240"
id=65308 trace_id=83 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf9b"
id=65308 trace_id=83 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=83 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=83 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=83 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-123.123.123.123 via port10"
id=65308 trace_id=83 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[port10], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=83 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=4"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-20, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=83 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-drop"
id=65308 trace_id=83 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=83 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=83 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=84 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=84 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf9d"
id=65308 trace_id=84 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=84 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=84 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=84 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=85 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:50319->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=85 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfa5"
id=65308 trace_id=85 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=85 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=85 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=85 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=85 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=85 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=85 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=85 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=85 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=85 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=85 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=85 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=85 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=85 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=85 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=85 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=86 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:50319) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=86 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cfa5, reply direction"
id=65308 trace_id=86 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=86 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=86 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=86 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=86 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=86 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=86 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=86 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=86 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=86 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=86 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=87 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=87 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfb5"
id=65308 trace_id=87 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=87 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=87 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=87 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=88 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=88 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfb6"
id=65308 trace_id=88 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=88 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=88 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=88 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=89 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:50319->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=90 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=89 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cfa5, original direction"
id=65308 trace_id=90 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfb9"
id=65308 trace_id=90 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=89 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=90 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=89 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=90 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=89 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=90 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=91 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=91 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfba"
id=65308 trace_id=91 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=91 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=91 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=91 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=92 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:50319) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=92 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cfa5, reply direction"
id=65308 trace_id=92 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=92 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=92 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=92 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=92 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=92 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=92 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=92 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=93 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=93 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbc"
id=65308 trace_id=93 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=93 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=93 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=93 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=94 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=94 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbd"
id=65308 trace_id=94 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=94 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=94 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=94 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=95 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=95 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbe"
id=65308 trace_id=95 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=95 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=95 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=95 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=96 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=96 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbf"
id=65308 trace_id=96 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=96 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=96 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=96 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=97 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:51322->224.0.0.252:5355) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=97 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc0"
id=65308 trace_id=97 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=97 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=97 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=97 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=98 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=98 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc1"
id=65308 trace_id=98 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=98 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=98 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=98 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=99 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=99 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc2"
id=65308 trace_id=99 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=99 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=99 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=99 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=100 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->456.456.456.456:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 3529555738, ack 0, win 64240"
id=65308 trace_id=100 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc7"
id=65308 trace_id=100 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=100 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=100 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=100 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-123.123.123.123 via port10"
id=65308 trace_id=100 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[port10], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=100 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=4"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-no-match, act-accept"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-20, ret-no-match, act-accept"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=100 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-drop"
id=65308 trace_id=100 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=100 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=100 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"

 

best regards

Martin

sakuraju

Hello Martin,

 

The DNS traffic from 198.18.27.2:56766->192.168.3.41:53 is allowed by firewall policy 30, and in the debugs we see the reply packet from the DNS server too.

 

received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56766) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=52 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf5e, reply direction"
id=65308 trace_id=52 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"

 

The denied traffic is the traffic from 198.18.27.2:57807->456.456.456.456:80.

mhaneke

Hello @sakuraju,

 

That is right, because 456.456.456.456 is an external destination which is not allowed in that rule.

But the DNS response does not arrive at the client.

 

Although I see

id=65308 trace_id=59 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"

the packets do not arrive at the client.

I don't understand why it opens up a new session with

id=65308 trace_id=60 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6d"
id=65308 trace_id=60 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"

although earlier it said:
id=65308 trace_id=59 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"

 

best regards

Martin

AEK

I think the return packet is being dropped. See "act-drop".

id=65308 trace_id=52 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"

Although it found an existing session and it said "Find an existing session, id-0054cf5e, reply direction".

Can you post a screenshot of the related policy (id 30)?

AEK
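One way to reduce a trace like the one in this thread to one line per packet, so the forward-policy verdict, the session lookup and the `act-drop` result from `iprope_policy_group_check` can be compared side by side. This is an added example, not code from any poster or from Fortinet; the sample lines are excerpted from the trace posted above, and the function and field names are chosen for this example.

```python
import re

# Excerpt of the debug flow output posted in this thread (trace_id 83, 85, 86).
SAMPLE = r'''
id=65308 trace_id=83 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->456.456.456.456:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 3529555738, ack 0, win 64240"
id=65308 trace_id=83 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf9b"
id=65308 trace_id=83 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-123.123.123.123 via port10"
id=65308 trace_id=83 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=85 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:50319->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=85 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfa5"
id=65308 trace_id=85 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=85 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=86 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:50319) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=86 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cfa5, reply direction"
id=65308 trace_id=86 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=86 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=86 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
'''

LINE = re.compile(r'id=\d+ trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
PKT = re.compile(r'received a packet\(proto=(\d+), (\S+?)->(\S+?)\) tun_id=\S+ from (\S+)\.')
NEW = re.compile(r'allocate a new session-([0-9a-f]+)')
OLD = re.compile(r'Find an existing session, id-([0-9a-f]+), (\w+) direction')
ROUTE = re.compile(r'find a route: .* via (\S+)')
ALLOW = re.compile(r'Allowed by Policy-(\d+)')
DENY = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
TUNNEL = re.compile(r'output to IPSec tunnel ([^,\s]+)')

EMPTY = {"proto": None, "src": None, "dst": None, "in_if": None,
         "session": None, "route_if": None, "verdict": None,
         "group_check_drop": False, "egress": None}


def summarize(text):
    """Group debug-flow lines by trace_id and pull out the per-packet facts.

    Grouping by trace_id (not by position) keeps packets apart even where the
    console interleaves two traces, as it does for trace_id 89 and 90 above.
    """
    traces = {}
    for raw in text.splitlines():
        m = LINE.search(raw)  # search(): tolerates a CLI prompt before "id="
        if not m:
            continue
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        t = traces.setdefault(tid, dict(EMPTY))
        m = PKT.search(msg)
        if m:
            t.update(proto=int(m.group(1)), src=m.group(2),
                     dst=m.group(3), in_if=m.group(4))
        m = NEW.search(msg)
        if m:
            t["session"] = ("new", m.group(1), None)
        m = OLD.search(msg)
        if m:
            t["session"] = ("existing", m.group(1), m.group(2))
        m = ROUTE.search(msg)
        if m:
            t["route_if"] = m.group(1)
        m = ALLOW.search(msg)
        if m:
            t["verdict"] = ("accept", int(m.group(1)))
        m = DENY.search(msg)
        if m:
            t["verdict"] = ("deny", int(m.group(1)))
        # Recorded separately from the forward-policy verdict on purpose.
        if func == "iprope_policy_group_check" and "act-drop" in msg:
            t["group_check_drop"] = True
        m = TUNNEL.search(msg)
        if m:
            t["egress"] = m.group(1)
    return traces


def render(traces):
    """One human-readable line per packet."""
    rows = []
    for tid, t in traces.items():
        sess = "session=?" if t["session"] is None else (
            "session=%s/%s%s" % (t["session"][1], t["session"][0],
                                 "/" + t["session"][2] if t["session"][2] else ""))
        verdict = "no forward check logged" if t["verdict"] is None else (
            "%s by policy %d" % t["verdict"])
        extra = " group-check=act-drop" if t["group_check_drop"] else ""
        egress = " -> tunnel %s" % t["egress"] if t["egress"] else ""
        rows.append("trace %d: proto=%s %s->%s in=%s %s | %s%s%s" % (
            tid, t["proto"], t["src"], t["dst"], t["in_if"], sess,
            verdict, extra, egress))
    return rows


if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

On the excerpt, trace 86 comes out with both `group-check=act-drop` and a tunnel egress, which are the two observations the posters are weighing against each other.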
mhaneke

VPN0021.jpg

 

best regards
Martin
AEK

Hi Martin

  • Do you have any other IPsec client that is working with the same policy? Or all have the same issue?
  • Do you have any DoS policy?
  • Any policy route for TRK3 or the IPsec tunnel?
AEK
mhaneke

Hello @AEK ,

we have no other client working with policy.

No, we have no DoS policy.

No, we have no other policies for traffic from 198.18.27.0/24

 

best regards

Martin

AEK

Do you have any VIP or IP pool in the same subnet as the IPsec client?

AEK