- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- IPSec client is blocked by implicit deny although ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPSec client is blocked by implicit deny although allow rule exists
Hello,
I created the following rule to allow an IPSec client network aka EMS_IKEv1_F_NB [198.18.27.0/24] to access Intranet aka TRK3 [192.168.0.0/16]. Nevertheless the clients is blocked by the implicit deny rule.
When I try to check the policy using the Policy Match Tool while the client is connected it returns "No route exists from source address 198.18.27.2".
But get router info routing-table details shows
S 198.18.27.2/32 [15/0] via EMS_IKEv1_F_NB tunnel 198.18.27.2, [1/0]
while the client is connected.
FGRO01 (vdom) # edit root
current vf=root:0
CFGRO01 (root) # config firewall policy
CFGRO01 (policy) # edit "32"
CFGRO01 (32) # show
config firewall policy
edit 32
set name "Allow-in-EMS"
set uuid d90bd78a-fe42-51ee-5614-00952a1efac4
set srcintf "EMS_IKEv1_F_NB"
set dstintf "TRK3"
set action accept
set srcaddr "IKEv1_Range"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
best regards
Martin
best regards
Martin
Martin
best regardsMartin
Labels:
- Labels:
-
FortiClient
-
FortiGate
-
IPsec
12 REPLIES 12
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Martin
Please collect the debug flow logs while pinging from the client to your internal server.
diag debug flow filter clear
diag debug flow filter addr <client-IP>
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 50
diag debug enable
AEK
AEK
Created on 04-19-2024 06:15 AM Edited on 04-19-2024 06:24 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @AEK
thank You for Your quick reply.
The orange line show traffic to the intranet DNS server 192.168.3.41. But it is blocked by implicit deny. Port 10 is the WAN port.
Here is the output of:
diag debug flow filter clear
diag debug flow filter addr 198.18.27.2
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 50
diag debug enable
CFGRO01 (root) # id=65308 trace_id=51 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:56766->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=51 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf5e"
id=65308 trace_id=51 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=51 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=51 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=51 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=51 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=51 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=51 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=51 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=51 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=51 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=51 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=51 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=51 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=51 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=51 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=51 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=52 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56766) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=52 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf5e, reply direction"
id=65308 trace_id=52 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=52 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=52 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=52 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=52 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=52 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=52 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=52 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=52 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=52 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=52 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=53 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=53 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf5f"
id=65308 trace_id=53 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=53 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=53 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=53 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=54 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=54 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf60"
id=65308 trace_id=54 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=54 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=54 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=54 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=55 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=55 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf61"
id=65308 trace_id=55 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=55 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=55 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=55 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=56 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:65129->224.0.0.252:5355) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=56 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf62"
id=65308 trace_id=56 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=56 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=56 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=56 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=57 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=57 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf65"
id=65308 trace_id=57 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=57 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=57 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=57 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=58 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:58520->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=58 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6b"
id=65308 trace_id=58 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=58 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=58 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=58 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=58 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=58 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=58 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=58 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=58 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=58 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=58 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=58 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=58 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=58 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=58 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=58 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=59 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:58520) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=59 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
id=65308 trace_id=59 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=59 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=59 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=59 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=59 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=59 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=59 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=59 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=59 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=59 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=59 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=60 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:49391->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=60 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6d"
id=65308 trace_id=60 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=60 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=60 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=60 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=60 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=60 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=60 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=60 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=60 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=60 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=60 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=60 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=60 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=60 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=60 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=60 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=61 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:49391) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=61 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6d, reply direction"
id=65308 trace_id=61 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=61 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=61 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=61 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=61 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=61 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=61 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=61 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=61 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=62 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:56481->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=62 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6e"
id=65308 trace_id=62 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=62 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=62 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=62 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=62 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=62 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=62 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=62 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=62 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=62 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=62 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=62 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=62 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=62 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=62 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=62 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=63 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56481) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=63 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6e, reply direction"
id=65308 trace_id=63 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=63 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=63 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=63 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=63 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=63 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=63 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=63 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=63 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=64 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:58520->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=64 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, original direction"
id=65308 trace_id=64 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=64 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=64 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=65 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:58520) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=65 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
id=65308 trace_id=65 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=65 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=65 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=65 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=65 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=65 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=65 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=65 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=66 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:58520->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=66 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, original direction"
id=65308 trace_id=66 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=66 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=66 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=67 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:58520) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=67 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
id=65308 trace_id=67 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=67 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=67 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=67 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=67 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=67 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=67 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=67 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=67 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=67 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=67 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=67 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=67 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=67 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=68 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->456.456.456.456:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 3529555738, ack 0, win 64240"
id=65308 trace_id=68 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf70"
id=65308 trace_id=68 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=68 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=68 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=68 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-123.123.123.123 via port10"
id=65308 trace_id=68 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[port10], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=68 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=4"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-no-match, act-accept"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-20, ret-no-match, act-accept"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=68 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-drop"
id=65308 trace_id=68 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=68 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=68 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=69 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:49391->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=69 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6d, original direction"
id=65308 trace_id=69 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=69 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=69 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=70 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:49391) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=70 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6d, reply direction"
id=65308 trace_id=70 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=70 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=70 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=70 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=70 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=70 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=70 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=70 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=70 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=70 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=70 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=70 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=71 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:56481->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=71 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6e, original direction"
id=65308 trace_id=71 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=71 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=71 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=72 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56481) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=72 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6e, reply direction"
id=65308 trace_id=72 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=72 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=72 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=72 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=72 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=72 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=72 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=72 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=72 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=72 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=73 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=73 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf8c"
id=65308 trace_id=73 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=73 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=73 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=73 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=74 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=74 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf8f"
id=65308 trace_id=74 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=74 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=74 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=74 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=75 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=75 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf90"
id=65308 trace_id=75 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=75 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=75 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=75 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=76 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=76 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf91"
id=65308 trace_id=76 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=76 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=76 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=76 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=77 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=77 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf92"
id=65308 trace_id=77 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=77 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=77 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=77 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=78 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=78 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf93"
id=65308 trace_id=78 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=78 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=78 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=78 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=79 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=79 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf94"
id=65308 trace_id=79 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=79 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=79 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=79 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=80 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=80 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf95"
id=65308 trace_id=80 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=80 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=80 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=80 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=81 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=81 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf96"
id=65308 trace_id=81 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=81 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=81 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=81 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=82 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=82 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf97"
id=65308 trace_id=82 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=82 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=82 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=82 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=83 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->456.456.456.456:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 3529555738, ack 0, win 64240"
id=65308 trace_id=83 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf9b"
id=65308 trace_id=83 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=83 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=83 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=83 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-123.123.123.123 via port10"
id=65308 trace_id=83 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[port10], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=83 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=4"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-20, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=83 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-drop"
id=65308 trace_id=83 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=83 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=83 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=84 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=84 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf9d"
id=65308 trace_id=84 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=84 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=84 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=84 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=85 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:50319->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=85 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfa5"
id=65308 trace_id=85 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=85 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=85 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=85 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=85 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=85 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=85 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=85 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=85 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=85 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=85 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=85 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=85 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=85 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=85 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=85 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=86 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:50319) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=86 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cfa5, reply direction"
id=65308 trace_id=86 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=86 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=86 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=86 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=86 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=86 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=86 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=86 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=86 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=86 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=86 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=87 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=87 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfb5"
id=65308 trace_id=87 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=87 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=87 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=87 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=88 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=88 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfb6"
id=65308 trace_id=88 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=88 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=88 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=88 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=89 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:50319->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=90 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=89 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cfa5, original direction"
id=65308 trace_id=90 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfb9"
id=65308 trace_id=90 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=89 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=90 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=89 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=90 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=89 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=90 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=91 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=91 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfba"
id=65308 trace_id=91 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=91 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=91 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=91 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=92 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:50319) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=92 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cfa5, reply direction"
id=65308 trace_id=92 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=92 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=92 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=92 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=92 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=92 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=92 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=92 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=93 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=93 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbc"
id=65308 trace_id=93 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=93 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=93 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=93 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=94 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=94 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbd"
id=65308 trace_id=94 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=94 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=94 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=94 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=95 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=95 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbe"
id=65308 trace_id=95 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=95 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=95 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=95 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=96 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=96 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbf"
id=65308 trace_id=96 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=96 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=96 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=96 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=97 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:51322->224.0.0.252:5355) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=97 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc0"
id=65308 trace_id=97 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=97 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=97 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=97 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=98 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=98 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc1"
id=65308 trace_id=98 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=98 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=98 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=98 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=99 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=99 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc2"
id=65308 trace_id=99 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=99 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=99 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=99 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=100 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->456.456.456.456:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 3529555738, ack 0, win 64240"
id=65308 trace_id=100 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc7"
id=65308 trace_id=100 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=100 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=100 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=100 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-123.123.123.123 via port10"
id=65308 trace_id=100 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[port10], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=100 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=4"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-no-match, act-accept"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-20, ret-no-match, act-accept"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=100 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-drop"
id=65308 trace_id=100 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=100 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=100 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"
best regards
Martin
best regards
Martin
Martin
best regardsMartin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Martin,
The DNS traffic from 198.18.27.2:56766->192.168.3.41:53 is allowed by firewall policy:
30 and in the deugs we see reply packet from the DNS server too.
received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56766) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=52 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf5e, reply direction"
id=65308 trace_id=52 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
The deny traffic is for traffic from 198.18.27.2:57807->456.456.456.456:80.
Created on 04-19-2024 06:55 AM Edited on 04-19-2024 07:02 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello@sakuraju ,
that is right. because 456.456.456.456 is an external destination which is not allowed in that rule.
But the response DNS response does not arrive at the client.
Although I see
id=65308 trace_id=59 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0" the packets do no arrive at the client.
I don´t understand why it opens up a new session with
id=65308 trace_id=60 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6d"
id=65308 trace_id=60 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
although earlier it said:
id=65308 trace_id=59 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
best regards
Martin
best regards
Martin
Martin
best regardsMartin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the return packet is being dropped. See "act-drop".
id=65308 trace_id=52 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
Although it found an existing session and it said "Find an existing session, id-0054cf5e, reply direction".
Can you post a screenshot of the related policy (id 30)?
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
best regards
Martin
Martin
best regardsMartin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Martin
- Do you have any other IPsec client that is working with the same policy? Or all have the same issue?
- Do you have any DoS policy?
- Any policy route for TRK3 or the IPsec tunnel?
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @AEK ,
we have no other client working with policy.
No, we have no DoS policy,
No, we have no other policies for traffic from 198.18.27.0/24
best regards
Martin
best regards
Martin
Martin
best regardsMartin
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have any VIP or IP pool in the same subnet as the IPsec client?
AEK
AEK
Related Posts
- Application Control and Web filter is... 199 Views
- Fortigate 100D - URL clicks in... 73 Views
- how to block a mail with... 87 Views
- SD-WAN and none interface 172 Views
- fortianalyser bug with old logging 106 Views
Labels
-
FortiGate
6,588 -
FortiClient
1,313 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
SNMP
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.