Hello,
I created the following rule to allow an IPSec client network aka EMS_IKEv1_F_NB [198.18.27.0/24] to access Intranet aka TRK3 [192.168.0.0/16]. Nevertheless the clients is blocked by the implicit deny rule.
When I try to check the policy using the Policy Match Tool while the client is connected it returns "No route exists from source address 198.18.27.2".
But get router info routing-table details shows
S 198.18.27.2/32 [15/0] via EMS_IKEv1_F_NB tunnel 198.18.27.2, [1/0]
while the client is connected.
FGRO01 (vdom) # edit root
current vf=root:0
CFGRO01 (root) # config firewall policy
CFGRO01 (policy) # edit "32"
CFGRO01 (32) # show
config firewall policy
edit 32
set name "Allow-in-EMS"
set uuid d90bd78a-fe42-51ee-5614-00952a1efac4
set srcintf "EMS_IKEv1_F_NB"
set dstintf "TRK3"
set action accept
set srcaddr "IKEv1_Range"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
best regards
Martin
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Martin
Please collect the debug flow logs while pinging from the client to your internal server.
diag debug flow filter clear
diag debug flow filter addr <client-IP>
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 50
diag debug enable
Created on 04-19-2024 06:15 AM Edited on 04-19-2024 06:24 AM
Hello @AEK
thank You for Your quick reply.
The orange line show traffic to the intranet DNS server 192.168.3.41. But it is blocked by implicit deny. Port 10 is the WAN port.
Here is the output of:
diag debug flow filter clear
diag debug flow filter addr 198.18.27.2
diag debug flow show function-name enable
diag debug flow show iprope enable
diag debug flow trace start 50
diag debug enable
CFGRO01 (root) # id=65308 trace_id=51 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:56766->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=51 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf5e"
id=65308 trace_id=51 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=51 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=51 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=51 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=51 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=51 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=51 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=51 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=51 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=51 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=51 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=51 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=51 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=51 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=51 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=51 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=51 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=52 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56766) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=52 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf5e, reply direction"
id=65308 trace_id=52 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=52 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=52 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=52 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=52 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=52 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=52 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=52 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=52 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=52 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=52 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=53 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=53 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf5f"
id=65308 trace_id=53 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=53 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=53 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=53 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=54 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=54 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf60"
id=65308 trace_id=54 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=54 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=54 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=54 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=55 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=55 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf61"
id=65308 trace_id=55 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=55 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=55 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=55 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=56 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:65129->224.0.0.252:5355) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=56 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf62"
id=65308 trace_id=56 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=56 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=56 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=56 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=57 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=57 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf65"
id=65308 trace_id=57 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=57 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=57 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=57 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=58 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:58520->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=58 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6b"
id=65308 trace_id=58 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=58 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=58 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=58 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=58 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=58 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=58 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=58 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=58 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=58 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=58 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=58 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=58 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=58 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=58 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=58 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=58 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=59 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:58520) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=59 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
id=65308 trace_id=59 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=59 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=59 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=59 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=59 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=59 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=59 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=59 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=59 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=59 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=59 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=60 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:49391->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=60 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6d"
id=65308 trace_id=60 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=60 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=60 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=60 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=60 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=60 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=60 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=60 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=60 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=60 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=60 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=60 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=60 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=60 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=60 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=60 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=60 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=61 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:49391) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=61 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6d, reply direction"
id=65308 trace_id=61 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=61 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=61 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=61 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=61 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=61 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=61 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=61 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=61 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=62 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:56481->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=62 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6e"
id=65308 trace_id=62 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=62 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=62 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=62 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=62 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=62 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=62 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=62 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=62 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=62 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=62 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=62 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=62 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=62 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=62 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=62 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=62 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=63 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56481) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=63 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6e, reply direction"
id=65308 trace_id=63 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=63 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=63 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=63 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=63 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=63 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=63 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=63 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=63 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=64 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:58520->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=64 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, original direction"
id=65308 trace_id=64 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=64 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=64 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=65 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:58520) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=65 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
id=65308 trace_id=65 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=65 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=65 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=65 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=65 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=65 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=65 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=65 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=66 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:58520->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=66 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, original direction"
id=65308 trace_id=66 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=66 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=66 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=67 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:58520) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=67 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
id=65308 trace_id=67 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=67 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=67 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=67 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=67 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=67 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=67 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=67 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=67 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=67 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=67 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=67 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=67 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=67 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=68 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->456.456.456.456:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 3529555738, ack 0, win 64240"
id=65308 trace_id=68 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf70"
id=65308 trace_id=68 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=68 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=68 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=68 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-123.123.123.123 via port10"
id=65308 trace_id=68 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[port10], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=68 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=4"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-no-match, act-accept"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-20, ret-no-match, act-accept"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=68 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=68 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-drop"
id=65308 trace_id=68 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=68 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=68 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=69 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:49391->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=69 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6d, original direction"
id=65308 trace_id=69 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=69 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=69 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=70 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:49391) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=70 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6d, reply direction"
id=65308 trace_id=70 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=70 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=70 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=70 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=70 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=70 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=70 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=70 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=70 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=70 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=70 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=70 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=71 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:56481->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=71 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6e, original direction"
id=65308 trace_id=71 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=71 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=71 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=72 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56481) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=72 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6e, reply direction"
id=65308 trace_id=72 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=72 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000003, npu_state=02140000"
id=65308 trace_id=72 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=72 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=72 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=72 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=72 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=72 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=72 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=72 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=73 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=73 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf8c"
id=65308 trace_id=73 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=73 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=73 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=73 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=74 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=74 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf8f"
id=65308 trace_id=74 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=74 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=74 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=74 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=75 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=75 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf90"
id=65308 trace_id=75 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=75 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=75 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=75 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=76 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=76 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf91"
id=65308 trace_id=76 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=76 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=76 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=76 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=77 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=77 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf92"
id=65308 trace_id=77 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=77 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=77 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=77 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=78 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=78 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf93"
id=65308 trace_id=78 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=78 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=78 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=78 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=79 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=79 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf94"
id=65308 trace_id=79 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=79 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=79 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=79 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=80 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=80 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf95"
id=65308 trace_id=80 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=80 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=80 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=80 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=81 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=81 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf96"
id=65308 trace_id=81 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=81 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=81 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=81 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=82 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=82 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf97"
id=65308 trace_id=82 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=82 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=82 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=82 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=83 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->456.456.456.456:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 3529555738, ack 0, win 64240"
id=65308 trace_id=83 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf9b"
id=65308 trace_id=83 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=83 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=83 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=83 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-123.123.123.123 via port10"
id=65308 trace_id=83 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[port10], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=83 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=4"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-20, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=83 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-drop"
id=65308 trace_id=83 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=83 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=83 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"
id=65308 trace_id=84 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=84 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf9d"
id=65308 trace_id=84 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=84 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=84 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=84 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=85 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:50319->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=85 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfa5"
id=65308 trace_id=85 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=85 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=85 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=85 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-192.168.3.41 via TRK3"
id=65308 trace_id=85 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=85 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=7, len=10"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-matched, act-accept"
id=65308 trace_id=85 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=85 func=__iprope_check line=2388 msg="gnum-4e20, check-ffffffffa002fbf0"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check line=2405 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2358 msg="policy-30 is matched, act-accept"
id=65308 trace_id=85 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=85 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-30"
id=65308 trace_id=85 func=iprope_reverse_dnat_check line=1337 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=85 func=iprope_reverse_dnat_tree_check line=926 msg="len=0"
id=65308 trace_id=85 func=iprope_central_nat_check line=1360 msg="in-[EMS_IKEv1_F_NB], out-[TRK3], skb_flags-02000008, vid-0"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-1, ret-no-match, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2124 msg="checked gnum-10000d policy-0, ret-matched, act-accept"
id=65308 trace_id=85 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-accept"
id=65308 trace_id=85 func=fw_snat_check line=679 msg="NAT disabled by central SNAT policy!"
id=65308 trace_id=85 func=fw_forward_handler line=985 msg="Allowed by Policy-30:"
id=65308 trace_id=85 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=86 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:50319) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=86 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cfa5, reply direction"
id=65308 trace_id=86 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
id=65308 trace_id=86 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x02040000"
id=65308 trace_id=86 func=fw_forward_dirty_handler line=447 msg="state=00000204, state2=00000001, npu_state=02040000"
id=65308 trace_id=86 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=86 func=__iprope_check line=2388 msg="gnum-100008, check-ffffffffa002f9b0"
id=65308 trace_id=86 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=86 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=86 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=86 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=86 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=86 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=87 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=87 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfb5"
id=65308 trace_id=87 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=87 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=87 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=87 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=88 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=88 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfb6"
id=65308 trace_id=88 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=88 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=88 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=88 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=89 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:50319->192.168.3.41:53) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=90 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=89 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cfa5, original direction"
id=65308 trace_id=90 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfb9"
id=65308 trace_id=90 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=89 func=npu_handle_session44 line=1213 msg="Trying to offloading session from EMS_IKEv1_F_NB to TRK3, skb.npu_flag=00000400 ses.state=00010204 ses.npu_state=0x02040000"
id=65308 trace_id=90 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=89 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=90 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=89 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=original)"
id=65308 trace_id=90 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=91 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=2, 198.18.27.2:0->224.0.0.22:0) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=91 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfba"
id=65308 trace_id=91 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=91 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=91 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=91 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=92 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 192.168.3.41:53->198.18.27.2:50319) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=92 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cfa5, reply direction"
id=65308 trace_id=92 func=npu_handle_session44 line=1213 msg="Trying to offloading session from TRK3 to EMS_IKEv1_F_NB, skb.npu_flag=00000400 ses.state=00030204 ses.npu_state=0x02140000"
id=65308 trace_id=92 func=fw_forward_dirty_handler line=447 msg="state=00030204, state2=00000001, npu_state=02140000"
id=65308 trace_id=92 func=ip_session_core_in line=6519 msg="dir-1, tun_id=198.18.27.2"
id=65308 trace_id=92 func=__ip_session_run_tuple line=3465 msg="run helper-dns-udp(dir=reply)"
id=65308 trace_id=92 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface EMS_IKEv1_F_NB, tun_id=198.18.27.2"
id=65308 trace_id=92 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0"
id=65308 trace_id=92 func=esp_output4 line=875 msg="IPsec encrypt/auth"
id=65308 trace_id=92 func=ipsec_output_finish line=658 msg="send to 123.123.123.123 via intf-port10"
id=65308 trace_id=93 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=93 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbc"
id=65308 trace_id=93 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=93 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=93 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=93 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=94 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=94 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbd"
id=65308 trace_id=94 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=94 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=94 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=94 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=95 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=95 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbe"
id=65308 trace_id=95 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=95 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=95 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=95 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=96 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=96 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfbf"
id=65308 trace_id=96 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=96 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=96 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=96 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=97 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:51322->224.0.0.252:5355) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=97 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc0"
id=65308 trace_id=97 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=97 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=97 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=97 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=98 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=98 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc1"
id=65308 trace_id=98 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=98 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=98 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=98 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=99 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=17, 198.18.27.2:5353->224.0.0.251:5353) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. "
id=65308 trace_id=99 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc2"
id=65308 trace_id=99 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=99 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=99 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=99 func=ip_session_handle_no_dst line=6106 msg="trace"
id=65308 trace_id=100 func=print_pkt_detail line=5836 msg="vd-root:0 received a packet(proto=6, 198.18.27.2:57807->456.456.456.456:80) tun_id=198.18.27.2 from EMS_IKEv1_F_NB. flag [S], seq 3529555738, ack 0, win 64240"
id=65308 trace_id=100 func=init_ip_session_common line=6020 msg="allocate a new session-0054cfc7"
id=65308 trace_id=100 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
id=65308 trace_id=100 func=iprope_dnat_tree_check line=834 msg="len=0"
id=65308 trace_id=100 func=iprope_dnat_check line=5487 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=100 func=vf_ip_route_input_common line=2612 msg="find a route: flag=00000000 gw-123.123.123.123 via port10"
id=65308 trace_id=100 func=__iprope_fwd_check line=801 msg="in-[EMS_IKEv1_F_NB], out-[port10], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=100 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=104, len=4"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-31, ret-no-match, act-accept"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-30, ret-no-match, act-accept"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-20, ret-no-match, act-accept"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2124 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=100 func=__iprope_user_identity_check line=1887 msg="ret-matched"
id=65308 trace_id=100 func=__iprope_check_one_policy line=2358 msg="policy-0 is matched, act-drop"
id=65308 trace_id=100 func=__iprope_fwd_check line=838 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=100 func=iprope_fwd_auth_check line=867 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=100 func=fw_forward_handler line=828 msg="Denied by forward policy check (policy 0)"
best regards
Martin
Hello Martin,
The DNS traffic from 198.18.27.2:56766->192.168.3.41:53 is allowed by firewall policy:
30 and in the deugs we see reply packet from the DNS server too.
received a packet(proto=17, 192.168.3.41:53->198.18.27.2:56766) tun_id=0.0.0.0 from TRK3. "
id=65308 trace_id=52 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf5e, reply direction"
id=65308 trace_id=52 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-198.18.27.2 via EMS_IKEv1_F_NB"
The deny traffic is for traffic from 198.18.27.2:57807->456.456.456.456:80.
Created on 04-19-2024 06:55 AM Edited on 04-19-2024 07:02 AM
Hello@sakuraju ,
that is right. because 456.456.456.456 is an external destination which is not allowed in that rule.
But the response DNS response does not arrive at the client.
Although I see
id=65308 trace_id=59 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel EMS_IKEv1_F_NB_0, tun_id=198.18.27.2, vrf 0" the packets do no arrive at the client.
I don´t understand why it opens up a new session with
id=65308 trace_id=60 func=init_ip_session_common line=6020 msg="allocate a new session-0054cf6d"
id=65308 trace_id=60 func=iprope_dnat_check line=5466 msg="in-[EMS_IKEv1_F_NB], out-[]"
although earlier it said:
id=65308 trace_id=59 func=resolve_ip_tuple_fast line=5924 msg="Find an existing session, id-0054cf6b, reply direction"
best regards
Martin
I think the return packet is being dropped. See "act-drop".
id=65308 trace_id=52 func=iprope_policy_group_check line=4884 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
Although it found an existing session and it said "Find an existing session, id-0054cf5e, reply direction".
Can you post a screenshot of the related policy (id 30)?
Hi Martin
Hello @AEK ,
we have no other client working with policy.
No, we have no DoS policy,
No, we have no other policies for traffic from 198.18.27.0/24
best regards
Martin
Do you have any VIP or IP pool in the same subnet as the IPsec client?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.