Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Loopback VIP issue on reverse path check fail,...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Loopback VIP issue on reverse path check fail, drop
I did follow the tech doc as below
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-configure-a-VIP-using-a-loopback-i...
but when debug flow, i receive reverse path check fail, drop error when after the DNAT success
FortiGate
1. Loopback IP 192.168.1.254
2. Port 1 (WAN) - 192.168.1.1/28
3. Port 2 (LAN) - 192.168.1.128/28
4. Site to Site VPN (S2S-DC)
Route static
10.1.1.0/24 via port 2
172.16.30.0/24 via S2S-DC
my connection is come from site to site vpn DC 172.16.30.1 --> loopback 192.168.1.254 (DNAT - 10.1.1.1) --> Port 2 --> 10.1.1.1
routing shouldnt be problem but debug flow still receive error reverse path check fail, drop, looking for 192.168.1.254 although is connected.
I perform PCAP on S2S-DC , packet did reach to FW.
PCAP on port 2 no source ip 172.16.30.1 found. the packet been drop in fw and not related to return route
update : i restart router engine still having such issue
Labels:
- Labels:
-
Routing
-
Virtual IP
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
- « Previous
-
- 1
- 2
- Next »
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @LVHan ,
Why is it as follows?
id=65308 trace_id=283 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 192.168.1.128:1->192.168.1.254:2048) tun_id=103.12.67.82 from S2S-DC. type=8, code=0, id=1, seq=5978."
The 192.168.1.128 is with port2, it was from S2S-DC. of course it is "reverse path check fail, drop", because 192.168.1.128 is supposed to be from port2.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
config firewall policy
edit 202
set name "Test-123"
set srcintf "S2S-DC"
set dstintf "192.168.1.254"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
end
Debug flow
id=65308 trace_id=283 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 192.168.1.128:1->192.168.1.254:2048) tun_id=103.12.67.82 from S2S-DC. type=8, code=0, id=1, seq=5978."
id=65308 trace_id=283 func=init_ip_session_common line=6047 msg="allocate a new session-003a75ef"
id=65308 trace_id=283 func=iprope_dnat_check line=5281 msg="in-[S2S-DC], out-[]"
id=65308 trace_id=283 func=iprope_dnat_tree_check line=824 msg="len=1"
id=65308 trace_id=283 func=__iprope_check_one_dnat_policy line=5146 msg="checking gnum-100000 policy-18"
id=65308 trace_id=283 func=get_new_addr line=1213 msg="find DNAT: IP-10.1.1.1, port-0(fixed port)"
id=65308 trace_id=283 func=__iprope_check_one_dnat_policy line=5236 msg="matched policy-18, act=accept, vip=18, flag=104, sflag=2000008"
id=65308 trace_id=283 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000008, vid-18, ret-matched, act-accept, flag-00000104"
id=65308 trace_id=283 func=iprope_fwd_check line=768 msg="in-[S2S-DC], out-[192.168.1.254], skb_flags-02000008, vid-18, app_id: 0, url_cat_id: 0"
id=65308 trace_id=283 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=71, len=12"
id=65308 trace_id=283 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=283 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-202, ret-matched, act-accept"
id=65308 trace_id=283 func=__iprope_user_identity_check line=1807 msg="ret-matched"
id=65308 trace_id=283 func=__iprope_check line=2281 msg="gnum-4e20, check-0000000070604c6e"
id=65308 trace_id=283 func=__iprope_check_one_policy line=2033 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=283 func=__iprope_check_one_policy line=2033 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=283 func=__iprope_check_one_policy line=2033 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=65308 trace_id=283 func=__iprope_check line=2298 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=283 func=get_new_addr line=1213 msg="find SNAT: IP-192.168.1.254(from IPPOOL), port-60418"
id=65308 trace_id=283 func=__iprope_check_one_policy line=2251 msg="policy-202 is matched, act-accept"
id=65308 trace_id=283 func=iprope_fwd_check line=805 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-202"
id=65308 trace_id=283 func=iprope_fwd_auth_check line=824 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-202"
id=65308 trace_id=283 func=fw_pre_route_handler line=184 msg="VIP-10.1.1.1:1, outdev-unknown"
id=65308 trace_id=283 func=__ip_session_run_tuple line=3455 msg="DNAT 192.168.1.254:8->10.1.1.1:1"
id=65308 trace_id=283 func=ip_route_input_slow line=1695 msg="reverse path check fail, drop"
id=65308 trace_id=283 func=ip_session_handle_no_dst line=6133 msg="trace"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is there a reason why you dont just use the real destination IP and prefer to use DNAT using a Loopback?
Anyways, in your phase-2 selectors, you should have the Loopback in there and a firewall rule from the remote IPsec tunnel interface as the source, to port2 as destination and it should work.
Can you also display the output of the command, show firewall vip VIP-10.1.1.1 ?
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reason behind is that some server require to stay on premises and some migrated to AWS, both must remain same IP as some legacy application still hardcode with ip address.
herewith the flow
10.1.1.2 --> FW (policy route) SNAT(192.168.1.128/28) DNAT(192.168.240/28) --> S2S-DC --> AWS FW (DNAT 10.1.1.1) --> AWS Security Policy (Not my control) --> 10.1.1.1
because AWS security policy not within my control, and the default route is toward my AWS FW. to make it simple by perform DNAT at on premises fw. perhaps I should remove the DNAT at on-prem FW
edit "VIP-10.1.1.1"
set extip 192.168.1.254
set mappedip "10.1.1.1"
set extintf "any"
next
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doing this with a loopback is rather pointless, I would say. The loopback interface never actually receives nor transmits any traffic. It's just abstraction. Why bother?
Why not simply do a VIP for the actual interfaces involved?
extintf = <incoming intf of packet sent from client> or ANY
extip = dstip used by client
mappedip = IP of the real destination server
+optional port mapping
firewall policy:
srcintf = real ingress interface
dstintf = real egress interface
srcaddr = <anything that matches the client's IP>
dstaddr = <VIP object>
service = <anything that matches post-DNAT port&protocol)
[ corrections always welcome ]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Agree, the loopback int was tried to fix the routing issue but seem doesnt work.
DNAT 192.168.1.254:8->10.1.1.1:1
reverse path check fail, drop
trace
the route find not sure is related to 192.168.1.254 or 10.1.1.1
I don think is 10.1.1.1 as on cloud application is working , could be related to 192.168.1.254 which hit to default route.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @LVHan ,
Please provide the full outputs of the debug flow commands. You can mask sensitive info, but, please, provide the full outputs.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @LVHan ,
Sorry, it seems that you provided the full outputs. I missed it.
Could you please provide the outputs of the following?
get router info routing-table all
You may just show entries with 192.168.1.128 and 192.168.1.254.
Regards,
Jerry
Jerry
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
myself declare bug AWS FG, i retain the bug ipsec profile and create a new one.
the route appear in kernel
https://docs.fortinet.com/document/fortigate/7.6.1/administration-guide/426761/site-to-site-vpn-with...
I tried this approach the return traffic reach to AWS FW and route to correct tunnel interface but AWS FW doesnt perform encap or any action, the tunnel transmit statistic remain unchange.
So buggy for AWS FG 7.2.10
- « Previous
-
- 1
- 2
- Next »
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,717 -
FortiClient
1,766 -
5.2
801 -
FortiManager
730 -
5.4
639 -
FortiAnalyzer
559 -
FortiSwitch
475 -
FortiAP
473 -
FortiClient EMS
435 -
6.0
416 -
5.6
362 -
FortiMail
318 -
6.2
251 -
SSL-VPN
246 -
FortiAuthenticator v5.5
234 -
IPsec
210 -
FortiWeb
205 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
115 -
FortiAuthenticator
104 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
97 -
FortiToken
92 -
Firewall policy
83 -
Customer Service
79 -
Wireless Controller
79 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
FortiEDR
52 -
vlan
51 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
43 -
FortiDNS
42 -
LDAP
41 -
BGP
40 -
Authentication
38 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
VDOM
30 -
FortiConnect
29 -
FortiLink
29 -
FortiWAN
27 -
Web profile
27 -
Application control
26 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiGate-VM
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
FortiCASB
12 -
Admin
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
Proxy policy
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1714 | |
| 1093 | |
| 752 | |
| 447 | |
| 232 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.