Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
faizneer
New Contributor

ONE DNAT NOT WORKING , ALTHOUGHT OTHER DNAT IS WORKING ON FORTIGATE

Untitled.png

- ONE DEFAULT ROUTE FOR INTERNET WORKING ...

- 2 POLICY BASED ROUTES FOR EACH VM , ONE FOR FORWARD ONR FOR BACKWARD ...

- 1 POLICY FOR LAN TO WAN FOR INTERNET

 

- 2 POLICIES FOR EACH VM , ONE FOR FORWARD AND SECOND FOR BACKWARD

- VIP IS USED FOR EACH VM

 

- ONE SERVER IS SIP SERVER , WHICH IS WORKING FINE , INGOING AND OUTGOING 

 

- ONE SERVER IS WEB SERVER , WHICH IS NOT ACCESSIBLE VIA VIP 

 

WHAT COULD BE THE REASONS ? I CAN GIVE MORE DETAIL IF ASK 

11 REPLIES 11
hbac
Staff
Staff

Hi @faizneer,

 

We need to run debug flow to see how the traffic flow. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Below is an example of debug flow filter: 

di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 172.16.102.20         <<<   Source IP address
di deb flow filter port 23        <<<   Port number if applicable. If not, remove this line. 
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable

 

Regards, 

 

Toshi_Esumi

In addition to the debug log above @hbac asked, please share the non-working VIP config in CLI under "config firewall vip". My guess is VIP itself is working to reach the VM but the returning traffic has different source IP or something like that.

 

Toshi

faizneer
New Contributor

HI @hbac   HERE IS A DEBUG FLOW 

 

########vd-root:0 received a packet(proto=6, 154.198.114.234:39623->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 3452781678, ack 0, win 64240
########allocate a new session-001f1695, tun_id=0.0.0.0           
########in-[SOLUTIONS-2068], out-[]             
########len=1               
########checking gnum-100000 policy-3            
########find DNAT: IP-192.168.160.34, port-0(fixed port)           
########matched policy-3, act=accept, vip=3, flag=104, sflag=2000000          
########result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104        
########VIP-192.168.160.34:443, outdev-SOLUTIONS-2068           
########DNAT 116.0.59.170:443->192.168.160.34:443           
########Match policy routing id=9: to 192.168.160.34 via ifindex-44          
########reverse path check fail, drop             
########trace               
                 
158                
########vd-root:0 received a packet(proto=6, 154.198.114.234:39639->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1712411968, ack 0, win 64240
########allocate a new session-001f1696, tun_id=0.0.0.0           
########in-[SOLUTIONS-2068], out-[]             
########len=1               
########checking gnum-100000 policy-3            
########find DNAT: IP-192.168.160.34, port-0(fixed port)           
########matched policy-3, act=accept, vip=3, flag=104, sflag=2000000          
########result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104        
########VIP-192.168.160.34:443, outdev-SOLUTIONS-2068           
########DNAT 116.0.59.170:443->192.168.160.34:443           
########Match policy routing id=9: to 192.168.160.34 via ifindex-44          
########reverse path check fail, drop             
########trace               
                 
159                
########vd-root:0 received a packet(proto=6, 154.198.114.234:39640->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1052054648, ack 0, win 64240
########allocate a new session-001f1698, tun_id=0.0.0.0           
########in-[SOLUTIONS-2068], out-[]             
########len=1               
########checking gnum-100000 policy-3            
########find DNAT: IP-192.168.160.34, port-0(fixed port)           
########matched policy-3, act=accept, vip=3, flag=104, sflag=2000000          
########result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104        
########VIP-192.168.160.34:443, outdev-SOLUTIONS-2068           
########DNAT 116.0.59.170:443->192.168.160.34:443           
########Match policy routing id=9: to 192.168.160.34 via ifindex-44          
########reverse path check fail, drop             
########trace               
                 
160                
########vd-root:0 received a packet(proto=6, 154.198.114.234:39623->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 3452781678, ack 0, win 64240
########allocate a new session-001f1699, tun_id=0.0.0.0           
########in-[SOLUTIONS-2068], out-[]             
########len=1               
########checking gnum-100000 policy-3            
########find DNAT: IP-192.168.160.34, port-0(fixed port)           
########matched policy-3, act=accept, vip=3, flag=104, sflag=2000000          
########result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104        
########VIP-192.168.160.34:443, outdev-SOLUTIONS-2068           
########DNAT 116.0.59.170:443->192.168.160.34:443           
########Match policy routing id=9: to 192.168.160.34 via ifindex-44          
########reverse path check fail, drop             
########trace               
                 
161                
########vd-root:0 received a packet(proto=6, 154.198.114.234:39639->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1712411968, ack 0, win 64240
########allocate a new session-001f169a, tun_id=0.0.0.0           
########in-[SOLUTIONS-2068], out-[]             
########len=1               
########checking gnum-100000 policy-3            
########find DNAT: IP-192.168.160.34, port-0(fixed port)           
########matched policy-3, act=accept, vip=3, flag=104, sflag=2000000          
########result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104        
########VIP-192.168.160.34:443, outdev-SOLUTIONS-2068           
########DNAT 116.0.59.170:443->192.168.160.34:443           
########Match policy routing id=9: to 192.168.160.34 via ifindex-44          
########reverse path check fail, drop             
########trace               
faizneer
New Contributor

HI @hbac here is a debug flow 

 

 
157
11/29/2023 17:18 vd-root:0 received a packet(proto=6, 154.198.114.234:39623->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 3452781678, ack 0, win 64240
11/29/2023 17:18 allocate a new session-001f1695, tun_id=0.0.0.0
11/29/2023 17:18 in-[SOLUTIONS-2068], out-[]
11/29/2023 17:18 len=1
11/29/2023 17:18 checking gnum-100000 policy-3
11/29/2023 17:18 find DNAT: IP-192.168.160.34, port-0(fixed port)
11/29/2023 17:18 matched policy-3, act=accept, vip=3, flag=104, sflag=2000000
11/29/2023 17:18 result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104
11/29/2023 17:18 VIP-192.168.160.34:443, outdev-SOLUTIONS-2068
11/29/2023 17:18 DNAT 116.0.59.170:443->192.168.160.34:443
11/29/2023 17:18 Match policy routing id=9: to 192.168.160.34 via ifindex-44
11/29/2023 17:18 reverse path check fail, drop
11/29/2023 17:18 trace
 
158
11/29/2023 17:18 vd-root:0 received a packet(proto=6, 154.198.114.234:39639->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1712411968, ack 0, win 64240
11/29/2023 17:18 allocate a new session-001f1696, tun_id=0.0.0.0
11/29/2023 17:18 in-[SOLUTIONS-2068], out-[]
11/29/2023 17:18 len=1
11/29/2023 17:18 checking gnum-100000 policy-3
11/29/2023 17:18 find DNAT: IP-192.168.160.34, port-0(fixed port)
11/29/2023 17:18 matched policy-3, act=accept, vip=3, flag=104, sflag=2000000
11/29/2023 17:18 result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104
11/29/2023 17:18 VIP-192.168.160.34:443, outdev-SOLUTIONS-2068
11/29/2023 17:18 DNAT 116.0.59.170:443->192.168.160.34:443
11/29/2023 17:18 Match policy routing id=9: to 192.168.160.34 via ifindex-44
11/29/2023 17:18 reverse path check fail, drop
11/29/2023 17:18 trace
Toshi_Esumi

This web access is coming to 116.0.59.170, which is not in those three vlan interfaces you listed toward the router. Your policy route for the 192.168.160.34 server is likely routing toward one of those three interfaces, and that's why it ends up with  "reverse path check fail, drop".

Toshi

Toshi_Esumi

Or, maybe this IP 116.0.59.170 is routed through one of those three vlans to reach the FGT, then your policy route for the 192.168.160.34 server's internet is pointing to a different vlan interface. Then the "reverse path" is different and dropped.
This is more likely the case.

faizneer

hi @Toshi_Esumi  Previously i disabled voip inspection on fortigate 

to allow voice traffic smoothly , is there any relation  b/w   to reach web server through dnat ?? means this not causing the issue ??

 

commands used to disable inspection mentioned below:

 

config system settings
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end

 

config voip profile
edit default
config sip
set rtp disable
end
end


config system session-helper
delete 12

 

Thanks ,

 

Toshi_Esumi

Shouldn't be. Web access generally don't use SIP port (5060 by default).

 

Toshi

hbac

@faizneer,

 

Traffic is coming from 154.198.114.234 via SOLUTIONS-2068 interface and got dropped due to reverse path check fail, drop. That means you don't have a route back to 154.198.114.234 via SOLUTIONS-2068.

 

Please check your route by running 'get router info routing-table detail 154.198.114.234'. 

 

Regards, 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors