- One default route for internet working ...
- 2 policy-based routes for each VM, one for forward, one for backward ...
- 1 policy for LAN to WAN for internet
- 2 policies for each VM, one for forward and second for backward
- VIP is used for each VM
- One server is SIP server, which is working fine, incoming and outgoing
- One server is web server, which is not accessible via VIP
What could be the reasons? I can give more detail if asked.
Hi @faizneer,
We need to run debug flow to see how the traffic flows. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Below is an example of debug flow filter:
di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 172.16.102.20 <<< Source IP address
di deb flow filter port 23 <<< Port number if applicable. If not, remove this line.
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable
Regards,
Created on 11-30-2023 08:15 AM Edited on 11-30-2023 08:16 AM
In addition to the debug log above @hbac asked, please share the non-working VIP config in CLI under "config firewall vip". My guess is VIP itself is working to reach the VM but the returning traffic has different source IP or something like that.
Toshi
Hi @hbac, here is a debug flow
vd-root:0 received a packet(proto=6, 154.198.114.234:39623->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 3452781678, ack 0, win 64240
allocate a new session-001f1695, tun_id=0.0.0.0
in-[SOLUTIONS-2068], out-[]
len=1
checking gnum-100000 policy-3
find DNAT: IP-192.168.160.34, port-0(fixed port)
matched policy-3, act=accept, vip=3, flag=104, sflag=2000000
result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104
VIP-192.168.160.34:443, outdev-SOLUTIONS-2068
DNAT 116.0.59.170:443->192.168.160.34:443
Match policy routing id=9: to 192.168.160.34 via ifindex-44
reverse path check fail, drop
trace
158

vd-root:0 received a packet(proto=6, 154.198.114.234:39639->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1712411968, ack 0, win 64240
allocate a new session-001f1696, tun_id=0.0.0.0
in-[SOLUTIONS-2068], out-[]
len=1
checking gnum-100000 policy-3
find DNAT: IP-192.168.160.34, port-0(fixed port)
matched policy-3, act=accept, vip=3, flag=104, sflag=2000000
result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104
VIP-192.168.160.34:443, outdev-SOLUTIONS-2068
DNAT 116.0.59.170:443->192.168.160.34:443
Match policy routing id=9: to 192.168.160.34 via ifindex-44
reverse path check fail, drop
trace
159

vd-root:0 received a packet(proto=6, 154.198.114.234:39640->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1052054648, ack 0, win 64240
allocate a new session-001f1698, tun_id=0.0.0.0
in-[SOLUTIONS-2068], out-[]
len=1
checking gnum-100000 policy-3
find DNAT: IP-192.168.160.34, port-0(fixed port)
matched policy-3, act=accept, vip=3, flag=104, sflag=2000000
result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104
VIP-192.168.160.34:443, outdev-SOLUTIONS-2068
DNAT 116.0.59.170:443->192.168.160.34:443
Match policy routing id=9: to 192.168.160.34 via ifindex-44
reverse path check fail, drop
trace
160

vd-root:0 received a packet(proto=6, 154.198.114.234:39623->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 3452781678, ack 0, win 64240
allocate a new session-001f1699, tun_id=0.0.0.0
in-[SOLUTIONS-2068], out-[]
len=1
checking gnum-100000 policy-3
find DNAT: IP-192.168.160.34, port-0(fixed port)
matched policy-3, act=accept, vip=3, flag=104, sflag=2000000
result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104
VIP-192.168.160.34:443, outdev-SOLUTIONS-2068
DNAT 116.0.59.170:443->192.168.160.34:443
Match policy routing id=9: to 192.168.160.34 via ifindex-44
reverse path check fail, drop
trace
161

vd-root:0 received a packet(proto=6, 154.198.114.234:39639->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1712411968, ack 0, win 64240
allocate a new session-001f169a, tun_id=0.0.0.0
in-[SOLUTIONS-2068], out-[]
len=1
checking gnum-100000 policy-3
find DNAT: IP-192.168.160.34, port-0(fixed port)
matched policy-3, act=accept, vip=3, flag=104, sflag=2000000
result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104
VIP-192.168.160.34:443, outdev-SOLUTIONS-2068
DNAT 116.0.59.170:443->192.168.160.34:443
Match policy routing id=9: to 192.168.160.34 via ifindex-44
reverse path check fail, drop
trace
This web access is coming to 116.0.59.170, which is not in those three vlan interfaces you listed toward the router. Your policy route for the 192.168.160.34 server is likely routing toward one of those three interfaces, and that's why it ends up with "reverse path check fail, drop".
Toshi
Created on 11-30-2023 11:22 AM Edited on 11-30-2023 11:22 AM
Or, maybe this IP 116.0.59.170 is routed through one of those three vlans to reach the FGT, then your policy route for the 192.168.160.34 server's internet is pointing to a different vlan interface. Then the "reverse path" is different and dropped.
This is more likely the case.
Hi @Toshi_Esumi, previously I disabled VoIP inspection on the FortiGate to allow voice traffic to flow smoothly. Is there any relation between that and reaching the web server through DNAT? I mean, is this not causing the issue?
The commands used to disable inspection are mentioned below:
config system settings
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
config voip profile
edit default
config sip
set rtp disable
end
end
config system session-helper
delete 12
end
Thanks,
Shouldn't be. Web access generally doesn't use the SIP port (5060 by default).
Toshi
Traffic is coming from 154.198.114.234 via the SOLUTIONS-2068 interface and got dropped with "reverse path check fail, drop". That means you don't have a route back to 154.198.114.234 via SOLUTIONS-2068.
Please check your route by running 'get router info routing-table detail 154.198.114.234'.
Regards,
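To make the explanation above (and Toshi's earlier one about the policy route pointing at a different VLAN) concrete, here is a small added model of the reverse path check, not FortiOS code and not from either poster: the reply from the DNATed server back to the client is routed (policy routes first, then longest-prefix match), and the check passes only if that reply would leave on the interface the request arrived on. The routing table, interface names other than SOLUTIONS-2068, the SIP server address 192.168.160.50 and policy route id 5 are constructed assumptions.

```python
import ipaddress

# Constructed routing state modelled on the thread (assumption, not the
# poster's real config): default route out of the WAN interface, plus a
# policy route that sends the web server's traffic out of a different VLAN.
ROUTES = [  # (destination prefix, egress interface); longest prefix wins
    ("0.0.0.0/0", "SOLUTIONS-2068"),
    ("192.168.160.0/24", "vlan-servers"),
]
POLICY_ROUTES = [  # (id, source prefix, egress interface); first match wins
    (9, "192.168.160.34/32", "vlan-isp2"),       # web server: other VLAN (assumed name)
    (5, "192.168.160.50/32", "SOLUTIONS-2068"),  # SIP server: same path as ingress
]


def egress_for(src, dst, routes=ROUTES, policy_routes=POLICY_ROUTES):
    """Interface a packet src->dst would leave on: policy routes, then LPM."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _, src_prefix, iface in policy_routes:
        if s in ipaddress.ip_network(src_prefix):
            return iface
    candidates = [r for r in routes if d in ipaddress.ip_network(r[0])]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1]


def reverse_path_check(src, ingress, dnat_dst,
                       routes=ROUTES, policy_routes=POLICY_ROUTES):
    """Simplified RPF: the reply dnat_dst->src must exit via the ingress interface.

    Returns (passed, reply_egress) so the mismatch is visible when it fails.
    """
    reply_egress = egress_for(dnat_dst, src, routes, policy_routes)
    return reply_egress == ingress, reply_egress


if __name__ == "__main__":
    # The web server case from the debug flow: client hits the VIP on
    # SOLUTIONS-2068, but policy route 9 would send the reply elsewhere.
    print(reverse_path_check("154.198.114.234", "SOLUTIONS-2068", "192.168.160.34"))
    # The SIP server case: its policy route returns via the same interface.
    print(reverse_path_check("154.198.114.234", "SOLUTIONS-2068", "192.168.160.50"))
    # Without the policy route the default route brings the reply back correctly.
    print(reverse_path_check("154.198.114.234", "SOLUTIONS-2068", "192.168.160.34",
                             policy_routes=[]))
```

The third call shows why the fix is in the policy route rather than in the VIP: with no policy route the default route already returns the reply through SOLUTIONS-2068.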