Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
philip_nl
New Contributor

Policy lookup failed to match any policies from source interface to destination interface

Hello,

I run into issues with a "simple" policy.

Here some screenshots to explain the problem.

 

One policy 16 that allows all from "dial-up" to "root-vpn0". Counters going up:

policy-lookup-failed-01.jpg

 

Policy lookup failed for one I am sure that one should match the above one ID 16:

policy-lookup-failed-02.jpg

A route lookup that looks good to me:

policy-lookup-failed-03.jpg

Hitting 0.0.0.0/0:

policy-lookup-failed-04.jpg

 

Even "diagnose debug flow" looks good:

policy-lookup-failed-05.jpg

 

But no page displayed on the browser on client ip-address: 10.64.1.2

Did troubleshooting with an extra switch, new extra VDOM, factory-reset restore config, but no succes.

Does anyone can give me a hint to look for?

Kind regards,

Philip

 

Philip
Philip
8 REPLIES 8
Shilpa1
Staff
Staff

Hello Philip,

Check if the policy is enabled and in the right sequence: Ensure that the policy is enabled and in the right sequence to be matched. The policy sequence can be checked in the policy section of the GUI.

 

Clear the cache: Clear the cache in your web browser and refresh the page. This will ensure that the page is loaded with the latest information from the FortiGate unit.

 

Try a different browser: Try accessing the FortiGate GUI from a different browser. If the issue persists, try accessing it from a different machine.

Regards,

Shilpa

funkylicious
SuperUser
SuperUser

Hi,

Can you post the output for:

get router info routing-table details IP , for both IPs?

"jack of all trades, master of none"
"jack of all trades, master of none"
philip_nl

Here the requested info:

 

FG100D-D (root) # get router info routing-table details 10.63.1.3

Routing table for VRF=0
Routing entry for 10.63.1.0/24
Known via "ospf", distance 110, metric 11, best
Last update 00:11:34 ago
* 10.77.1.5, via dial-up_0

 

FG100D-D (root) # get router info routing-table details 171.22.67.34

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "ospf", distance 110, metric 10, best
Last update 00:10:27 ago
* 10.0.199.2, via root-vpn0

 

Kind regards,

Philip

Philip
Philip
funkylicious

Very strange. Maybe it's just a visual thing in the GUI ?

Does a policy lookup from the CLI say that it doesnt match any rule ?

diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>

 

If I understand correctly the traffic is working as expected as for the debug flow ?

"jack of all trades, master of none"
"jack of all trades, master of none"
philip_nl

The "diagnose debug flow" gives an "Allowed by Policy-16", the correct policy.

 

Here the output of 2 times the diagnose firewall iprope lookup:

 

FG100D-D (root) # diagnose firewall iprope lookup 10.63.1.3 61628 171.22.67.34 443 6 dial-up
<src [10.63.1.3-61628] dst [171.22.67.34-443] proto 6 dev dial-up> doesn't match any policy.
Command fail. Return code -49

FG100D-D (root) # diagnose firewall iprope lookup 10.63.1.3 0 171.22.67.34 443 6 dial-up
<src [10.63.1.3-0] dst [171.22.67.34-443] proto 6 dev dial-up> doesn't match any policy.
Command fail. Return code -49

 

 

Philip
Philip
funkylicious

Maybe you need dial-up_0 ?

"jack of all trades, master of none"
"jack of all trades, master of none"
philip_nl

That one looks better:

 

FG100D-D (root) # diagnose firewall iprope lookup 10.63.1.3 0 171.22.67.34 443 6 dial-up_0
<src [10.63.1.3-0] dst [171.22.67.34-443] proto 6 dev dial-up_0> matches policy id: 16

 

I'll check the OSPF config.

 

Philip
Philip
philip_nl
New Contributor

Found the problem. An upstream FortiGate had a static route.

Troubleshooting this issue, I used "Policy Lookup" on a downstream FortiGate, the FortiGate where I worked on. This one finally didn't had an issue.

 

But, why didn't the Policy Lookup work. Here my troubleshooting steps.

 

The command: diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>

This one helped me.

 

Here a policy match for 1 lan interface and 2 dial-up interfaces. Notice the "dial-up_1" and "dial-up_0":

FG-01.jpg

 

In the Monitor => IPsec Monitor section, there are 2 tunnels, dial-up_0 and dial-up_1:

FG-03-IPsec.jpg

 

The policies 22, 23 and 25, see above diagnose screenshot, have counters increasing:

FG-04-policies.jpg

 

But the Policy Lookup:

FG-05-policy-lookup.jpg

 

just doesn't show up interfaces dial-up_0 and dial-up_1, instead of the lan interfaces which is shown.

 

The CLI diag firewall iprope lookup works, the GUI simply does not for dial-up interfaces.

 

Above troubleshooting was on:

FortiGate 100D

v6.2.13 build1343 (GA)

 

 

Philip
Philip
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors