Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
philip_nl
New Contributor

Created on ‎04-13-2023 05:22 AM

Policy lookup failed to match any policies from source interface to destination interface

Hello,

I run into issues with a "simple" policy.

Here some screenshots to explain the problem.

 

One policy 16 that allows all from "dial-up" to "root-vpn0". Counters going up:

policy-lookup-failed-01.jpg

 

Policy lookup failed for one I am sure that one should match the above one ID 16:

policy-lookup-failed-02.jpg

A route lookup that looks good to me:

policy-lookup-failed-03.jpg

Hitting 0.0.0.0/0:

policy-lookup-failed-04.jpg

 

Even "diagnose debug flow" looks good:

policy-lookup-failed-05.jpg

 

But no page displayed on the browser on client ip-address: 10.64.1.2

Did troubleshooting with an extra switch, new extra VDOM, factory-reset restore config, but no succes.

Does anyone can give me a hint to look for?

Kind regards,

Philip

 

Philip
Philip
Labels:
5110
0 Kudos
8 REPLIES 8
Shilpa1
Staff
Staff

Created on ‎04-13-2023 05:33 AM

Hello Philip,

Check if the policy is enabled and in the right sequence: Ensure that the policy is enabled and in the right sequence to be matched. The policy sequence can be checked in the policy section of the GUI.

 

Clear the cache: Clear the cache in your web browser and refresh the page. This will ensure that the page is loaded with the latest information from the FortiGate unit.

 

Try a different browser: Try accessing the FortiGate GUI from a different browser. If the issue persists, try accessing it from a different machine.

Regards,

Shilpa

5104
0 Kudos
funkylicious
SuperUser
SuperUser

Created on ‎04-13-2023 05:33 AM

Hi,

Can you post the output for:

get router info routing-table details IP , for both IPs?

"jack of all trades, master of none"
"jack of all trades, master of none"
5104
0 Kudos
philip_nl
New Contributor
In response to funkylicious

Created on ‎04-13-2023 10:20 AM

Here the requested info:

 

FG100D-D (root) # get router info routing-table details 10.63.1.3

Routing table for VRF=0
Routing entry for 10.63.1.0/24
Known via "ospf", distance 110, metric 11, best
Last update 00:11:34 ago
* 10.77.1.5, via dial-up_0

 

FG100D-D (root) # get router info routing-table details 171.22.67.34

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "ospf", distance 110, metric 10, best
Last update 00:10:27 ago
* 10.0.199.2, via root-vpn0

 

Kind regards,

Philip

Philip
Philip
5081
0 Kudos
funkylicious
SuperUser
SuperUser
In response to philip_nl

Created on ‎04-13-2023 10:27 AM

Very strange. Maybe it's just a visual thing in the GUI ?

Does a policy lookup from the CLI say that it doesnt match any rule ?

diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>

 

If I understand correctly the traffic is working as expected as for the debug flow ?

"jack of all trades, master of none"
"jack of all trades, master of none"
5080
0 Kudos
philip_nl
New Contributor
In response to funkylicious

Created on ‎04-13-2023 10:40 AM

The "diagnose debug flow" gives an "Allowed by Policy-16", the correct policy.

 

Here the output of 2 times the diagnose firewall iprope lookup:

 

FG100D-D (root) # diagnose firewall iprope lookup 10.63.1.3 61628 171.22.67.34 443 6 dial-up
<src [10.63.1.3-61628] dst [171.22.67.34-443] proto 6 dev dial-up> doesn't match any policy.
Command fail. Return code -49

FG100D-D (root) # diagnose firewall iprope lookup 10.63.1.3 0 171.22.67.34 443 6 dial-up
<src [10.63.1.3-0] dst [171.22.67.34-443] proto 6 dev dial-up> doesn't match any policy.
Command fail. Return code -49

 

 

Philip
Philip
5079
0 Kudos
funkylicious
SuperUser
SuperUser
In response to philip_nl

Created on ‎04-13-2023 10:54 AM

Maybe you need dial-up_0 ?

"jack of all trades, master of none"
"jack of all trades, master of none"
5078
0 Kudos
philip_nl
New Contributor
In response to funkylicious

Created on ‎04-13-2023 11:23 AM

That one looks better:

 

FG100D-D (root) # diagnose firewall iprope lookup 10.63.1.3 0 171.22.67.34 443 6 dial-up_0
<src [10.63.1.3-0] dst [171.22.67.34-443] proto 6 dev dial-up_0> matches policy id: 16

 

I'll check the OSPF config.

 

Philip
Philip
5071
0 Kudos
philip_nl
New Contributor

Created on ‎04-16-2023 12:12 PM

Found the problem. An upstream FortiGate had a static route.

Troubleshooting this issue, I used "Policy Lookup" on a downstream FortiGate, the FortiGate where I worked on. This one finally didn't had an issue.

 

But, why didn't the Policy Lookup work. Here my troubleshooting steps.

 

The command: diag firewall iprope lookup <src_ip> <src_port> <dst_ip> <dst_port> <protocol> <Source interface>

This one helped me.

 

Here a policy match for 1 lan interface and 2 dial-up interfaces. Notice the "dial-up_1" and "dial-up_0":

FG-01.jpg

 

In the Monitor => IPsec Monitor section, there are 2 tunnels, dial-up_0 and dial-up_1:

FG-03-IPsec.jpg

 

The policies 22, 23 and 25, see above diagnose screenshot, have counters increasing:

FG-04-policies.jpg

 

But the Policy Lookup:

FG-05-policy-lookup.jpg

 

just doesn't show up interfaces dial-up_0 and dial-up_1, instead of the lan interfaces which is shown.

 

The CLI diag firewall iprope lookup works, the GUI simply does not for dial-up interfaces.

 

Above troubleshooting was on:

FortiGate 100D

v6.2.13 build1343 (GA)

 

 

Philip
Philip
5042
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.