Perimiter-FW-1 # id=20085 trace_id=169 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:59286->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=169 func=init_ip_session_common line=6046 msg="allocate a new session-000046dd, tun_id=0.0.0.0"
id=20085 trace_id=169 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=169 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=169 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=169 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=170 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:59286->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=170 func=init_ip_session_common line=6046 msg="allocate a new session-000046de, tun_id=0.0.0.0"
id=20085 trace_id=170 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=170 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=170 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=170 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=171 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57329->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=171 func=init_ip_session_common line=6046 msg="allocate a new session-000046df, tun_id=0.0.0.0"
id=20085 trace_id=171 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=171 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=171 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=171 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=172 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:59286->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=172 func=init_ip_session_common line=6046 msg="allocate a new session-000046e0, tun_id=0.0.0.0"
id=20085 trace_id=172 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=172 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=172 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=172 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=173 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57329->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=173 func=init_ip_session_common line=6046 msg="allocate a new session-000046e1, tun_id=0.0.0.0"
id=20085 trace_id=173 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=173 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=173 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=173 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=174 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57329->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=174 func=init_ip_session_common line=6046 msg="allocate a new session-000046e2, tun_id=0.0.0.0"
id=20085 trace_id=174 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=174 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=174 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=174 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=175 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:59286->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=175 func=init_ip_session_common line=6046 msg="allocate a new session-000046e3, tun_id=0.0.0.0"
id=20085 trace_id=175 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=175 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=175 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=175 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=176 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57329->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=176 func=init_ip_session_common line=6046 msg="allocate a new session-000046e7, tun_id=0.0.0.0"
id=20085 trace_id=176 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=176 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=176 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=176 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=177 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:59286->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=177 func=init_ip_session_common line=6046 msg="allocate a new session-000046e9, tun_id=0.0.0.0"
id=20085 trace_id=177 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=177 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=177 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=177 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=178 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57329->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=178 func=init_ip_session_common line=6046 msg="allocate a new session-000046eb, tun_id=0.0.0.0"
id=20085 trace_id=178 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=178 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=178 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=178 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
@fortinet The firewall has a serious malfunction. If you know of a solution to this, please arrange a meeting.
Hello @producttechlab ,
Can you check these two matters?
-Did you configure SNAT on your firewall policy?
-Do you have a valid route for that traffic?
Also, this platform is a community forum, so meetings can't be arranged through it. If you want support from Fortinet engineers, you can open a case via the support.fortinet.com website.
Perimiter-FW-1 # config firewall policy
Perimiter-FW-1 (policy) # edit 1
Perimiter-FW-1 (1) # show
config firewall policy
edit 1
set name "all"
set uuid cdc38e82-127d-51ef-40ae-a82c017245ed
set srcintf "port1"
set dstintf "port6"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set logtraffic-start enable
set nat enable
next
end
Perimiter-FW-1 (1) #
Created on 05-15-2024 03:07 AM Edited on 05-15-2024 03:12 AM
Hello @producttechlab ,
Can you test reachability of your gateway from the FortiGate CLI?
execute ping 192.168.56.2
After that can you test to ping 8.8.8.8 via FortiGate CLI?
execute ping-option source <PORT6_IP_ADDR>
execute ping 8.8.8.8
In my opinion, either you can't reach your gateway, or your gateway is not forwarding your traffic to the internet.
Perimiter-FW-1 # execute traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 192.168.56.2 0.783 ms * 1.383 ms
2 * * *
3 192.168.1.1 1.621 ms 1.285 ms 1.073 ms
4 122.169.35.1 <abts-mh-dynamic-001.35.169.122.airtelbroadband.in> 12.471 ms 6.429 ms 5.899 ms
5 125.18.13.225 7.450 ms 6.276 ms 10.388 ms
6 182.79.142.222 50.427 ms 49.947 ms *
7 142.250.169.206 41.426 ms 70.014 ms 40.670 ms
8 142.250.208.105 51.252 ms 50.703 ms 51.635 ms
9 142.251.55.207 51.246 ms 50.443 ms 50.087 ms
10 8.8.8.8 <dns.google> 49.945 ms 50.250 ms 50.325 ms
Perimiter-FW-1 #
This is not only an internet problem; the same happens on the MPLS side.
The problem is that traffic is not moved to the other interface or to the device on the opposite side.
FW>>Internet
FW >>MPLS
Traffic is received from port1 (internal side) but is not forwarded to MPLS or to the internet. One more thing: I am able to ping the FW interface IP address.
Hi @producttechlab ,
From the logs you shared, I agree with @ozkanaltas , "you cant reach your gw or your gw is not forwarding your traffic to the internet. "
Please try to ping your gateway as suggested by @ozkanaltas (if ICMP is allowed).
You can also run a packet sniffer to confirm whether the packets that arrive on port1 are actually sent out of port6 toward the gateway:
diag sniffer packet any "host 10.133.100.200 and (host 8.8.8.8 or host 192.168.56.2)" 4 0 l
Best regards,
Perimiter-FW-1 # diag sniffer packet any "host 10.133.100.200 and (host 8.8.8.8 or host 192.168.56.2)" 4 0 l
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.133.100.200 and (host 8.8.8.8 or host 192.168.56.2)]
2024-05-15 15:56:34.740801 port1 in 10.133.100.200.65167 -> 8.8.8.8.53: udp 31
2024-05-15 15:56:34.853486 port1 in 10.133.100.200.56320 -> 8.8.8.8.53: udp 30
2024-05-15 15:56:34.855606 port1 in 10.133.100.200.54896 -> 8.8.8.8.53: udp 28
2024-05-15 15:56:34.857338 port1 in 10.133.100.200.51735 -> 8.8.8.8.53: udp 28
2024-05-15 15:56:35.058590 port1 in 10.133.100.200.49858 -> 8.8.8.8.53: udp 47
2024-05-15 15:56:35.749083 port1 in 10.133.100.200.65167 -> 8.8.8.8.53: udp 31
2024-05-15 15:56:35.858281 port1 in 10.133.100.200.56320 -> 8.8.8.8.53: udp 30
2024-05-15 15:56:36.062205 port1 in 10.133.100.200.49858 -> 8.8.8.8.53: udp 47
2024-05-15 15:56:36.764766 port1 in 10.133.100.200.65167 -> 8.8.8.8.53: udp 31
2024-05-15 15:56:36.874429 port1 in 10.133.100.200.56320 -> 8.8.8.8.53: udp 30
2024-05-15 15:56:37.077477 port1 in 10.133.100.200.49858 -> 8.8.8.8.53: udp 47
2024-05-15 15:56:38.780626 port1 in 10.133.100.200.65167 -> 8.8.8.8.53: udp 31
2024-05-15 15:56:38.891836 port1 in 10.133.100.200.56320 -> 8.8.8.8.53: udp 30
2024-05-15 15:56:39.078018 port1 in 10.133.100.200.49858 -> 8.8.8.8.53: udp 47
2024-05-15 15:56:42.783625 port1 in 10.133.100.200.65167 -> 8.8.8.8.53: udp 31
2024-05-15 15:56:42.893237 port1 in 10.133.100.200.56320 -> 8.8.8.8.53: udp 30
2024-05-15 15:56:43.080281 port1 in 10.133.100.200.49858 -> 8.8.8.8.53: udp 47
2024-05-15 15:56:45.062923 port1 in 10.133.100.200.58800 -> 8.8.8.8.53: udp 34
2024-05-15 15:56:46.049826 port1 in 10.133.100.200.58800 -> 8.8.8.8.53: udp 34
2024-05-15 15:56:47.061310 port1 in 10.133.100.200.58800 -> 8.8.8.8.53: udp 34
2024-05-15 15:56:49.076062 port1 in 10.133.100.200.58800 -> 8.8.8.8.53: udp 34
2024-05-15 15:56:53.080089 port1 in 10.133.100.200.58800 -> 8.8.8.8.53: udp 34
2024-05-15 15:56:59.256727 port1 in 10.133.100.200 -> 192.168.56.2: icmp: echo request
2024-05-15 15:57:03.858861 port1 in 10.133.100.200 -> 192.168.56.2: icmp: echo request
2024-05-15 15:57:08.861434 port1 in 10.133.100.200 -> 192.168.56.2: icmp: echo request