producttechlab
New Contributor

Traffic is not forwarded to another interface

Perimiter-FW-1 # diagnose sniffer packet any 'host 10.133.100.200' 4 0
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.133.100.200]
4.666574 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
9.533884 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
14.535665 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
19.536267 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request

10.133.100.200 >> Source

Perimiter-FW-1 # diag sniffer packet any 'host 8.8.8.8' 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8]
2024-05-15 06:03:44.953446 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
2024-05-15 06:03:49.532932 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
2024-05-15 06:03:54.533584 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
2024-05-15 06:03:59.531917 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
8.8.8.8 >> DST

 

Welcome!

Perimiter-FW-1 #
Perimiter-FW-1 #
Perimiter-FW-1 #
Perimiter-FW-1 # execute ping 10.133.100.200
PING 10.133.100.200 (10.133.100.200): 56 data bytes
64 bytes from 10.133.100.200: icmp_seq=0 ttl=127 time=6.3 ms
64 bytes from 10.133.100.200: icmp_seq=1 ttl=127 time=3.7 ms
64 bytes from 10.133.100.200: icmp_seq=2 ttl=127 time=3.8 ms
64 bytes from 10.133.100.200: icmp_seq=3 ttl=127 time=3.9 ms
64 bytes from 10.133.100.200: icmp_seq=4 ttl=127 time=3.9 ms

--- 10.133.100.200 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 3.7/4.3/6.3 ms

Perimiter-FW-1 # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=50.3 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=50.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=50.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=50.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=58 time=50.5 ms

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 50.1/50.3/50.5 ms

Perimiter-FW-1 # get router
access-list Configure access lists.
access-list6 Configure IPv6 access lists.
aspath-list Configure Autonomous System (AS) path lists.

Perimiter-FW-1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 192.168.56.2, port6, [1/0]
S 10.133.0.0/24 [1/0] via 172.16.10.1, port1, [2/0]
S 10.133.1.0/24 [1/0] via 172.16.10.1, port1, [2/0]
S 10.133.2.0/24 [1/0] via 172.16.10.1, port1, [2/0]
S 10.133.100.0/24 [1/0] via 172.16.10.1, port1, [2/0]
C 172.16.10.0/24 is directly connected, port1
C 172.16.20.0/24 is directly connected, port2
C 192.168.56.0/24 is directly connected, port6

 

Firewall Rule

Perimiter-FW-1 # config firewall policy

Perimiter-FW-1 (policy) # edit 1

Perimiter-FW-1 (1) # show
config firewall policy
edit 1
set name "all"
set uuid cdc38e82-127d-51ef-40ae-a82c017245ed
set srcintf "port1" "port2" "port6"
set dstintf "port1" "port2" "port6"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end

Perimiter-FW-1 (1) #

@fortinet 

Traffic has reached the firewall perfectly, but it is not forwarded to another interface. The rule allows everything. Let me know why this happens and how to resolve this issue.

soudwip ghosh
pminarik
Staff

In such a situation, debug flow is your next step:

diag debug flow filter clear

diag debug flow filter saddr <src-ip>

diag debug flow filter daddr <dst-ip>

diag debug enable

diag debug flow trace start 10

=> reproduce issue now (the debug will show how the next 10 incoming packets matching the filter are processed)

[ corrections always welcome ]
producttechlab
New Contributor

Perimiter-FW-1 # id=20085 trace_id=1 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=131."
id=20085 trace_id=1 func=init_ip_session_common line=6046 msg="allocate a new session-00002e98, tun_id=0.0.0.0"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=2 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048)
tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=132."
id=20085 trace_id=2 func=init_ip_session_common line=6046 msg="allocate a new session-00002e9b, tun_id=0.0.0.0"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=3 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048)
tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=133."
id=20085 trace_id=3 func=init_ip_session_common line=6046 msg="allocate a new session-00002ea8, tun_id=0.0.0.0"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=4 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=134."
id=20085 trace_id=4 func=init_ip_session_common line=6046 msg="allocate a new session-00002eaa, tun_id=0.0.0.0"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=5 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=135."
id=20085 trace_id=5 func=init_ip_session_common line=6046 msg="allocate a new session-00002eac, tun_id=0.0.0.0"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=6 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=136."
id=20085 trace_id=6 func=init_ip_session_common line=6046 msg="allocate a new session-00002eae, tun_id=0.0.0.0"
id=20085 trace_id=6 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=7 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=137."
id=20085 trace_id=7 func=init_ip_session_common line=6046 msg="allocate a new session-00002eb0, tun_id=0.0.0.0"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"

Perimiter-FW-1 # id=20085 trace_id=8 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=138."
id=20085 trace_id=8 func=init_ip_session_common line=6046 msg="allocate a new session-00002eb2, tun_id=0.0.0.0"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=9 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=139."
id=20085 trace_id=9 func=init_ip_session_common line=6046 msg="allocate a new session-00002eb3, tun_id=0.0.0.0"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=10 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=140."
id=20085 trace_id=10 func=init_ip_session_common line=6046 msg="allocate a new session-00002eb5, tun_id=0.0.0.0"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"

 

__________________________________

NAT

Perimiter-FW-1 # config firewall policy

Perimiter-FW-1 (policy) # edit 1

Perimiter-FW-1 (1) # show
config firewall policy
edit 1
set name "all"
set uuid cdc38e82-127d-51ef-40ae-a82c017245ed
set srcintf "port1" "port2" "port6"
set dstintf "port1" "port2" "port6"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
end

Perimiter-FW-1 (1) #

soudwip ghosh
pminarik

Strangely enough, it seems to "end abruptly".

Can you re-run the debug flow with some additional commands?

Add:

diag debug flow show function enable

diag debug flow show iprope enable

...before the last line (flow trace start).

[ corrections always welcome ]
producttechlab

Perimiter-FW-1 # diag debug flow filter clear

Perimiter-FW-1 # diag debug flow filter saddr 10.133.100.200

Perimiter-FW-1 # diag debug flow filter daddr 8.8.8.8

Perimiter-FW-1 # diag debug flow trace start 20

Perimiter-FW-1 # diag debug flow show function enable
show function name

Perimiter-FW-1 # diag debug flow show iprope enable
show trace messages about iprope

Perimiter-FW-1 # id=20085 trace_id=51 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=51 func=init_ip_session_common line=6046 msg="allocate a new session-000032d5, tun_id=0.0.0.0"
id=20085 trace_id=51 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=51 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=51 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=51 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=52 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=52 func=init_ip_session_common line=6046 msg="allocate a new session-000032d7, tun_id=0.0.0.0"
id=20085 trace_id=52 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=52 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=52 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=52 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=53 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:61523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=53 func=init_ip_session_common line=6046 msg="allocate a new session-000032d8, tun_id=0.0.0.0"
id=20085 trace_id=53 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=53 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=53 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=53 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=54 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=54 func=init_ip_session_common line=6046 msg="allocate a new session-000032d9, tun_id=0.0.0.0"
id=20085 trace_id=54 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=54 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=54 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=54 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=55 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:61523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=55 func=init_ip_session_common line=6046 msg="allocate a new session-000032dc, tun_id=0.0.0.0"
id=20085 trace_id=55 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=55 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=55 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=55 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=56 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:61523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=56 func=init_ip_session_common line=6046 msg="allocate a new session-000032dd, tun_id=0.0.0.0"
id=20085 trace_id=56 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=56 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=56 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=56 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=57 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=57 func=init_ip_session_common line=6046 msg="allocate a new session-000032de, tun_id=0.0.0.0"
id=20085 trace_id=57 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=57 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=57 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=57 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=58 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:61523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=58 func=init_ip_session_common line=6046 msg="allocate a new session-000032eb, tun_id=0.0.0.0"
id=20085 trace_id=58 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=58 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=58 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=58 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=59 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=59 func=init_ip_session_common line=6046 msg="allocate a new session-000032ed, tun_id=0.0.0.0"
id=20085 trace_id=59 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=59 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=59 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=59 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=60 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:61523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=60 func=init_ip_session_common line=6046 msg="allocate a new session-000032ef, tun_id=0.0.0.0"
id=20085 trace_id=60 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=60 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=60 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=60 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=61 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:50523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=61 func=init_ip_session_common line=6046 msg="allocate a new session-000032f2, tun_id=0.0.0.0"
id=20085 trace_id=61 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=61 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=61 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=61 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=62 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57356->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=62 func=init_ip_session_common line=6046 msg="allocate a new session-000032f3, tun_id=0.0.0.0"
id=20085 trace_id=62 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=62 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=62 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=62 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=63 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:49258->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=63 func=init_ip_session_common line=6046 msg="allocate a new session-000032f4, tun_id=0.0.0.0"
id=20085 trace_id=63 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=63 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=63 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=63 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=64 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:50523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=64 func=init_ip_session_common line=6046 msg="allocate a new session-000032f5, tun_id=0.0.0.0"
id=20085 trace_id=64 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=64 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=64 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=64 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=65 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:50523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=65 func=init_ip_session_common line=6046 msg="allocate a new session-000032f8, tun_id=0.0.0.0"
id=20085 trace_id=65 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=65 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=65 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=65 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=66 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:50523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=66 func=init_ip_session_common line=6046 msg="allocate a new session-000032fa, tun_id=0.0.0.0"
id=20085 trace_id=66 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=66 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=66 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=66 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=67 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:50523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=67 func=init_ip_session_common line=6046 msg="allocate a new session-000032fe, tun_id=0.0.0.0"
id=20085 trace_id=67 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=67 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=67 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=67 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=68 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:63029->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=68 func=init_ip_session_common line=6046 msg="allocate a new session-00003304, tun_id=0.0.0.0"
id=20085 trace_id=68 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=68 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=68 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=68 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=69 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:63029->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=69 func=init_ip_session_common line=6046 msg="allocate a new session-00003305, tun_id=0.0.0.0"
id=20085 trace_id=69 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=69 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=69 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=69 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=70 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:63029->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=70 func=init_ip_session_common line=6046 msg="allocate a new session-00003307, tun_id=0.0.0.0"
id=20085 trace_id=70 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=70 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=70 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=70 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"

Perimiter-FW-1 #

soudwip ghosh
pminarik

I'm afraid I'm not sure what's going on there, so I'll let others chip in.

 

Off the top of my head, I would suggest checking some common "trouble-makers":

- Review the config to make sure that the destination IP doesn't overlap with any existing VIP or IP pool.

- Check if the source IP is banned (diag user quarantine list).

[ corrections always welcome ]
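
A way to summarise debug flow output such as the traces posted in this thread, as an added example that is not part of any post and is not Fortinet tooling: this Python script groups lines by trace_id, extracts the packet and the selected route, and lists traces that found a route but show no policy decision. The function names `entries`, `summarise` and `stalled` are hypothetical, and the "Allowed by" / "Denied by" markers are an assumption about what a policy decision line contains; no such line appears in the thread.

```python
import re

# Lines copied from the traces posted in this thread, including the CLI prompt
# prefix on the first line and one msg= field wrapped across two lines.
SAMPLE = '''\
Perimiter-FW-1 # id=20085 trace_id=1 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=131."
id=20085 trace_id=1 func=init_ip_session_common line=6046 msg="allocate a new session-00002e98, tun_id=0.0.0.0"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=2 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048)
tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=132."
id=20085 trace_id=2 func=init_ip_session_common line=6046 msg="allocate a new session-00002e9b, tun_id=0.0.0.0"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=51 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=51 func=init_ip_session_common line=6046 msg="allocate a new session-000032d5, tun_id=0.0.0.0"
id=20085 trace_id=51 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=51 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=51 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=51 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
'''

START = re.compile(r'\bid=\d+ trace_id=\d+ ')
ENTRY = re.compile(r'id=\d+ trace_id=(\d+) func=(\w+) line=\d+ msg="(.*)"\s*$')
PKT = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) .*?from (\w+)')
ROUTE = re.compile(r'find a route: .*gw-(\S+) via (\w+)')
# Assumption: a policy decision line contains one of these substrings.
VERDICT_MARKERS = ("Allowed by", "Denied by")

def entries(text):
    """Yield (trace_id, func, msg), re-joining msg fields wrapped over lines."""
    joined, buf = [], None
    for raw in text.splitlines():
        m = START.search(raw)
        if m:                       # new entry; drop any CLI prompt before it
            if buf:
                joined.append(buf)
            buf = raw[m.start():]
        elif buf and not buf.rstrip().endswith('"'):
            buf += " " + raw.strip()  # msg quote still open: continuation line
    if buf:
        joined.append(buf)
    for line in joined:
        m = ENTRY.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def summarise(text):
    """Map trace_id -> stages seen, packet tuple, chosen route, verdict flag."""
    traces = {}
    for tid, func, msg in entries(text):
        t = traces.setdefault(
            tid, {"stages": [], "pkt": None, "route": None, "verdict": False})
        t["stages"].append(func)
        if (m := PKT.search(msg)):
            t["pkt"] = m.groups()    # (proto, src, dst, ingress interface)
        if (m := ROUTE.search(msg)):
            t["route"] = m.groups()  # (gateway, egress interface)
        if any(v in msg for v in VERDICT_MARKERS):
            t["verdict"] = True
    return traces

def stalled(traces):
    """Trace ids that found a route but show no policy decision afterwards."""
    return [tid for tid, t in traces.items() if t["route"] and not t["verdict"]]

if __name__ == "__main__":
    result = summarise(SAMPLE)
    for tid, t in result.items():
        print(tid, t["pkt"], "route:", t["route"], "last:", t["stages"][-1])
    print("no policy decision after route lookup:", stalled(result))
```
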