Perimiter-FW-1 # diagnose sniffer packet any 'host 10.133.100.200' 4 0
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.133.100.200]
4.666574 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
9.533884 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
14.535665 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
19.536267 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
10.133.100.200 >> Source
Perimiter-FW-1 # diag sniffer packet any 'host 8.8.8.8' 4 0 a
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.8.8]
2024-05-15 06:03:44.953446 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
2024-05-15 06:03:49.532932 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
2024-05-15 06:03:54.533584 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
2024-05-15 06:03:59.531917 port1 in 10.133.100.200 -> 8.8.8.8: icmp: echo request
8.8.8.8 >. DST
Welcome!
Perimiter-FW-1 #
Perimiter-FW-1 #
Perimiter-FW-1 #
Perimiter-FW-1 # execute ping 10.133.100.200
PING 10.133.100.200 (10.133.100.200): 56 data bytes
64 bytes from 10.133.100.200: icmp_seq=0 ttl=127 time=6.3 ms
64 bytes from 10.133.100.200: icmp_seq=1 ttl=127 time=3.7 ms
64 bytes from 10.133.100.200: icmp_seq=2 ttl=127 time=3.8 ms
64 bytes from 10.133.100.200: icmp_seq=3 ttl=127 time=3.9 ms
64 bytes from 10.133.100.200: icmp_seq=4 ttl=127 time=3.9 ms
--- 10.133.100.200 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 3.7/4.3/6.3 ms
Perimiter-FW-1 # execute ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=50.3 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=50.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=50.1 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=50.2 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=58 time=50.5 ms
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 50.1/50.3/50.5 ms
Perimiter-FW-1 # get router
access-list Configure access lists.
access-list6 Configure IPv6 access lists.
aspath-list Configure Autonomous System (AS) path lists.
Perimiter-FW-1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 192.168.56.2, port6, [1/0]
S 10.133.0.0/24 [1/0] via 172.16.10.1, port1, [2/0]
S 10.133.1.0/24 [1/0] via 172.16.10.1, port1, [2/0]
S 10.133.2.0/24 [1/0] via 172.16.10.1, port1, [2/0]
S 10.133.100.0/24 [1/0] via 172.16.10.1, port1, [2/0]
C 172.16.10.0/24 is directly connected, port1
C 172.16.20.0/24 is directly connected, port2
C 192.168.56.0/24 is directly connected, port6
Firewall Rule
Perimiter-FW-1 # config firewall policy
Perimiter-FW-1 (policy) # edit 1
Perimiter-FW-1 (1) # show
config firewall policy
edit 1
set name "all"
set uuid cdc38e82-127d-51ef-40ae-a82c017245ed
set srcintf "port1" "port2" "port6"
set dstintf "port1" "port2" "port6"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
end
Perimiter-FW-1 (1) #
Traffic has reached firewall perfectly but traffic is not forward another interface rule has all allowed let me know why and how to resolve this issue.
In such situation, debug flow is your next step:
diag debug flow filter clear
diag debug flow filter saddr <src-ip>
diag debug flow filter daddr <dst-ip>
diag debug enable
diag debug flow trace start 10
=> reproduce issue now (the debug will show how the next 10 incoming packets matching the filter are processed)
Perimiter-FW-1 # id=20085 trace_id=1 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=131."
id=20085 trace_id=1 func=init_ip_session_common line=6046 msg="allocate a new session-00002e98, tun_id=0.0.0.0"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=2 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048)
tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=132."
id=20085 trace_id=2 func=init_ip_session_common line=6046 msg="allocate a new session-00002e9b, tun_id=0.0.0.0"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=3 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048)
tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=133."
id=20085 trace_id=3 func=init_ip_session_common line=6046 msg="allocate a new session-00002ea8, tun_id=0.0.0.0"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=4 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=134."
id=20085 trace_id=4 func=init_ip_session_common line=6046 msg="allocate a new session-00002eaa, tun_id=0.0.0.0"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=5 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=135."
id=20085 trace_id=5 func=init_ip_session_common line=6046 msg="allocate a new session-00002eac, tun_id=0.0.0.0"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=6 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=136."
id=20085 trace_id=6 func=init_ip_session_common line=6046 msg="allocate a new session-00002eae, tun_id=0.0.0.0"
id=20085 trace_id=6 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=7 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=137."
id=20085 trace_id=7 func=init_ip_session_common line=6046 msg="allocate a new session-00002eb0, tun_id=0.0.0.0"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
Perimiter-FW-1 # id=20085 trace_id=8 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=138."
id=20085 trace_id=8 func=init_ip_session_common line=6046 msg="allocate a new session-00002eb2, tun_id=0.0.0.0"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=9 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=139."
id=20085 trace_id=9 func=init_ip_session_common line=6046 msg="allocate a new session-00002eb3, tun_id=0.0.0.0"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=10 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=1, 10.133.100.200:1->8.8.8.8:2048) tun_id=0.0.0.0 from port1. type=8, code=0, id=1, seq=140."
id=20085 trace_id=10 func=init_ip_session_common line=6046 msg="allocate a new session-00002eb5, tun_id=0.0.0.0"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
__________________________________
NAT
Perimiter-FW-1 # config firewall policy
Perimiter-FW-1 (policy) # edit 1
Perimiter-FW-1 (1) # show
config firewall policy
edit 1
set name "all"
set uuid cdc38e82-127d-51ef-40ae-a82c017245ed
set srcintf "port1" "port2" "port6"
set dstintf "port1" "port2" "port6"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
set nat enable
next
end
Perimiter-FW-1 (1) #
Strangely enough, it seems to "end abruptly".
Can you re-run the debug flow with some additional command?
Add:
diag debug flow show function enable
diag debug flow show iprope enable
...before the last line (flow trace start).
Perimiter-FW-1 # diag debug flow filter clear
Perimiter-FW-1 # diag debug flow filter saddr 10.133.100.200
Perimiter-FW-1 # diag debug flow filter daddr 8.8.8.8
Perimiter-FW-1 # diag debug flow trace start 20
Perimiter-FW-1 # diag debug flow show function enable
show function name
Perimiter-FW-1 # diag debug flow show iprope enable
show trace messages about iprope
Perimiter-FW-1 # id=20085 trace_id=51 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=51 func=init_ip_session_common line=6046 msg="allocate a new session-000032d5, tun_id=0.0.0.0"
id=20085 trace_id=51 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=51 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=51 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=51 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=52 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=52 func=init_ip_session_common line=6046 msg="allocate a new session-000032d7, tun_id=0.0.0.0"
id=20085 trace_id=52 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=52 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=52 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=52 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=53 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:61523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=53 func=init_ip_session_common line=6046 msg="allocate a new session-000032d8, tun_id=0.0.0.0"
id=20085 trace_id=53 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=53 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=53 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=53 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=54 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=54 func=init_ip_session_common line=6046 msg="allocate a new session-000032d9, tun_id=0.0.0.0"
id=20085 trace_id=54 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=54 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=54 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=54 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=55 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:61523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=55 func=init_ip_session_common line=6046 msg="allocate a new session-000032dc, tun_id=0.0.0.0"
id=20085 trace_id=55 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=55 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=55 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=55 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=56 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:61523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=56 func=init_ip_session_common line=6046 msg="allocate a new session-000032dd, tun_id=0.0.0.0"
id=20085 trace_id=56 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=56 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=56 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=56 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=57 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=57 func=init_ip_session_common line=6046 msg="allocate a new session-000032de, tun_id=0.0.0.0"
id=20085 trace_id=57 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=57 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=57 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=57 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=58 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:61523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=58 func=init_ip_session_common line=6046 msg="allocate a new session-000032eb, tun_id=0.0.0.0"
id=20085 trace_id=58 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=58 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=58 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=58 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=59 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:64733->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=59 func=init_ip_session_common line=6046 msg="allocate a new session-000032ed, tun_id=0.0.0.0"
id=20085 trace_id=59 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=59 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=59 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=59 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=60 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:61523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=60 func=init_ip_session_common line=6046 msg="allocate a new session-000032ef, tun_id=0.0.0.0"
id=20085 trace_id=60 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=60 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=60 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=60 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=61 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:50523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=61 func=init_ip_session_common line=6046 msg="allocate a new session-000032f2, tun_id=0.0.0.0"
id=20085 trace_id=61 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=61 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=61 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=61 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=62 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:57356->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=62 func=init_ip_session_common line=6046 msg="allocate a new session-000032f3, tun_id=0.0.0.0"
id=20085 trace_id=62 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=62 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=62 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=62 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=63 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:49258->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=63 func=init_ip_session_common line=6046 msg="allocate a new session-000032f4, tun_id=0.0.0.0"
id=20085 trace_id=63 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=63 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=63 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=63 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=64 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:50523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=64 func=init_ip_session_common line=6046 msg="allocate a new session-000032f5, tun_id=0.0.0.0"
id=20085 trace_id=64 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=64 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=64 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=64 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=65 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:50523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=65 func=init_ip_session_common line=6046 msg="allocate a new session-000032f8, tun_id=0.0.0.0"
id=20085 trace_id=65 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=65 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=65 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=65 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=66 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:50523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=66 func=init_ip_session_common line=6046 msg="allocate a new session-000032fa, tun_id=0.0.0.0"
id=20085 trace_id=66 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=66 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=66 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=66 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=67 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:50523->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=67 func=init_ip_session_common line=6046 msg="allocate a new session-000032fe, tun_id=0.0.0.0"
id=20085 trace_id=67 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=67 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=67 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=67 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=68 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:63029->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=68 func=init_ip_session_common line=6046 msg="allocate a new session-00003304, tun_id=0.0.0.0"
id=20085 trace_id=68 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=68 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=68 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=68 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=69 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:63029->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=69 func=init_ip_session_common line=6046 msg="allocate a new session-00003305, tun_id=0.0.0.0"
id=20085 trace_id=69 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=69 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=69 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=69 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
id=20085 trace_id=70 func=print_pkt_detail line=5867 msg="vd-root:0 received a packet(proto=17, 10.133.100.200:63029->8.8.8.8:53) tun_id=0.0.0.0 from port1. "
id=20085 trace_id=70 func=init_ip_session_common line=6046 msg="allocate a new session-00003307, tun_id=0.0.0.0"
id=20085 trace_id=70 func=iprope_dnat_check line=5336 msg="in-[port1], out-[]"
id=20085 trace_id=70 func=iprope_dnat_tree_check line=827 msg="len=0"
id=20085 trace_id=70 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=70 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.56.2 via port6"
Perimiter-FW-1 #
I'm afraid I'm not sure what's going on there, so I'll let others chip in.
Off the top of my head, I would suggest checking some common "trouble-makers":
- Review the config to make sure that the destination IP doesn't overlap with any existing VIP or IP pool
- Check if the source IP is banned (diag user quarantine list).
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.