VBO
New Contributor

VIP does not work on new firewall

Hello,

I actually changed our old FTG60C to a 100D.

I had a problem with the VIPs and policies (port forwarding).

I did exactly the same VIPs, policies, routes, and policy route.

But...

Port forwarding does not work.

In the trace I had this:

192.168.51.94 is our Public internal network (my smartphone).

190.12.16.146 is a public IP.

It is like no policy matches... strange.

FG100Dxxxxxxx # diag debu flow trace stop
2016-03-10 12:14:45 id=20085 trace_id=179 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=6, 192.168.51.94:49008->190.12.16.146:443) from Public_Switch. flag , seq 16480176, ack 0, win 65535"
2016-03-10 12:14:45 id=20085 trace_id=179 func=init_ip_session_common line=4868 msg="allocate a new session-0005d8f2"
2016-03-10 12:14:45 id=20085 trace_id=179 func=iprope_dnat_check line=4655 msg="in-[Public_Switch], out-[]"
2016-03-10 12:14:45 id=20085 trace_id=179 func=iprope_dnat_tree_check line=837 msg="len=1"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_dnat_policy line=4541 msg="checking gnum-100000 policy-8"
2016-03-10 12:14:45 id=20085 trace_id=179 func=iprope_dnat_check line=4668 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2016-03-10 12:14:45 id=20085 trace_id=179 func=vf_ip_route_input_common line=2584 msg="find a route: flag=80000000 gw-190.12.16.146 via root"
2016-03-10 12:14:45 id=20085 trace_id=179 func=iprope_fwd_check line=630 msg="in-[Public_Switch], out-[wan2], skb_flags-02000000, vid-0"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_tree_check line=545 msg="gnum-100004, use addr/intf hash, len=11"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-5, ret-no-match, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-23, ret-no-match, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-33, ret-no-match, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-29, ret-no-match, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-3, ret-no-match, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-22, ret-no-match, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-25, ret-no-match, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-1, ret-no-match, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-9, ret-no-match, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-19, ret-no-match, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=1826 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_user_identity_check line=1651 msg="ret-matched"
2016-03-10 12:14:45 id=20085 trace_id=179 func=__iprope_check_one_policy line=2022 msg="policy-0 is matched, act-drop"
2016-03-10 12:14:45 id=20085 trace_id=179 func=fw_local_in_handler line=394 msg="iprope_in_check() check failed on policy 0, drop"

And when I check from the external IP (diag session):

2016-03-10 12:23:22 id=20085 trace_id=207 func=init_ip_session_common line=4868 msg="allocate a new session-00060955"
2016-03-10 12:23:22 id=20085 trace_id=207 func=iprope_dnat_check line=4655 msg="in-[wan2], out-[]"
2016-03-10 12:23:22 id=20085 trace_id=207 func=iprope_dnat_tree_check line=837 msg="len=1"
2016-03-10 12:23:22 id=20085 trace_id=207 func=__iprope_check_one_dnat_policy line=4541 msg="checking gnum-100000 policy-8"
2016-03-10 12:23:22 id=20085 trace_id=207 func=iprope_dnat_check line=4668 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2016-03-10 12:23:22 id=20085 trace_id=207 func=ip_route_input_slow line=2250 msg="reverse path check fail, drop"
2016-03-10 12:23:22 id=20085 trace_id=207 func=ip_session_handle_no_dst line=4942 msg="trace"
2016-03-10 12:23:22 id=20085 trace_id=208 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=6, 194.230.155.177:38449->190.12.16.146:443) from wan2. flag , seq 2787764793, ack 0, win 65535"
2016-03-10 12:23:22 id=20085 trace_id=208 func=init_ip_session_common line=4868 msg="allocate a new session-0006095a"
2016-03-10 12:23:22 id=20085 trace_id=208 func=iprope_dnat_check line=4655 msg="in-[wan2], out-[]"
2016-03-10 12:23:22 id=20085 trace_id=208 func=iprope_dnat_tree_check line=837 msg="len=1"
2016-03-10 12:23:22 id=20085 trace_id=208 func=__iprope_check_one_dnat_policy line=4541 msg="checking gnum-100000 policy-8"
2016-03-10 12:23:22 id=20085 trace_id=208 func=iprope_dnat_check line=4668 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2016-03-10 12:23:22 id=20085 trace_id=208 func=ip_route_input_slow line=2250 msg="reverse path check fail, drop"
2016-03-10 12:23:22 id=20085 trace_id=208 func=ip_session_handle_no_dst line=4942 msg="trace"
2016-03-10 12:23:22 id=20085 trace_id=209 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=6, 194.230.155.177:56547->190.12.16.146:443) from wan2. flag , seq 901570253, ack 0, win 65535"

Please help me

Need Inverter ? http://www.studer-innotec.com
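
Added example, not part of the original post: a small parser that groups `diag debug flow` output by `trace_id` and reports, per packet, the ingress interface, the DNAT (VIP) check result, the matched policy and the function that logged the drop. The sample lines are constructed in the same format with documentation addresses; the field names in the returned dict are this example's own.

```python
import re

# Constructed sample in the format of the flow trace above (not the poster's data).
# The second packet's message is wrapped mid-line, as terminal captures often are.
SAMPLE = '''\
2016-03-10 12:00:01 id=20085 trace_id=1 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=6, 198.51.100.7:40000->203.0.113.10:443) from wan2. flag [S], seq 1, ack 0, win 65535"
2016-03-10 12:00:01 id=20085 trace_id=1 func=iprope_dnat_check line=4668 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2016-03-10 12:00:01 id=20085 trace_id=1 func=ip_route_input_slow line=2250 msg="reverse path check fail, drop"
2016-03-10 12:00:02 id=20085 trace_id=2 func=print_pkt_detail line=4717 msg="vd-root received a packet(proto=6, 192.0.2.94:49008->203.0.113.10:443)
from Public_Switch. flag [S], seq 2, ack 0, win 65535"
2016-03-10 12:00:02 id=20085 trace_id=2 func=iprope_dnat_check line=4668 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2016-03-10 12:00:02 id=20085 trace_id=2 func=__iprope_check_one_policy line=2022 msg="policy-0 is matched, act-drop"
2016-03-10 12:00:02 id=20085 trace_id=2 func=fw_local_in_handler line=394 msg="iprope_in_check() check failed on policy 0, drop"
'''

# Messages contain no embedded quotes, so [^"]* also spans wrapped lines.
ENTRY = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="([^"]*)"')
PACKET = re.compile(r'packet\(proto=(\d+), (\S+)->(\S+)\) from (.+?)\. flag')

def summarize(trace_text):
    """Return {trace_id: summary} for every packet seen in the trace."""
    packets = {}
    for tid, func, msg in ENTRY.findall(trace_text):
        msg = " ".join(msg.split())  # rejoin messages broken by line wraps
        p = packets.setdefault(int(tid), {"packet": None, "ingress": None,
                                          "dnat": None, "policy": None, "drop": None})
        pkt = PACKET.search(msg)
        if func == "print_pkt_detail" and pkt:
            p["packet"], p["ingress"] = f"{pkt[2]}->{pkt[3]}", pkt[4]
        elif func == "iprope_dnat_check" and msg.startswith("result:"):
            p["dnat"] = re.search(r"ret-([\w-]+)", msg)[1]  # VIP lookup outcome
        elif "is matched" in msg:
            hit = re.search(r"policy-(\d+) is matched, act-(\w+)", msg)
            if hit:
                p["policy"] = (int(hit[1]), hit[2])
        if msg.endswith(", drop"):
            p["drop"] = (func, msg)  # which stage dropped the packet, and why
    return packets

if __name__ == "__main__":
    for tid, info in summarize(SAMPLE).items():
        print(tid, info)
```
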