VIPs on loopback with s2s communication

hbuenafe81 · ‎02-04-2024

Gents,

Need your assistance here.. i have a s2s connection and i want the remote side to access my server ports through loopback interface. s2s is up and able to reach my loopback interface, however my VIPs port forwarding using loopback is not responding.. base on my diagnose sniffer shows that remote are able to reach the loopback but no ack receive as shown below.

3953.534013 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3956.547416 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913
3962.546623 TO-JED in 10.1.74.21.65027 -> 10.0.225.102.1200: syn 289683913

----config---

config system interface
edit "Loopback102"
set vdom "root"
set ip 10.0.225.102 255.255.255.255
set allowaccess ping https ssh http fgfm
set type loopback
set role lan
set snmp-index 25

-----------------

config firewall policy
edit 66
set name "ewew"
set uuid 7be5d9e4-c0fc-51ee-71e4-dc872d849459
set srcintf "TO-JED"
set dstintf "Loopback102"
set action accept
set srcaddr "JED-DMZ-SVR"
set dstaddr "iNET-1200"
set schedule "always"
set service "ALL"
set logtraffic all
set comments " "
next
end

edit "iNET-1200"
set uuid 5099f20a-c0f9-51ee-edd8-d4b4f6b515f3
set extip 10.0.225.102
set mappedip "10.3.131.160"
set extintf "any"
set portforward enable
set extport 1200
set mappedport 7000
next

TBogs

ebilcari · ‎02-05-2024

Have you setup two rules in the FW?

1 - From: loop interface To: server interface with destination the VIP

2 - From: external interface or any To: loopback interface

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

hbuenafe81 · ‎02-05-2024

yes and vice versa..

TBogs

hbac · ‎02-05-2024

Hi @hbuenafe81,

Please run debug flow commands suggested by mpeddalla and provide the output if possible. You can also refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

Regards,

hbuenafe81 · ‎02-05-2024

thanks hbac, the logs indicate that the traffic is matching the deny all policy. I don't why it hitting to that implicit deny policy. i'll share the logs soon, i was on road driving.

TBogs

hbac · ‎02-05-2024

@hbuenafe81,

From what I see, I believe you need another policy with Loopback102 as incoming interface and outgoing interface should be your internal interface.

Regards,

hbuenafe81 · ‎02-05-2024

thanks the suggestion, i already did this reverse policy but no luck at all.

TBogs

hbac · ‎02-06-2024

Hi @hbuenafe81,

What do you mean reverse policy? Can you show me that policy? Have you had a chance to collect debug flow? https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

Regards,

hbuenafe81 · ‎02-06-2024

hi @hbac, - loopback to VIP server shows no hits but its working.

NSPTSDFW02 # 2024-02-05 16:17:20 id=20085 trace_id=1 func=print_pkt_detail line=5864 msg="vd-root:0 receive                                                                                                                                  d a packet(proto=6, 10.1.74.21:55180->10.0.225.102:1200) tun_id=88.213.97.186 from TO-JED. flag [S], seq 37                                                                                                                                  42292419, ack 0, win 8192"
2024-02-05 16:17:20 id=20085 trace_id=1 func=init_ip_session_common line=6043 msg="allocate a new session-0                                                                                                                                  112797d, tun_id=88.213.97.186"
2024-02-05 16:17:20 id=20085 trace_id=1 func=iprope_dnat_check line=5336 msg="in-[TO-JED], out-[]"
2024-02-05 16:17:20 id=20085 trace_id=1 func=iprope_dnat_tree_check line=827 msg="len=1"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=5196 msg="checking gnum-10                                                                                                                                  0000 policy-39"
2024-02-05 16:17:20 id=20085 trace_id=1 func=get_new_addr line=1221 msg="find DNAT: IP-10.3.131.160, port-7                                                                                                                                  000"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=5291 msg="matched policy-3                                                                                                                                  9, act=accept, vip=39, flag=100, sflag=2000008"
2024-02-05 16:17:20 id=20085 trace_id=1 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000008, v                                                                                                                                  id-39, ret-matched, act-accept, flag-00000100"
2024-02-05 16:17:20 id=20085 trace_id=1 func=iprope_fwd_check line=782 msg="in-[TO-JED], out-[Loopback102],                                                                                                                                   skb_flags-02000008, vid-39, app_id: 0, url_cat_id: 0"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf h                                                                                                                                  ash, len=5"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 p                                                                                                                                  olicy-48, ret-no-match, act-accept"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 p                                                                                                                                  olicy-50, ret-matched, act-accept"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_check_one_policy line=2242 msg="policy-50 is matched,                                                                                                                                   act-accept"
2024-02-05 16:17:20 id=20085 trace_id=1 func=iprope_fwd_check line=819 msg="after iprope_captive_check(): i                                                                                                                                  s_captive-0, ret-matched, act-accept, idx-50"
2024-02-05 16:17:20 id=20085 trace_id=1 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check                                                                                                                                  (): is_captive-0, ret-matched, act-accept, idx-50"
2024-02-05 16:17:20 id=20085 trace_id=1 func=fw_pre_route_handler line=178 msg="VIP-10.3.131.160:7000, outd                                                                                                                                  ev-unknown"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__ip_session_run_tuple line=3497 msg="DNAT 10.0.225.102:1200->                                                                                                                                  10.3.131.160:7000"
2024-02-05 16:17:20 id=20085 trace_id=1 func=vf_ip_route_input_common line=2611 msg="find a route: flag=000                                                                                                                                  00000 gw-10.3.131.160 via port4"
2024-02-05 16:17:20 id=20085 trace_id=1 func=iprope_fwd_check line=782 msg="in-[Loopback102], out-[port4],                                                                                                                                   skb_flags-020000c0, vid-39, app_id: 0, url_cat_id: 0"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf h                                                                                                                                  ash, len=1"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 p                                                                                                                                  olicy-0, ret-matched, act-accept"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2024-02-05 16:17:20 id=20085 trace_id=1 func=__iprope_check_one_policy line=2242 msg="policy-0 is matched,                                                                                                                                   act-drop"
2024-02-05 16:17:20 id=20085 trace_id=1 func=iprope_fwd_check line=819 msg="after iprope_captive_check(): i                                                                                                                                  s_captive-0, ret-matched, act-drop, idx-0"
2024-02-05 16:17:20 id=20085 trace_id=1 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check                                                                                                                                  (): is_captive-0, ret-matched, act-drop, idx-0"
2024-02-05 16:17:20 id=20085 trace_id=1 func=fw_forward_handler line=719 msg="Denied by forward policy chec                                                                                                                                  k (policy 0)"
2024-02-05 16:17:23 id=20085 trace_id=2 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(pr                                                                                                                                  oto=6, 10.1.74.21:55180->10.0.225.102:1200) tun_id=88.213.97.186 from TO-JED. flag [S], seq 3742292419, ack                                                                                                                                   0, win 8192"
2024-02-05 16:17:23 id=20085 trace_id=2 func=init_ip_session_common line=6043 msg="allocate a new session-0                                                                                                                                  1127991, tun_id=88.213.97.186"
2024-02-05 16:17:23 id=20085 trace_id=2 func=iprope_dnat_check line=5336 msg="in-[TO-JED], out-[]"
2024-02-05 16:17:23 id=20085 trace_id=2 func=iprope_dnat_tree_check line=827 msg="len=1"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_check_one_dnat_policy line=5196 msg="checking gnum-10                                                                                                                                  0000 policy-39"
2024-02-05 16:17:23 id=20085 trace_id=2 func=get_new_addr line=1221 msg="find DNAT: IP-10.3.131.160, port-7                                                                                                                                  000"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_check_one_dnat_policy line=5291 msg="matched policy-3                                                                                                                                  9, act=accept, vip=39, flag=100, sflag=2000008"
2024-02-05 16:17:23 id=20085 trace_id=2 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000008, v                                                                                                                                  id-39, ret-matched, act-accept, flag-00000100"
2024-02-05 16:17:23 id=20085 trace_id=2 func=iprope_fwd_check line=782 msg="in-[TO-JED], out-[Loopback102],                                                                                                                                   skb_flags-02000008, vid-39, app_id: 0, url_cat_id: 0"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf h                                                                                                                                  ash, len=5"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 p                                                                                                                                  olicy-48, ret-no-match, act-accept"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 p                                                                                                                                  olicy-50, ret-matched, act-accept"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_check_one_policy line=2242 msg="policy-50 is matched,                                                                                                                                   act-accept"
2024-02-05 16:17:23 id=20085 trace_id=2 func=iprope_fwd_check line=819 msg="after iprope_captive_check(): i                                                                                                                                  s_captive-0, ret-matched, act-accept, idx-50"
2024-02-05 16:17:23 id=20085 trace_id=2 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check                                                                                                                                  (): is_captive-0, ret-matched, act-accept, idx-50"
2024-02-05 16:17:23 id=20085 trace_id=2 func=fw_pre_route_handler line=178 msg="VIP-10.3.131.160:7000, outd                                                                                                                                  ev-unknown"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__ip_session_run_tuple line=3497 msg="DNAT 10.0.225.102:1200->                                                                                                                                  10.3.131.160:7000"
2024-02-05 16:17:23 id=20085 trace_id=2 func=vf_ip_route_input_common line=2611 msg="find a route: flag=000                                                                                                                                  00000 gw-10.3.131.160 via port4"
2024-02-05 16:17:23 id=20085 trace_id=2 func=iprope_fwd_check line=782 msg="in-[Loopback102], out-[port4],                                                                                                                                   skb_flags-020000c0, vid-39, app_id: 0, url_cat_id: 0"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf h                                                                                                                                  ash, len=1"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 p                                                                                                                                  olicy-0, ret-matched, act-accept"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2024-02-05 16:17:23 id=20085 trace_id=2 func=__iprope_check_one_policy line=2242 msg="policy-0 is matched,                                                                                                                                   act-drop"
2024-02-05 16:17:23 id=20085 trace_id=2 func=iprope_fwd_check line=819 msg="after iprope_captive_check(): i                                                                                                                                  s_captive-0, ret-matched, act-drop, idx-0"
2024-02-05 16:17:23 id=20085 trace_id=2 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check                                                                                                                                  (): is_captive-0, ret-matched, act-drop, idx-0"
2024-02-05 16:17:23 id=20085 trace_id=2 func=fw_forward_handler line=719 msg="Denied by forward policy chec                                                                                                                                  k (policy 0)"
2024-02-05 16:17:29 id=20085 trace_id=3 func=print_pkt_detail line=5864 msg="vd-root:0 received a packet(pr                                                                                                                                  oto=6, 10.1.74.21:55180->10.0.225.102:1200) tun_id=88.213.97.186 from TO-JED. flag [S], seq 3742292419, ack                                                                                                                                   0, win 8192"
2024-02-05 16:17:29 id=20085 trace_id=3 func=init_ip_session_common line=6043 msg="allocate a new session-0                                                                                                                                  11279be, tun_id=88.213.97.186"
2024-02-05 16:17:29 id=20085 trace_id=3 func=iprope_dnat_check line=5336 msg="in-[TO-JED], out-[]"
2024-02-05 16:17:29 id=20085 trace_id=3 func=iprope_dnat_tree_check line=827 msg="len=1"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_check_one_dnat_policy line=5196 msg="checking gnum-10                                                                                                                                  0000 policy-39"
2024-02-05 16:17:29 id=20085 trace_id=3 func=get_new_addr line=1221 msg="find DNAT: IP-10.3.131.160, port-7                                                                                                                                  000"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_check_one_dnat_policy line=5291 msg="matched policy-3                                                                                                                                  9, act=accept, vip=39, flag=100, sflag=2000008"
2024-02-05 16:17:29 id=20085 trace_id=3 func=iprope_dnat_check line=5348 msg="result: skb_flags-02000008, v                                                                                                                                  id-39, ret-matched, act-accept, flag-00000100"
2024-02-05 16:17:29 id=20085 trace_id=3 func=iprope_fwd_check line=782 msg="in-[TO-JED], out-[Loopback102],                                                                                                                                   skb_flags-02000008, vid-39, app_id: 0, url_cat_id: 0"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf h                                                                                                                                  ash, len=5"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 p                                                                                                                                  olicy-48, ret-no-match, act-accept"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 p                                                                                                                                  olicy-50, ret-matched, act-accept"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_check_one_policy line=2242 msg="policy-50 is matched,                                                                                                                                   act-accept"
2024-02-05 16:17:29 id=20085 trace_id=3 func=iprope_fwd_check line=819 msg="after iprope_captive_check(): i                                                                                                                                  s_captive-0, ret-matched, act-accept, idx-50"
2024-02-05 16:17:29 id=20085 trace_id=3 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check                                                                                                                                  (): is_captive-0, ret-matched, act-accept, idx-50"
2024-02-05 16:17:29 id=20085 trace_id=3 func=fw_pre_route_handler line=178 msg="VIP-10.3.131.160:7000, outd                                                                                                                                  ev-unknown"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__ip_session_run_tuple line=3497 msg="DNAT 10.0.225.102:1200->                                                                                                                                  10.3.131.160:7000"
2024-02-05 16:17:29 id=20085 trace_id=3 func=vf_ip_route_input_common line=2611 msg="find a route: flag=000                                                                                                                                  00000 gw-10.3.131.160 via port4"
2024-02-05 16:17:29 id=20085 trace_id=3 func=iprope_fwd_check line=782 msg="in-[Loopback102], out-[port4],                                                                                                                                   skb_flags-020000c0, vid-39, app_id: 0, url_cat_id: 0"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf h                                                                                                                                  ash, len=1"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_check_one_policy line=2025 msg="checked gnum-100004 p                                                                                                                                  olicy-0, ret-matched, act-accept"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_user_identity_check line=1814 msg="ret-matched"
2024-02-05 16:17:29 id=20085 trace_id=3 func=__iprope_check_one_policy line=2242 msg="policy-0 is matched,                                                                                                                                   act-drop"
2024-02-05 16:17:29 id=20085 trace_id=3 func=iprope_fwd_check line=819 msg="after iprope_captive_check(): i                                                                                                                                  s_captive-0, ret-matched, act-drop, idx-0"
2024-02-05 16:17:29 id=20085 trace_id=3 func=iprope_fwd_auth_check line=838 msg="after iprope_captive_check                                                                                                                                  (): is_captive-0, ret-matched, act-drop, idx-0"
2024-02-05 16:17:29 id=20085 trace_id=3 func=fw_forward_handler line=719 msg="Denied by forward policy chec

TBogs

hbac · ‎02-07-2024

@hbuenafe81,

For policy 'loopback-dmz', what do you have in the source field? I believe it is wrong. You can try to set it to all and test.

Regards,

hbuenafe81 · ‎02-05-2024

Gents,

Just an update, I tried to simulate locally and found issue same, what i did is make other interface and create a policy to communicate with loopback and its was successfully. However the same issue, the server port that was assign to loopback via VIPs (multiple test servers and port) are not open. its weird i don't know the issue here. :( Anyone tried VIPs using loopback as external ip?

TBogs