Virtual Server Cannot Connect to Outside
Hi there,
I'm new to FortiGate. I am trying to figure out why a virtual server gets stuck at the firewall without any deny policy set up. It used to work. When I did a traceroute from the server, it stopped at the firewall. I don't see any policy that denies the server. Is there any other troubleshooting I can do? Thank you.
Did you
1- 'diag debug enable'
2- check the gateway setting on the server?
Sorry, it's my fault, Ede. I was working on another similar issue, so I accidentally chose another firewall. Here is the result, but I don't see the ICMP keywords you mentioned:
5.126853 portxx in 10.x.x.x -> 8.8.8.8: icmp: echo request
9.756878 portxx in 10.x.x.x -> 8.8.8.8: icmp: echo request
14.757128 portxx in 10.x.x.x -> 8.8.8.8: icmp: echo request
19.757406 portxx in 10.x.x.x -> 8.8.8.8: icmp: echo request
Agreed, use 'diag debug flow'. This confirms whether the traffic you expect is or is not reaching the firewall, and the output will show allow/drop and any NAT, if applicable. It's always your first step in diagnostics, imho.
Ken Felix
PCNSE
NSE
StrongSwan
Hi Ken,
Thank you for the advice. I'm really not familiar with Fortinet commands. What's the difference between your suggestion and Ede's?
OK, so the gateway setting on the server is correct, and traffic to the internet is hitting the FGT.
Now you need to use the 'diag debug flow' command -
diag debug flow filter clear
diag debug flow filter proto 1
diag debug flow show cons ena
diag debug flow show fun ena
diag debug flow show iprop ena
diag debug flow trace start 10
and ping away...trace will show you 10 events. Post one here.
(don't worry if you receive errors with the 'show' commands, they depend on the FOS version)
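The trace this procedure produces, and the allow/drop/NAT verdict Ken describes a few posts up, is easier to read once the lines are grouped by trace_id, because one packet generates several messages and only one of them carries the policy decision. The script below is an added example written for this page; it is not code from the thread or from Fortinet. It runs over a constructed sample: the two lines quoted later in the thread (addresses masked as posted) plus made-up lines modelled on the message strings FortiOS 6.x emits for a new session that is allowed and SNATed, and for one that hits the implicit deny (policy 0). The exact line numbers, session ids and RFC 5737 addresses in the sample are assumptions; the message prefixes it matches on ('allocate a new session', 'Find an existing session', 'Allowed by Policy-', 'Denied by', 'SNAT') are the ones FortiOS actually uses.

```python
import re
from collections import defaultdict

# Constructed sample input. The first two lines are the ones quoted in the thread
# (addresses masked as posted); the rest are made up, modelled on FortiOS 6.x
# 'diag debug flow' messages for an allowed+SNATed session and an implicit-deny drop.
SAMPLE_TRACE = """\
2020-01-08 10:38:06 id=20085 trace_id=3016 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 10.1.x.x:471xx->10.101.x.x:0) from local. type=0, code=0, id=471xx, seq=179."
2020-01-08 10:38:06 id=20085 trace_id=3016 func=resolve_ip_tuple_fast line=5450 msg="Find an existing session, id-0a24f499, reply direction"
2020-01-08 10:38:11 id=20085 trace_id=3017 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 10.1.2.3:4711->8.8.8.8:2048) from port2. type=8, code=0, id=4711, seq=1."
2020-01-08 10:38:11 id=20085 trace_id=3017 func=init_ip_session_common line=5617 msg="allocate a new session-0a24f4aa"
2020-01-08 10:38:11 id=20085 trace_id=3017 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-203.0.113.1 via port1"
2020-01-08 10:38:11 id=20085 trace_id=3017 func=fw_forward_handler line=746 msg="Allowed by Policy-3: SNAT"
2020-01-08 10:38:11 id=20085 trace_id=3017 func=__ip_session_run_tuple line=3179 msg="SNAT 10.1.2.3->203.0.113.10:4711"
2020-01-08 10:38:16 id=20085 trace_id=3018 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 10.1.2.9:4712->8.8.8.8:2048) from port2. type=8, code=0, id=4712, seq=1."
2020-01-08 10:38:16 id=20085 trace_id=3018 func=init_ip_session_common line=5617 msg="allocate a new session-0a24f4ab"
2020-01-08 10:38:16 id=20085 trace_id=3018 func=fw_forward_handler line=1148 msg="Denied by forward policy check (policy 0)"
"""

# One debug-flow line: we only need the trace id, the function and the quoted msg.
LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"\s*$')
# The 'received a packet(...)' message carries the tuple and the ingress interface.
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>\S+)->(?P<dst>\S+)\) from (?P<iface>\S+)\.')


def parse_trace(text):
    """Group debug-flow lines by trace_id, keeping (func, msg) pairs in order."""
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[m['trace']].append((m['func'], m['msg']))
    return dict(traces)


def classify(events):
    """Reduce one trace_id's messages to what a troubleshooter wants to know:
    packet tuple and ingress interface, session handling, policy verdict, NAT."""
    s = {'proto': None, 'src': None, 'dst': None, 'iface': None,
         'session': None, 'verdict': None, 'policy': None, 'nat': None}
    for _func, msg in events:
        pkt = PKT_RE.search(msg)
        if pkt:
            s.update(proto=int(pkt['proto']), src=pkt['src'], dst=pkt['dst'], iface=pkt['iface'])
        elif msg.startswith('Find an existing session'):
            s['session'] = 'existing'   # policy was decided when the session was created
        elif msg.startswith('allocate a new session'):
            s['session'] = 'new'        # a policy lookup follows in this trace
        elif msg.startswith('Allowed by Policy-'):
            s['verdict'] = 'allow'
            s['policy'] = msg[len('Allowed by Policy-'):].split(':', 1)[0]
        elif msg.startswith('Denied by') or msg.endswith('drop'):
            s['verdict'] = 'deny'
            pm = re.search(r'policy (\d+)', msg)
            s['policy'] = pm.group(1) if pm else None   # '0' is the implicit deny
        elif msg.startswith(('SNAT', 'DNAT')):
            s['nat'] = msg
    if s['verdict'] is None:
        # No policy message in this trace: either a reply on an existing session,
        # or the capture ended before the verdict (e.g. 'trace start 10' ran out).
        s['verdict'] = 'existing session' if s['session'] == 'existing' else 'incomplete'
    return s


def summarize(text):
    """Map trace_id -> classification for a whole capture."""
    return {tid: classify(ev) for tid, ev in parse_trace(text).items()}


def denied(text):
    """trace_ids that ended in a drop; these are the ones to look at first."""
    return sorted(t for t, s in summarize(text).items() if s['verdict'] == 'deny')


if __name__ == '__main__':
    for tid, s in summarize(SAMPLE_TRACE).items():
        print(f"trace {tid}: {s['src']} -> {s['dst']} in {s['iface']} "
              f"session={s['session']} verdict={s['verdict']} policy={s['policy']} nat={s['nat']}")
```

Paste the output of 'diag debug flow trace start 10' into SAMPLE_TRACE (or read it from a file) and run the script. A trace whose only session message is 'Find an existing session' says nothing about the policy decision, which is why one such event on its own is not enough to troubleshoot; the informative traces are the ones with 'allocate a new session' followed by an 'Allowed by Policy-N' or 'Denied by ...' line, and a 'policy 0' denial means no policy matched at all.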
diag debug flow show cons ena
command not available
As I wrote, don't worry about errors... in v6.x, 'show console enable' is enabled by default and not changeable anymore. Results?
ede_pfau wrote: As I wrote, don't worry about errors... in v6.x, 'show console enable' is enabled by default and not changeable anymore. Results?
Sorry, Ede. I understand now. Here is the result of one of the events:
2020-01-08 10:38:06 id=20085 trace_id=3016 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 10.1.x.x:471xx->10.101.x.x:0) from local. type=0, code=0, id=471xx, seq=179."
2020-01-08 10:38:06 id=20085 trace_id=3016 func=resolve_ip_tuple_fast line=5450 msg="Find an existing session, id-0a24f499, reply direction"
That is not sufficient to tell. Could you post more output, like 10 messages?
Thank you for following up on it, Ede. We found the problem. It was caused by our Nutanix configuration, so the firewall side is all good. Thanks.
