Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDLP
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: What am I missing here?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What am I missing here?
I am trying to access a machine that is plugged into Port 6 of my 300C (5.0.7) from a Lan Aggregate port setup. For the life of me I cannot figure out why it isn' t working. I have the policy to allow traffic from the Lann Agg to Port 6, and a policy route so the traffic know where to go. When I try to connect nothing happens and the debug flow looks like this:
ADFG16 # id=13 trace_id=468 msg=" vd-root received a packet(proto=17, 10.1.10.106:138->10.1.10.255:138) from port6."
id=13 trace_id=468 msg=" allocate a new session-016914b0"
id=13 trace_id=468 msg=" find a route: gw-10.1.10.255 via root"
id=13 trace_id=468 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=469 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
id=13 trace_id=469 msg=" allocate a new session-01691627"
id=13 trace_id=469 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=469 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=469 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=470 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
id=13 trace_id=470 msg=" allocate a new session-016916d1"
id=13 trace_id=470 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=470 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=470 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=471 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
id=13 trace_id=471 msg=" allocate a new session-01691730"
id=13 trace_id=471 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=471 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=471 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=472 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
id=13 trace_id=472 msg=" allocate a new session-016917f6"
id=13 trace_id=472 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=472 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=472 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=473 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=473 msg=" allocate a new session-01692af5"
id=13 trace_id=473 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=473 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=473 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=474 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=474 msg=" allocate a new session-01692b61"
id=13 trace_id=474 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=474 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=474 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=475 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=475 msg=" allocate a new session-01692c01"
id=13 trace_id=475 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=475 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=475 msg=" iprope_in_check() check failed, drop"
This is got to be something simple, but after hours of staring I' m just going cross-eyed.
----------------(--
Jeff
----------------(-- Jeff
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you explain your PBR design and how/were the ip_address of 10.1.10.1 sits in this design ?
Also the " http://kb.fortinet.com/kb/viewContent.do?externalId=FD31702&sliceId=1" will help understand some of the common drops, but iprope_in check is normally when trying to access something local on the firewall and is not allowed or restricted
i.e
ssh
sslvpn
etc.......
How this ( error ) plays in you design, is unclear until we see your pbr and/or better yet a topology map.
My hunch is your PBR is to some other interface on the 300C? But I' m 100% clear on what the LAN_aggr and port6 interfaces are doing, nor what your doing exactly with PBR or why you need it.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The 10.1.10.0 is on Port six of the 300C. It contains three servers that connect to the Internet but not to my Production LAN (LAN_Aggr). I want to be able to RDP from the Production network to the servers though, so I can perform administrative maintenance. Before I added the PBR any attempt to reach the 10.1.10.0 network from LAN_Aggr went out the primary internet connection. I have several PBRs due to a need to use a certain Internet connection (IP) for specific sites, and the other connection for everything else. Here are the routes and the policy:
config router policy
edit 23
set input-device " LAN_Aggr"
set src 192.168.0.0 255.255.252.0
set dst 10.1.10.0 255.255.255.0
set gateway 10.1.10.1
set output-device " port6"
next
edit 20
set input-device " LAN_Aggr"
set src 192.168.1.0 255.255.255.0
set dst 208.86.144.199 255.255.255.255
set gateway 209.221.7.97
set output-device " port1"
set comments " ECL via Exp"
next
edit 21
set input-device " LAN_Aggr"
set src 192.168.1.0 255.255.255.0
set dst 63.86.112.248 255.255.255.255
set gateway 209.221.7.97
set output-device " port1"
set comments " EStaff via Exp"
next
edit 22
set input-device " LAN_Aggr"
set src 192.168.1.0 255.255.255.0
set dst 67.104.186.15 255.255.255.255
set gateway 209.221.7.97
set output-device " port1"
set comments " FTP for N24 via Exp"
next
edit 18
set input-device " LAN_Aggr"
set src 192.168.1.0 255.255.255.0
set dst 72.159.68.196 255.255.255.255
set gateway 209.221.7.97
set output-device " port1"
set comments " AmEmp website via Exp"
next
edit 2
set input-device " LAN_Aggr"
set src 192.168.1.0 255.255.255.0
set gateway 24.123.126.33
set output-device " port3"
set comments " PC Traffic to TWC"
next
edit 3
set input-device " LAN_Aggr"
set src 192.168.0.0 255.255.255.0
set gateway 209.221.7.97
set output-device " port1"
set comments " Server traffic to EXP"
next
edit 16
set input-device " LAN_Aggr"
set src 192.168.120.0 255.255.255.0
set gateway 24.123.126.33
set output-device " port3"
set comments " Send IT PCs to TWC"
next
edit 17
set input-device " LAN_Aggr"
set src 192.168.130.0 255.255.255.0
set gateway 24.123.126.33
set output-device " port3"
set comments " Send DEV PCs to TWC"
next
end
config firewall policy
edit 44
set srcintf " LAN_Aggr"
set dstintf " port6"
set srcaddr " LAN_HQ"
set dstaddr " STM"
set action accept
set schedule " always"
set service " ALL_ICMP" " RDP"
set logtraffic all
next
end
STM is an Address object of type Subnet 10.1.10.0/24
The PBR abbreviation took me a minute, I was totally thinking of Pabst Blue Ribbon Beer. I think I' m working too much.
----------------(--
Jeff
----------------(-- Jeff
Created on 05-08-2014 06:04 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Staring at this again, do I need a PBR to get the traffic back from Port6 to LAN_Aggr?
----------------(--
Jeff
----------------(-- Jeff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry about my use of the PBR abbr. But now I see you issues
Qs;
Is LAN_Aggr a direct connected interface & local to the foritigate firewall
Can you give us a view of your route tables
get router info routing-table connected
and
get router info routing-table all
and
get router info policy
And yes I don' t think you need PBR in this case. if you remove the pbr policies what happens and what does your diag debug flow show?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ADFG16 # get router info routing-table connected
C 10.1.1.0/24 is directly connected, VisitorWIFI
C 10.1.10.0/24 is directly connected, port6
C 10.10.1.0/24 is directly connected, port5
C 10.20.30.0/24 is directly connected, EmployeeDevices
C XXX.XXX.XXX.32/27 is directly connected, port3
C 172.16.0.0/24 is directly connected, Aethernet
C 172.16.10.0/24 is directly connected, AppleTV
C 192.168.0.0/22 is directly connected, LAN_Aggr
is directly connected, LAN_Aggr
C 192.168.89.0/24 is directly connected, port9
C 192.168.100.0/24 is directly connected, port2
C XXX.XXX.XXX.96/28 is directly connected, port1
ADFG16 #
ADFG16 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via XXX.XXX.XXX.97, port1
[10/0] via XXX.XXX.XXX.33, port3, [30/0]
C 10.1.1.0/24 is directly connected, VisitorWIFI
C 10.1.10.0/24 is directly connected, port6
C 10.10.1.0/24 is directly connected, port5
C 10.20.30.0/24 is directly connected, EmployeeDevices
C XXX.XXX.XXX.32/27 is directly connected, port3
C 172.16.0.0/24 is directly connected, Aethernet
C 172.16.10.0/24 is directly connected, AppleTV
C 192.168.0.0/22 is directly connected, LAN_Aggr
is directly connected, LAN_Aggr
C 192.168.89.0/24 is directly connected, port9
C 192.168.100.0/24 is directly connected, port2
S 192.168.120.0/24 [10/0] via 192.168.0.20, LAN_Aggr
S 192.168.130.0/24 [10/0] via 192.168.0.20, LAN_Aggr
S 192.168.200.0/24 [10/0] via 192.168.3.1, LAN_Aggr
C XXX.XXX.XXX.96/28 is directly connected, port1
ADFG16 #
ADFG16 # get router info policy
command parse error before ' policy'
Command fail. Return code -61
I removed the PBR and tried to access one of the servers via RDP:
ADFG16 #
ADFG16 # diag debug enable
ADFG16 # diag debug flow show console enable
show trace messages on console
ADFG16 # diag debug flow filter add 10.1.10.106
ADFG16 # diag debug flow start 100
ADFG16 # diag debug flow trace start 100
ADFG16 # id=13 trace_id=668 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=668 msg=" allocate a new session-017a5d5d"
id=13 trace_id=668 msg=" Match policy routing: to XXX.XXX.XXX.97via ifindex-10"
id=13 trace_id=668 msg=" find a route: gw-XXX.XXX.XXX.97via port1"
id=13 trace_id=668 msg=" use addr/intf hash, len=9"
id=13 trace_id=668 msg=" find SNAT: IP-XXX.XXX.XXX.105, port-54556"
id=13 trace_id=668 msg=" Allowed by Policy-9: SNAT"
id=13 trace_id=668 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
id=13 trace_id=669 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=669 msg=" Find an existing session, id-017a5d5d, original direction"
id=13 trace_id=669 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
id=13 trace_id=670 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=670 msg=" Find an existing session, id-017a5d5d, original direction"
id=13 trace_id=670 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
I just noticed the traffic to XXX.XXX.XXX.105. That would be the IP of Port 1 and the upstream router is .97
----------------(--
Jeff
----------------(-- Jeff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What?
You don' t need PBR in this case. What' s the address of the client 192.168.0.241? and is going to a host on port 6?
if yes;
Then you don' t need PBR , you don' t need SNAT.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
192.168.0.241 is my PC on the LAN_AGGR network (192.168.0.0/255.255.252.0) The SNAT is coming from Policy #9, which is the policy that allows my PC Internet access. When I go out to the Internet, I am NATed as the address of PORT1. That is why I put in the PBR because I thought my PC didn' t know how to reach 10.1.10.106. I can ping 10.1.10.1 with or without the PBR.
----------------(--
Jeff
----------------(-- Jeff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don' t known why you think you need pbr , but what I would do is strike the policy-router statement.
A recreate a firewall policy that Actually allow traffic from " LAN_Aggr " to " Port6" no nat.
e.g ( this looks good )
edit 44
set srcintf " LAN_Aggr"
set dstintf " port6"
set srcaddr " LAN_HQ"
set dstaddr " STM" <---- is the correct destination host
set action accept
set schedule " always"
set service " ALL_ICMP" " RDP"
set logtraffic all
next
end
For the pbr policy #23 I would remove that policy;
config router policy
delete 23
Like i mention b4, I question your use of PBR. I don' t see how you think you need it. The Policy that allows traffic from your inside to outside and SNAT has nothing or should have nothing todo with traffic to port6.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I only added the policy route after I determined that when I tried to access the 10.1.10.0 network on Port 6 from the LAN_Aggr (192.168.0.0) my traffic was being routed out the primary WAN connection (port1)
Before PBR:
ADFG16 # id=13 trace_id=668 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=668 msg=" allocate a new session-017a5d5d"
id=13 trace_id=668 msg=" Match policy routing: to XXX.XXX.XXX.97via ifindex-10"
id=13 trace_id=668 msg=" find a route: gw-XXX.XXX.XXX.97via port1"
id=13 trace_id=668 msg=" use addr/intf hash, len=9"
id=13 trace_id=668 msg=" find SNAT: IP-XXX.XXX.XXX.105, port-54556"
id=13 trace_id=668 msg=" Allowed by Policy-9: SNAT"
id=13 trace_id=668 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
After PBR:
id=13 trace_id=473 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=473 msg=" allocate a new session-01692af5"
id=13 trace_id=473 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=473 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=473 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=474 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=474 msg=" allocate a new session-01692b61"
id=13 trace_id=474 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=474 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=474 msg=" iprope_in_check() check failed, drop"
----------------(--
Jeff
----------------(-- Jeff
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Issues with FortiClient EMS on macOS 93 Views
- SSL vpn to vlan implicit deny 172 Views
- .gov.uk site wont work but .co.uk... 127 Views
- Prevent randomization of source port 174 Views
- FortAP and EAP-TLS Authentication, failing at... 154 Views
Labels
-
FortiGate
8,349 -
FortiClient
1,688 -
5.2
801 -
FortiManager
703 -
5.4
639 -
FortiAnalyzer
533 -
FortiSwitch
452 -
FortiAP
446 -
6.0
416 -
FortiClient EMS
394 -
5.6
362 -
FortiMail
307 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
205 -
5.0
196 -
FortiWeb
194 -
IPsec
174 -
FortiNAC
171 -
FortiGuard
132 -
6.4
128 -
SD-WAN
102 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
80 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
56 -
Fortivoice
50 -
FortiEDR
50 -
FortiADC
50 -
High Availability
48 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Web profile
23 -
Application control
22 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
Proxy policy
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1633 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.