Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- What am I missing here?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What am I missing here?
I am trying to access a machine that is plugged into Port 6 of my 300C (5.0.7) from a Lan Aggregate port setup. For the life of me I cannot figure out why it isn' t working. I have the policy to allow traffic from the Lann Agg to Port 6, and a policy route so the traffic know where to go. When I try to connect nothing happens and the debug flow looks like this:
ADFG16 # id=13 trace_id=468 msg=" vd-root received a packet(proto=17, 10.1.10.106:138->10.1.10.255:138) from port6."
id=13 trace_id=468 msg=" allocate a new session-016914b0"
id=13 trace_id=468 msg=" find a route: gw-10.1.10.255 via root"
id=13 trace_id=468 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=469 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
id=13 trace_id=469 msg=" allocate a new session-01691627"
id=13 trace_id=469 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=469 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=469 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=470 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
id=13 trace_id=470 msg=" allocate a new session-016916d1"
id=13 trace_id=470 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=470 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=470 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=471 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
id=13 trace_id=471 msg=" allocate a new session-01691730"
id=13 trace_id=471 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=471 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=471 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=472 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr."
id=13 trace_id=472 msg=" allocate a new session-016917f6"
id=13 trace_id=472 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=472 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=472 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=473 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=473 msg=" allocate a new session-01692af5"
id=13 trace_id=473 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=473 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=473 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=474 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=474 msg=" allocate a new session-01692b61"
id=13 trace_id=474 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=474 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=474 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=475 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=475 msg=" allocate a new session-01692c01"
id=13 trace_id=475 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=475 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=475 msg=" iprope_in_check() check failed, drop"
This is got to be something simple, but after hours of staring I' m just going cross-eyed.
----------------(--
Jeff
----------------(-- Jeff
16 REPLIES 16
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you explain your PBR design and how/were the ip_address of 10.1.10.1 sits in this design ?
Also the " http://kb.fortinet.com/kb/viewContent.do?externalId=FD31702&sliceId=1" will help understand some of the common drops, but iprope_in check is normally when trying to access something local on the firewall and is not allowed or restricted
i.e
ssh
sslvpn
etc.......
How this ( error ) plays in you design, is unclear until we see your pbr and/or better yet a topology map.
My hunch is your PBR is to some other interface on the 300C? But I' m 100% clear on what the LAN_aggr and port6 interfaces are doing, nor what your doing exactly with PBR or why you need it.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The 10.1.10.0 is on Port six of the 300C. It contains three servers that connect to the Internet but not to my Production LAN (LAN_Aggr). I want to be able to RDP from the Production network to the servers though, so I can perform administrative maintenance. Before I added the PBR any attempt to reach the 10.1.10.0 network from LAN_Aggr went out the primary internet connection. I have several PBRs due to a need to use a certain Internet connection (IP) for specific sites, and the other connection for everything else. Here are the routes and the policy:
config router policy
edit 23
set input-device " LAN_Aggr"
set src 192.168.0.0 255.255.252.0
set dst 10.1.10.0 255.255.255.0
set gateway 10.1.10.1
set output-device " port6"
next
edit 20
set input-device " LAN_Aggr"
set src 192.168.1.0 255.255.255.0
set dst 208.86.144.199 255.255.255.255
set gateway 209.221.7.97
set output-device " port1"
set comments " ECL via Exp"
next
edit 21
set input-device " LAN_Aggr"
set src 192.168.1.0 255.255.255.0
set dst 63.86.112.248 255.255.255.255
set gateway 209.221.7.97
set output-device " port1"
set comments " EStaff via Exp"
next
edit 22
set input-device " LAN_Aggr"
set src 192.168.1.0 255.255.255.0
set dst 67.104.186.15 255.255.255.255
set gateway 209.221.7.97
set output-device " port1"
set comments " FTP for N24 via Exp"
next
edit 18
set input-device " LAN_Aggr"
set src 192.168.1.0 255.255.255.0
set dst 72.159.68.196 255.255.255.255
set gateway 209.221.7.97
set output-device " port1"
set comments " AmEmp website via Exp"
next
edit 2
set input-device " LAN_Aggr"
set src 192.168.1.0 255.255.255.0
set gateway 24.123.126.33
set output-device " port3"
set comments " PC Traffic to TWC"
next
edit 3
set input-device " LAN_Aggr"
set src 192.168.0.0 255.255.255.0
set gateway 209.221.7.97
set output-device " port1"
set comments " Server traffic to EXP"
next
edit 16
set input-device " LAN_Aggr"
set src 192.168.120.0 255.255.255.0
set gateway 24.123.126.33
set output-device " port3"
set comments " Send IT PCs to TWC"
next
edit 17
set input-device " LAN_Aggr"
set src 192.168.130.0 255.255.255.0
set gateway 24.123.126.33
set output-device " port3"
set comments " Send DEV PCs to TWC"
next
end
config firewall policy
edit 44
set srcintf " LAN_Aggr"
set dstintf " port6"
set srcaddr " LAN_HQ"
set dstaddr " STM"
set action accept
set schedule " always"
set service " ALL_ICMP" " RDP"
set logtraffic all
next
end
STM is an Address object of type Subnet 10.1.10.0/24
The PBR abbreviation took me a minute, I was totally thinking of Pabst Blue Ribbon Beer. I think I' m working too much.
----------------(--
Jeff
----------------(-- Jeff
Created on ‎05-08-2014 06:04 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Staring at this again, do I need a PBR to get the traffic back from Port6 to LAN_Aggr?
----------------(--
Jeff
----------------(-- Jeff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry about my use of the PBR abbr. But now I see you issues
Qs;
Is LAN_Aggr a direct connected interface & local to the foritigate firewall
Can you give us a view of your route tables
get router info routing-table connected
and
get router info routing-table all
and
get router info policy
And yes I don' t think you need PBR in this case. if you remove the pbr policies what happens and what does your diag debug flow show?
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ADFG16 # get router info routing-table connected
C 10.1.1.0/24 is directly connected, VisitorWIFI
C 10.1.10.0/24 is directly connected, port6
C 10.10.1.0/24 is directly connected, port5
C 10.20.30.0/24 is directly connected, EmployeeDevices
C XXX.XXX.XXX.32/27 is directly connected, port3
C 172.16.0.0/24 is directly connected, Aethernet
C 172.16.10.0/24 is directly connected, AppleTV
C 192.168.0.0/22 is directly connected, LAN_Aggr
is directly connected, LAN_Aggr
C 192.168.89.0/24 is directly connected, port9
C 192.168.100.0/24 is directly connected, port2
C XXX.XXX.XXX.96/28 is directly connected, port1
ADFG16 #
ADFG16 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
S* 0.0.0.0/0 [10/0] via XXX.XXX.XXX.97, port1
[10/0] via XXX.XXX.XXX.33, port3, [30/0]
C 10.1.1.0/24 is directly connected, VisitorWIFI
C 10.1.10.0/24 is directly connected, port6
C 10.10.1.0/24 is directly connected, port5
C 10.20.30.0/24 is directly connected, EmployeeDevices
C XXX.XXX.XXX.32/27 is directly connected, port3
C 172.16.0.0/24 is directly connected, Aethernet
C 172.16.10.0/24 is directly connected, AppleTV
C 192.168.0.0/22 is directly connected, LAN_Aggr
is directly connected, LAN_Aggr
C 192.168.89.0/24 is directly connected, port9
C 192.168.100.0/24 is directly connected, port2
S 192.168.120.0/24 [10/0] via 192.168.0.20, LAN_Aggr
S 192.168.130.0/24 [10/0] via 192.168.0.20, LAN_Aggr
S 192.168.200.0/24 [10/0] via 192.168.3.1, LAN_Aggr
C XXX.XXX.XXX.96/28 is directly connected, port1
ADFG16 #
ADFG16 # get router info policy
command parse error before ' policy'
Command fail. Return code -61
I removed the PBR and tried to access one of the servers via RDP:
ADFG16 #
ADFG16 # diag debug enable
ADFG16 # diag debug flow show console enable
show trace messages on console
ADFG16 # diag debug flow filter add 10.1.10.106
ADFG16 # diag debug flow start 100
ADFG16 # diag debug flow trace start 100
ADFG16 # id=13 trace_id=668 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=668 msg=" allocate a new session-017a5d5d"
id=13 trace_id=668 msg=" Match policy routing: to XXX.XXX.XXX.97via ifindex-10"
id=13 trace_id=668 msg=" find a route: gw-XXX.XXX.XXX.97via port1"
id=13 trace_id=668 msg=" use addr/intf hash, len=9"
id=13 trace_id=668 msg=" find SNAT: IP-XXX.XXX.XXX.105, port-54556"
id=13 trace_id=668 msg=" Allowed by Policy-9: SNAT"
id=13 trace_id=668 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
id=13 trace_id=669 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=669 msg=" Find an existing session, id-017a5d5d, original direction"
id=13 trace_id=669 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
id=13 trace_id=670 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=670 msg=" Find an existing session, id-017a5d5d, original direction"
id=13 trace_id=670 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
I just noticed the traffic to XXX.XXX.XXX.105. That would be the IP of Port 1 and the upstream router is .97
----------------(--
Jeff
----------------(-- Jeff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What?
You don' t need PBR in this case. What' s the address of the client 192.168.0.241? and is going to a host on port 6?
if yes;
Then you don' t need PBR , you don' t need SNAT.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
192.168.0.241 is my PC on the LAN_AGGR network (192.168.0.0/255.255.252.0) The SNAT is coming from Policy #9, which is the policy that allows my PC Internet access. When I go out to the Internet, I am NATed as the address of PORT1. That is why I put in the PBR because I thought my PC didn' t know how to reach 10.1.10.106. I can ping 10.1.10.1 with or without the PBR.
----------------(--
Jeff
----------------(-- Jeff
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don' t known why you think you need pbr , but what I would do is strike the policy-router statement.
A recreate a firewall policy that Actually allow traffic from " LAN_Aggr " to " Port6" no nat.
e.g ( this looks good )
edit 44
set srcintf " LAN_Aggr"
set dstintf " port6"
set srcaddr " LAN_HQ"
set dstaddr " STM" <---- is the correct destination host
set action accept
set schedule " always"
set service " ALL_ICMP" " RDP"
set logtraffic all
next
end
For the pbr policy #23 I would remove that policy;
config router policy
delete 23
Like i mention b4, I question your use of PBR. I don' t see how you think you need it. The Policy that allows traffic from your inside to outside and SNAT has nothing or should have nothing todo with traffic to port6.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I only added the policy route after I determined that when I tried to access the 10.1.10.0 network on Port 6 from the LAN_Aggr (192.168.0.0) my traffic was being routed out the primary WAN connection (port1)
Before PBR:
ADFG16 # id=13 trace_id=668 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=668 msg=" allocate a new session-017a5d5d"
id=13 trace_id=668 msg=" Match policy routing: to XXX.XXX.XXX.97via ifindex-10"
id=13 trace_id=668 msg=" find a route: gw-XXX.XXX.XXX.97via port1"
id=13 trace_id=668 msg=" use addr/intf hash, len=9"
id=13 trace_id=668 msg=" find SNAT: IP-XXX.XXX.XXX.105, port-54556"
id=13 trace_id=668 msg=" Allowed by Policy-9: SNAT"
id=13 trace_id=668 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556"
After PBR:
id=13 trace_id=473 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=473 msg=" allocate a new session-01692af5"
id=13 trace_id=473 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=473 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=473 msg=" iprope_in_check() check failed, drop"
id=13 trace_id=474 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr."
id=13 trace_id=474 msg=" allocate a new session-01692b61"
id=13 trace_id=474 msg=" Match policy routing: to 10.1.10.1 via ifindex-5"
id=13 trace_id=474 msg=" find a route: gw-10.1.10.1 via root"
id=13 trace_id=474 msg=" iprope_in_check() check failed, drop"
----------------(--
Jeff
----------------(-- Jeff
Labels
-
FortiGate
10,808 -
FortiClient
2,214 -
FortiManager
906 -
FortiAnalyzer
691 -
5.2
687 -
5.4
638 -
FortiSwitch
598 -
FortiClient EMS
585 -
FortiAP
569 -
IPsec
446 -
6.0
416 -
SSL-VPN
394 -
FortiMail
380 -
5.6
362 -
FortiNAC
299 -
FortiWeb
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
208 -
FortiAuthenticator
186 -
FortiGuard
161 -
5.0
152 -
Firewall policy
150 -
FortiGate-VM
141 -
6.4
128 -
FortiCloud Products
120 -
FortiToken
115 -
FortiSIEM
113 -
FortiGateCloud
112 -
Wireless Controller
96 -
High Availability
94 -
Customer Service
88 -
ZTNA
80 -
FortiProxy
79 -
Routing
79 -
SAML
78 -
BGP
74 -
Fortivoice
73 -
DNS
73 -
VLAN
73 -
FortiEDR
71 -
Authentication
71 -
FortiADC
69 -
Certificate
69 -
LDAP
65 -
RADIUS
63 -
FortiLink
59 -
SSO
57 -
NAT
57 -
FortiSandbox
55 -
FortiExtender
52 -
Interface
50 -
VDOM
50 -
4.0MR3
49 -
Application control
48 -
Virtual IP
45 -
FortiDNS
43 -
Logging
43 -
SSL SSH inspection
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
37 -
Web profile
36 -
FortiConnect
35 -
Automation
35 -
FortiWAN
31 -
FortiConverter
31 -
API
30 -
FortiGate v5.2
28 -
Fortigate Cloud
27 -
Traffic shaping
26 -
Static route
26 -
SNMP
25 -
SSID
25 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
System settings
22 -
WAN optimization
22 -
FortiMonitor
21 -
OSPF
21 -
Security profile
19 -
Web application firewall profile
19 -
Web rating
19 -
IP address management - IPAM
19 -
FortiSOAR
18 -
FortiAP profile
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
Explicit proxy
16 -
Admin
15 -
IPS signature
15 -
Proxy policy
15 -
Intrusion prevention
15 -
FortiManager v4.0
14 -
FortiCASB
14 -
NAC policy
14 -
DNS filter
13 -
Users
13 -
FortiManager v5.0
12 -
FortiDeceptor
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiBridge
11 -
FortiRecorder
11 -
Trunk
11 -
Authentication rule and scheme
11 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
Traffic shaping profile
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
Application signature
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiNDR
6 -
DoS policy
6 -
FortiCarrier
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
Email filter profile
5 -
Protocol option
5 -
TACACS
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiAI
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiEdge Cloud
3 -
FortiInsight
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
Lacework
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2727 | |
| 1417 | |
| 810 | |
| 738 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.