Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jeff_the_Network_Guy
New Contributor III

What am I missing here?

I am trying to access a machine that is plugged into Port 6 of my 300C (5.0.7) from a Lan Aggregate port setup. For the life of me I cannot figure out why it isn' t working. I have the policy to allow traffic from the Lann Agg to Port 6, and a policy route so the traffic know where to go. When I try to connect nothing happens and the debug flow looks like this: ADFG16 # id=13 trace_id=468 msg=" vd-root received a packet(proto=17, 10.1.10.106:138->10.1.10.255:138) from port6." id=13 trace_id=468 msg=" allocate a new session-016914b0" id=13 trace_id=468 msg=" find a route: gw-10.1.10.255 via root" id=13 trace_id=468 msg=" iprope_in_check() check failed, drop" id=13 trace_id=469 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr." id=13 trace_id=469 msg=" allocate a new session-01691627" id=13 trace_id=469 msg=" Match policy routing: to 10.1.10.1 via ifindex-5" id=13 trace_id=469 msg=" find a route: gw-10.1.10.1 via root" id=13 trace_id=469 msg=" iprope_in_check() check failed, drop" id=13 trace_id=470 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr." id=13 trace_id=470 msg=" allocate a new session-016916d1" id=13 trace_id=470 msg=" Match policy routing: to 10.1.10.1 via ifindex-5" id=13 trace_id=470 msg=" find a route: gw-10.1.10.1 via root" id=13 trace_id=470 msg=" iprope_in_check() check failed, drop" id=13 trace_id=471 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr." id=13 trace_id=471 msg=" allocate a new session-01691730" id=13 trace_id=471 msg=" Match policy routing: to 10.1.10.1 via ifindex-5" id=13 trace_id=471 msg=" find a route: gw-10.1.10.1 via root" id=13 trace_id=471 msg=" iprope_in_check() check failed, drop" id=13 trace_id=472 msg=" vd-root received a packet(proto=1, 192.168.0.241:2->10.1.10.106:8) from LAN_Aggr." id=13 trace_id=472 msg=" allocate a new session-016917f6" id=13 trace_id=472 msg=" Match policy routing: to 10.1.10.1 via ifindex-5" id=13 trace_id=472 msg=" find a route: gw-10.1.10.1 via root" id=13 trace_id=472 msg=" iprope_in_check() check failed, drop" id=13 trace_id=473 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr." id=13 trace_id=473 msg=" allocate a new session-01692af5" id=13 trace_id=473 msg=" Match policy routing: to 10.1.10.1 via ifindex-5" id=13 trace_id=473 msg=" find a route: gw-10.1.10.1 via root" id=13 trace_id=473 msg=" iprope_in_check() check failed, drop" id=13 trace_id=474 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr." id=13 trace_id=474 msg=" allocate a new session-01692b61" id=13 trace_id=474 msg=" Match policy routing: to 10.1.10.1 via ifindex-5" id=13 trace_id=474 msg=" find a route: gw-10.1.10.1 via root" id=13 trace_id=474 msg=" iprope_in_check() check failed, drop" id=13 trace_id=475 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr." id=13 trace_id=475 msg=" allocate a new session-01692c01" id=13 trace_id=475 msg=" Match policy routing: to 10.1.10.1 via ifindex-5" id=13 trace_id=475 msg=" find a route: gw-10.1.10.1 via root" id=13 trace_id=475 msg=" iprope_in_check() check failed, drop" This is got to be something simple, but after hours of staring I' m just going cross-eyed.
----------------(-- Jeff
----------------(-- Jeff
16 REPLIES 16
emnoc
Esteemed Contributor III

Can you explain your PBR design and how/were the ip_address of 10.1.10.1 sits in this design ? Also the " http://kb.fortinet.com/kb/viewContent.do?externalId=FD31702&sliceId=1" will help understand some of the common drops, but iprope_in check is normally when trying to access something local on the firewall and is not allowed or restricted i.e ssh sslvpn etc....... How this ( error ) plays in you design, is unclear until we see your pbr and/or better yet a topology map. My hunch is your PBR is to some other interface on the 300C? But I' m 100% clear on what the LAN_aggr and port6 interfaces are doing, nor what your doing exactly with PBR or why you need it.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Jeff_the_Network_Guy

The 10.1.10.0 is on Port six of the 300C. It contains three servers that connect to the Internet but not to my Production LAN (LAN_Aggr). I want to be able to RDP from the Production network to the servers though, so I can perform administrative maintenance. Before I added the PBR any attempt to reach the 10.1.10.0 network from LAN_Aggr went out the primary internet connection. I have several PBRs due to a need to use a certain Internet connection (IP) for specific sites, and the other connection for everything else. Here are the routes and the policy: config router policy edit 23 set input-device " LAN_Aggr" set src 192.168.0.0 255.255.252.0 set dst 10.1.10.0 255.255.255.0 set gateway 10.1.10.1 set output-device " port6" next edit 20 set input-device " LAN_Aggr" set src 192.168.1.0 255.255.255.0 set dst 208.86.144.199 255.255.255.255 set gateway 209.221.7.97 set output-device " port1" set comments " ECL via Exp" next edit 21 set input-device " LAN_Aggr" set src 192.168.1.0 255.255.255.0 set dst 63.86.112.248 255.255.255.255 set gateway 209.221.7.97 set output-device " port1" set comments " EStaff via Exp" next edit 22 set input-device " LAN_Aggr" set src 192.168.1.0 255.255.255.0 set dst 67.104.186.15 255.255.255.255 set gateway 209.221.7.97 set output-device " port1" set comments " FTP for N24 via Exp" next edit 18 set input-device " LAN_Aggr" set src 192.168.1.0 255.255.255.0 set dst 72.159.68.196 255.255.255.255 set gateway 209.221.7.97 set output-device " port1" set comments " AmEmp website via Exp" next edit 2 set input-device " LAN_Aggr" set src 192.168.1.0 255.255.255.0 set gateway 24.123.126.33 set output-device " port3" set comments " PC Traffic to TWC" next edit 3 set input-device " LAN_Aggr" set src 192.168.0.0 255.255.255.0 set gateway 209.221.7.97 set output-device " port1" set comments " Server traffic to EXP" next edit 16 set input-device " LAN_Aggr" set src 192.168.120.0 255.255.255.0 set gateway 24.123.126.33 set output-device " port3" set comments " Send IT PCs to TWC" next edit 17 set input-device " LAN_Aggr" set src 192.168.130.0 255.255.255.0 set gateway 24.123.126.33 set output-device " port3" set comments " Send DEV PCs to TWC" next end config firewall policy edit 44 set srcintf " LAN_Aggr" set dstintf " port6" set srcaddr " LAN_HQ" set dstaddr " STM" set action accept set schedule " always" set service " ALL_ICMP" " RDP" set logtraffic all next end STM is an Address object of type Subnet 10.1.10.0/24 The PBR abbreviation took me a minute, I was totally thinking of Pabst Blue Ribbon Beer. I think I' m working too much.
----------------(-- Jeff
----------------(-- Jeff
Jeff_the_Network_Guy

Staring at this again, do I need a PBR to get the traffic back from Port6 to LAN_Aggr?
----------------(-- Jeff
----------------(-- Jeff
emnoc
Esteemed Contributor III

Sorry about my use of the PBR abbr. But now I see you issues Qs; Is LAN_Aggr a direct connected interface & local to the foritigate firewall Can you give us a view of your route tables get router info routing-table connected and get router info routing-table all and get router info policy And yes I don' t think you need PBR in this case. if you remove the pbr policies what happens and what does your diag debug flow show?

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Jeff_the_Network_Guy

ADFG16 # get router info routing-table connected C 10.1.1.0/24 is directly connected, VisitorWIFI C 10.1.10.0/24 is directly connected, port6 C 10.10.1.0/24 is directly connected, port5 C 10.20.30.0/24 is directly connected, EmployeeDevices C XXX.XXX.XXX.32/27 is directly connected, port3 C 172.16.0.0/24 is directly connected, Aethernet C 172.16.10.0/24 is directly connected, AppleTV C 192.168.0.0/22 is directly connected, LAN_Aggr is directly connected, LAN_Aggr C 192.168.89.0/24 is directly connected, port9 C 192.168.100.0/24 is directly connected, port2 C XXX.XXX.XXX.96/28 is directly connected, port1 ADFG16 # ADFG16 # get router info routing-table all Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default S* 0.0.0.0/0 [10/0] via XXX.XXX.XXX.97, port1 [10/0] via XXX.XXX.XXX.33, port3, [30/0] C 10.1.1.0/24 is directly connected, VisitorWIFI C 10.1.10.0/24 is directly connected, port6 C 10.10.1.0/24 is directly connected, port5 C 10.20.30.0/24 is directly connected, EmployeeDevices C XXX.XXX.XXX.32/27 is directly connected, port3 C 172.16.0.0/24 is directly connected, Aethernet C 172.16.10.0/24 is directly connected, AppleTV C 192.168.0.0/22 is directly connected, LAN_Aggr is directly connected, LAN_Aggr C 192.168.89.0/24 is directly connected, port9 C 192.168.100.0/24 is directly connected, port2 S 192.168.120.0/24 [10/0] via 192.168.0.20, LAN_Aggr S 192.168.130.0/24 [10/0] via 192.168.0.20, LAN_Aggr S 192.168.200.0/24 [10/0] via 192.168.3.1, LAN_Aggr C XXX.XXX.XXX.96/28 is directly connected, port1 ADFG16 # ADFG16 # get router info policy command parse error before ' policy' Command fail. Return code -61 I removed the PBR and tried to access one of the servers via RDP: ADFG16 # ADFG16 # diag debug enable ADFG16 # diag debug flow show console enable show trace messages on console ADFG16 # diag debug flow filter add 10.1.10.106 ADFG16 # diag debug flow start 100 ADFG16 # diag debug flow trace start 100 ADFG16 # id=13 trace_id=668 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr." id=13 trace_id=668 msg=" allocate a new session-017a5d5d" id=13 trace_id=668 msg=" Match policy routing: to XXX.XXX.XXX.97via ifindex-10" id=13 trace_id=668 msg=" find a route: gw-XXX.XXX.XXX.97via port1" id=13 trace_id=668 msg=" use addr/intf hash, len=9" id=13 trace_id=668 msg=" find SNAT: IP-XXX.XXX.XXX.105, port-54556" id=13 trace_id=668 msg=" Allowed by Policy-9: SNAT" id=13 trace_id=668 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556" id=13 trace_id=669 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr." id=13 trace_id=669 msg=" Find an existing session, id-017a5d5d, original direction" id=13 trace_id=669 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556" id=13 trace_id=670 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr." id=13 trace_id=670 msg=" Find an existing session, id-017a5d5d, original direction" id=13 trace_id=670 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556" I just noticed the traffic to XXX.XXX.XXX.105. That would be the IP of Port 1 and the upstream router is .97
----------------(-- Jeff
----------------(-- Jeff
emnoc
Esteemed Contributor III

What? You don' t need PBR in this case. What' s the address of the client 192.168.0.241? and is going to a host on port 6? if yes; Then you don' t need PBR , you don' t need SNAT.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Jeff_the_Network_Guy

192.168.0.241 is my PC on the LAN_AGGR network (192.168.0.0/255.255.252.0) The SNAT is coming from Policy #9, which is the policy that allows my PC Internet access. When I go out to the Internet, I am NATed as the address of PORT1. That is why I put in the PBR because I thought my PC didn' t know how to reach 10.1.10.106. I can ping 10.1.10.1 with or without the PBR.
----------------(-- Jeff
----------------(-- Jeff
emnoc
Esteemed Contributor III

Don' t known why you think you need pbr , but what I would do is strike the policy-router statement. A recreate a firewall policy that Actually allow traffic from " LAN_Aggr " to " Port6" no nat. e.g ( this looks good ) edit 44 set srcintf " LAN_Aggr" set dstintf " port6" set srcaddr " LAN_HQ" set dstaddr " STM" <---- is the correct destination host set action accept set schedule " always" set service " ALL_ICMP" " RDP" set logtraffic all next end For the pbr policy #23 I would remove that policy; config router policy delete 23 Like i mention b4, I question your use of PBR. I don' t see how you think you need it. The Policy that allows traffic from your inside to outside and SNAT has nothing or should have nothing todo with traffic to port6.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Jeff_the_Network_Guy

I only added the policy route after I determined that when I tried to access the 10.1.10.0 network on Port 6 from the LAN_Aggr (192.168.0.0) my traffic was being routed out the primary WAN connection (port1) Before PBR: ADFG16 # id=13 trace_id=668 msg=" vd-root received a packet(proto=6, 192.168.0.241:54556->10.1.10.106:3389) from LAN_Aggr." id=13 trace_id=668 msg=" allocate a new session-017a5d5d" id=13 trace_id=668 msg=" Match policy routing: to XXX.XXX.XXX.97via ifindex-10" id=13 trace_id=668 msg=" find a route: gw-XXX.XXX.XXX.97via port1" id=13 trace_id=668 msg=" use addr/intf hash, len=9" id=13 trace_id=668 msg=" find SNAT: IP-XXX.XXX.XXX.105, port-54556" id=13 trace_id=668 msg=" Allowed by Policy-9: SNAT" id=13 trace_id=668 msg=" SNAT 192.168.0.241->XXX.XXX.XXX.105:54556" After PBR: id=13 trace_id=473 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr." id=13 trace_id=473 msg=" allocate a new session-01692af5" id=13 trace_id=473 msg=" Match policy routing: to 10.1.10.1 via ifindex-5" id=13 trace_id=473 msg=" find a route: gw-10.1.10.1 via root" id=13 trace_id=473 msg=" iprope_in_check() check failed, drop" id=13 trace_id=474 msg=" vd-root received a packet(proto=6, 192.168.0.241:53396->10.1.10.106:3389) from LAN_Aggr." id=13 trace_id=474 msg=" allocate a new session-01692b61" id=13 trace_id=474 msg=" Match policy routing: to 10.1.10.1 via ifindex-5" id=13 trace_id=474 msg=" find a route: gw-10.1.10.1 via root" id=13 trace_id=474 msg=" iprope_in_check() check failed, drop"
----------------(-- Jeff
----------------(-- Jeff
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors