
Where does packet capture fit within Life of a Packet?

I had a strange issue escalated to me over the weekend. A site recently migrated from MPLS to IPSec, and after a week, they started experiencing a periodic outage with voice RTP.


I set up a packet capture on both the ingress and egress interfaces of both firewalls. On site A, I could see the RTP traffic entering the LAN interface and egressing an IPSec tunnel interface, but on site B, the traffic was not coming through.


I finally adjusted the policies on Site A to allow ANY service through to Site B and it started working. After this, I drilled into the service objects on Site A and discovered one of the service objects had a port range that didn't cover all the needed ports.


What I don't understand is, why did the packet capture on the egress interface show the packets going out, when they were clearly being dropped by policy? Does anyone know?






Could you please collect the following commands on site A? 
The flow trace will confirm what happened to the packet (dropped or forwarded).


diagnose debug reset
diagnose debug disable
diagnose debug enable
diagnose debug console timestamp enable
diagnose debug flow filter clear
diagnose debug flow filter addr <IP address being dropped>
diagnose debug flow filter port <Port being dropped>
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 500
diagnose debug enable
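
Added example, not part of the original reply or Fortinet's own tooling: a Python sketch that groups saved flow-trace output by trace_id and lists the destination ports of packets the trace marks as denied, which is how a service object with too narrow a port range would show up. The sample lines are constructed, and the `id=/trace_id=/func=/line=/msg=` layout and the "Denied by" / "Allowed by" message wording are assumptions about the output format.

```python
import re
from collections import defaultdict

# Constructed sample of flow-trace output. Addresses, ports, policy ids and
# line= values are made up; the line layout is an assumed format.
SAMPLE = '''\
2024-01-06 10:15:01 id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=17, 10.1.1.20:16384->10.2.2.30:16390) from lan. "
2024-01-06 10:15:01 id=20085 trace_id=1 func=fw_forward_handler line=811 msg="Allowed by Policy-12:"
2024-01-06 10:15:02 id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=17, 10.1.1.20:16384->10.2.2.30:20512) from lan. "
2024-01-06 10:15:02 id=20085 trace_id=2 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
2024-01-06 10:15:03 id=20085 trace_id=3 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=17, 10.1.1.20:16386->10.2.2.30:20514) from lan. "
2024-01-06 10:15:03 id=20085 trace_id=3 func=fw_forward_handler line=586 msg="Denied by forward policy check (policy 0)"
'''

# One trace line: the trace_id ties together all lines for the same packet.
LINE = re.compile(r'trace_id=(\d+) func=\S+ line=\d+ msg="(.*)"')
# The first line of each trace carries the 5-tuple and ingress interface.
PKT = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (.+?)\.\s*$')

def summarize(text):
    """Group trace lines by trace_id and return one record per traced packet."""
    traces = defaultdict(lambda: {"verdict": "unknown"})
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # skip anything that is not a flow-trace line
        tid, msg = int(m.group(1)), m.group(2)
        pkt = PKT.search(msg)
        if pkt:
            proto, src, sport, dst, dport, iface = pkt.groups()
            traces[tid].update(proto=int(proto), src=src, sport=int(sport),
                               dst=dst, dport=int(dport), in_if=iface)
        elif msg.startswith("Denied by"):
            traces[tid].update(verdict="denied", reason=msg)
        elif msg.startswith("Allowed by"):
            traces[tid]["verdict"] = "allowed"
    return dict(traces)

def denied_dports(text):
    """Sorted destination ports of packets the trace shows as denied."""
    return sorted({t["dport"] for t in summarize(text).values()
                   if t["verdict"] == "denied" and "dport" in t})

if __name__ == "__main__":
    for tid, rec in sorted(summarize(SAMPLE).items()):
        print(tid, rec)
    print("denied destination ports:", denied_dports(SAMPLE))
```

Comparing the denied destination ports against the port range in the service object referenced by the policy shows which ports the object fails to cover.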
