Hi, I have an IP address 10.4.0.31 which requires SNAT to 10.20.30.132 to the remote site, which works fine with VIP and PBR to the remote site.
But now traffic to the internet is dropped. I think there is a conflict between SNAT and NAT on the WAN port, so I hope someone can help with that.
id=20085 trace_id=1807 func=print_pkt_detail line=5845 msg="vd-INTERNET:0 received a packet(proto=1, 10.4.0.31:1->23.44.48.163:2048) tun_id=0.0.0.0 from VLAN2000. type=8, code=0, id=1, seq=307."
id=20085 trace_id=1807 func=resolve_ip_tuple_fast line=5931 msg="Find an existing session, id-6b27d8fc, original direction"
id=20085 trace_id=1807 func=npu_handle_session44 line=1183 msg="Trying to offloading session from VLAN2000 to port8, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x04000000"
id=20085 trace_id=1807 func=ip_session_install_npu_session line=346 msg="npu session installation succeeded"
id=20085 trace_id=1807 func=fw_forward_dirty_handler line=410 msg="state=00010200, state2=00000000, npu_state=04000400"
id=20085 trace_id=1807 func=__ip_session_run_tuple line=3471 msg="SNAT 10.4.0.31->10.20.30.132:1"
id=20085 trace_id=1808 func=print_pkt_detail line=5845 msg="vd-INTERNET:0 received a packet(proto=6, 10.4.0.31:3389->192.168.20.1:54372) tun_id=0.0.0.0 from VLAN2000. flag [.], seq 1969280561, ack 1247270663, win 63224"
id=20085 trace_id=1808 func=resolve_ip_tuple_fast line=5931 msg="Find an existing session, id-6b19bff8, reply direction"
id=20085 trace_id=1808 func=__ip_session_run_tuple line=3484 msg="DNAT 192.168.20.1:54372->172.16.99.3:54372"
id=20085 trace_id=1808 func=npu_nturbo_unset_flags line=261 msg="ses->npu_state=0x41108 skb->npu_flag=0x400"
id=20085 trace_id=1808 func=npu_nturbo_unset_flags line=261 msg="ses->npu_state=0x41108 skb->npu_flag=0x400"
id=20085 trace_id=1808 func=npu_handle_session44 line=1183 msg="Trying to offloading session from VLAN2000 to ssl.INTERNET, skb.npu_flag=00000400 ses.state=01000204 ses.npu_state=0x00041108"
id=20085 trace_id=1808 func=fw_forward_dirty_handler line=410 msg="state=01000204, state2=00000001, npu_state=00041108"
id=20085 trace_id=1809 func=print_pkt_detail line=5845 msg="vd-INTERNET:0 received a packet(proto=17, 10.4.0.31:3389->192.168.20.1:63178) tun_id=0.0.0.0 from VLAN2000. "
id=20085 trace_id=1809 func=resolve_ip_tuple_fast line=5931 msg="Find an existing session, id-6b19c456, reply direction"
Hello Youssef,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Problem solved after changing the SNAT VIP rule to only the VPN interface instead of any.
Hello Youssef!
Thank you for letting us know!
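The symptom in the trace above (trace 1807 leaves through port8 towards 23.44.48.163 yet is still translated to 10.20.30.132) can be checked mechanically. This is an added example, not part of the original thread and not Fortinet code: it groups debug flow lines by trace_id and reports any trace where the site-to-site SNAT address is applied on an egress interface other than the VPN one. The interface name `vpn-remote`, the destination 10.50.0.10 and trace 9001 are constructed, since the thread does not name the VPN interface.

```python
import re
from collections import defaultdict

# Trace 1807 lines are copied from the post; trace 9001 is constructed and
# leaves through a hypothetical VPN interface called "vpn-remote".
SAMPLE = '''\
id=20085 trace_id=1807 func=print_pkt_detail line=5845 msg="vd-INTERNET:0 received a packet(proto=1, 10.4.0.31:1->23.44.48.163:2048) tun_id=0.0.0.0 from VLAN2000. type=8, code=0, id=1, seq=307."
id=20085 trace_id=1807 func=npu_handle_session44 line=1183 msg="Trying to offloading session from VLAN2000 to port8, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x04000000"
id=20085 trace_id=1807 func=__ip_session_run_tuple line=3471 msg="SNAT 10.4.0.31->10.20.30.132:1"
id=20085 trace_id=9001 func=print_pkt_detail line=5845 msg="vd-INTERNET:0 received a packet(proto=1, 10.4.0.31:1->10.50.0.10:2048) tun_id=0.0.0.0 from VLAN2000. type=8, code=0, id=1, seq=1."
id=20085 trace_id=9001 func=npu_handle_session44 line=1183 msg="Trying to offloading session from VLAN2000 to vpn-remote, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x04000000"
id=20085 trace_id=9001 func=__ip_session_run_tuple line=3471 msg="SNAT 10.4.0.31->10.20.30.132:1"
'''

LINE = re.compile(r'trace_id=(\d+) .*?msg="(.*)"')
PKT = re.compile(r'packet\(proto=\d+, ([\d.]+):\d+->([\d.]+):\d+\)')
EGRESS = re.compile(r'session from (\S+) to ([^,\s]+),')
NAT = re.compile(r'(SNAT|DNAT) ([\d.]+)(?::\d+)?->([\d.]+):\d+')

def parse_traces(text):
    """Collect src/dst, ingress/egress and NAT action per trace_id."""
    traces = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # wrapped or unrelated line
        t, msg = traces[int(m.group(1))], m.group(2)
        if (p := PKT.search(msg)):
            t["src"], t["dst"] = p.groups()
        if (e := EGRESS.search(msg)):
            t["ingress"], t["egress"] = e.groups()
        if (n := NAT.search(msg)):
            t["nat"] = n.groups()  # (kind, original address, translated address)
    return dict(traces)

def misapplied_snat(traces, snat_ip, allowed_egress):
    """Traces translated to snat_ip that leave via an interface outside allowed_egress."""
    hits = []
    for tid, t in sorted(traces.items()):
        nat = t.get("nat")
        if nat and nat[0] == "SNAT" and nat[2] == snat_ip \
                and t.get("egress") not in allowed_egress:
            hits.append((tid, t.get("dst"), t.get("egress")))
    return hits

if __name__ == "__main__":
    for hit in misapplied_snat(parse_traces(SAMPLE), "10.20.30.132", {"vpn-remote"}):
        print("SNAT applied outside VPN path: trace %d dst %s egress %s" % hit)
```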
Copyright 2024 Fortinet, Inc. All Rights Reserved.