Support Forum
youssefabdalla
New Contributor II

Device behind SNAT, IPsec site-to-site with overlapping subnet works but internet traffic is dropped

Hi, I have an IP address 10.4.0.31 which requires SNAT to 10.20.30.132 towards a remote site, which works fine with a VIP and PBR to the remote site.

But now traffic to the internet is dropped. I think there is a conflict between the SNAT and the NAT on the WAN port, so I hope someone could help with that.

id=20085 trace_id=1807 func=print_pkt_detail line=5845 msg="vd-INTERNET:0 received a packet(proto=1, 10.4.0.31:1->23.44.48.163:2048) tun_id=0.0.0.0 from VLAN2000. type=8, code=0, id=1, seq=307."
id=20085 trace_id=1807 func=resolve_ip_tuple_fast line=5931 msg="Find an existing session, id-6b27d8fc, original direction"
id=20085 trace_id=1807 func=npu_handle_session44 line=1183 msg="Trying to offloading session from VLAN2000 to port8, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x04000000"
id=20085 trace_id=1807 func=ip_session_install_npu_session line=346 msg="npu session installation succeeded"
id=20085 trace_id=1807 func=fw_forward_dirty_handler line=410 msg="state=00010200, state2=00000000, npu_state=04000400"
id=20085 trace_id=1807 func=__ip_session_run_tuple line=3471 msg="SNAT 10.4.0.31->10.20.30.132:1"
id=20085 trace_id=1808 func=print_pkt_detail line=5845 msg="vd-INTERNET:0 received a packet(proto=6, 10.4.0.31:3389->192.168.20.1:54372) tun_id=0.0.0.0 from VLAN2000. flag [.], seq 1969280561, ack 1247270663, win 63224"
id=20085 trace_id=1808 func=resolve_ip_tuple_fast line=5931 msg="Find an existing session, id-6b19bff8, reply direction"
id=20085 trace_id=1808 func=__ip_session_run_tuple line=3484 msg="DNAT 192.168.20.1:54372->172.16.99.3:54372"
id=20085 trace_id=1808 func=npu_nturbo_unset_flags line=261 msg="ses->npu_state=0x41108 skb->npu_flag=0x400"
id=20085 trace_id=1808 func=npu_nturbo_unset_flags line=261 msg="ses->npu_state=0x41108 skb->npu_flag=0x400"
id=20085 trace_id=1808 func=npu_handle_session44 line=1183 msg="Trying to offloading session from VLAN2000 to ssl.INTERNET, skb.npu_flag=00000400 ses.state=01000204 ses.npu_state=0x00041108"
id=20085 trace_id=1808 func=fw_forward_dirty_handler line=410 msg="state=01000204, state2=00000001, npu_state=00041108"
id=20085 trace_id=1809 func=print_pkt_detail line=5845 msg="vd-INTERNET:0 received a packet(proto=17, 10.4.0.31:3389->192.168.20.1:63178) tun_id=0.0.0.0 from VLAN2000. "
id=20085 trace_id=1809 func=resolve_ip_tuple_fast line=5931 msg="Find an existing session, id-6b19c456, reply direction"

Anthony_E
Community Manager

Hello Youssef,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
youssefabdalla
New Contributor II

Problem solved after changing the SNAT VIP rule to only the VPN interface instead of any.
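As an added example (not from the original poster or Fortinet), here is a small Python checker that reads `diagnose debug flow` output in the shape quoted above and flags traces where the SNAT address reserved for the overlapping VPN subnet is applied to a session being offloaded to a non-VPN interface, which is exactly the symptom before the VIP was restricted. The tunnel interface name `to_remote_vpn` is an assumption, since the thread does not name it.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the debug flow quoted in the thread (trimmed to the
# lines the check needs). Trace 1807 is ICMP to an internet host that still receives the
# VPN-only SNAT while being offloaded to port8 (the WAN port); trace 1808 is VPN traffic.
SAMPLE_LOG = """\
id=20085 trace_id=1807 func=print_pkt_detail line=5845 msg="vd-INTERNET:0 received a packet(proto=1, 10.4.0.31:1->23.44.48.163:2048) tun_id=0.0.0.0 from VLAN2000. type=8, code=0, id=1, seq=307."
id=20085 trace_id=1807 func=npu_handle_session44 line=1183 msg="Trying to offloading session from VLAN2000 to port8, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x04000000"
id=20085 trace_id=1807 func=__ip_session_run_tuple line=3471 msg="SNAT 10.4.0.31->10.20.30.132:1"
id=20085 trace_id=1808 func=print_pkt_detail line=5845 msg="vd-INTERNET:0 received a packet(proto=6, 10.4.0.31:3389->192.168.20.1:54372) tun_id=0.0.0.0 from VLAN2000. flag [.], seq 1969280561, ack 1247270663, win 63224"
id=20085 trace_id=1808 func=__ip_session_run_tuple line=3484 msg="DNAT 192.168.20.1:54372->172.16.99.3:54372"
id=20085 trace_id=1808 func=npu_handle_session44 line=1183 msg="Trying to offloading session from VLAN2000 to ssl.INTERNET, skb.npu_flag=00000400 ses.state=01000204 ses.npu_state=0x00041108"
"""

TRACE_RE = re.compile(r'trace_id=(\d+) func=(\S+) .*?msg="(.*)"$')
PKT_RE = re.compile(r'\(proto=\d+, (\S+?):\d+->(\S+?):\d+\)')
OFFLOAD_RE = re.compile(r'from (\S+) to (\S+),')
SNAT_RE = re.compile(r'SNAT (\S+)->(\S+):\d+')

def parse_traces(log):
    """Group source, destination, egress interface and SNAT target by trace_id."""
    traces = defaultdict(dict)
    for line in log.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        tid, func, msg = m.groups()
        t = traces[tid]
        if func == "print_pkt_detail":
            t["src"], t["dst"] = PKT_RE.search(msg).groups()
        elif func == "npu_handle_session44":
            t["egress"] = OFFLOAD_RE.search(msg).group(2)   # interface the session leaves on
        elif msg.startswith("SNAT "):
            t["snat_to"] = SNAT_RE.search(msg).group(2)     # translated source address
    return traces

def find_leaked_snat(log, overlap_snat_ip, vpn_interfaces):
    """Return (trace_id, destination, egress) for traces where the VPN-only SNAT
    is applied even though the session is not leaving through a VPN interface."""
    hits = []
    for tid, t in parse_traces(log).items():
        if t.get("snat_to") == overlap_snat_ip and t.get("egress") not in vpn_interfaces:
            hits.append((tid, t.get("dst"), t.get("egress")))
    return hits

if __name__ == "__main__":
    # "to_remote_vpn" is an assumed tunnel interface name; substitute the real one.
    for hit in find_leaked_snat(SAMPLE_LOG, "10.20.30.132", {"to_remote_vpn"}):
        print("overlap SNAT applied outside the VPN: trace=%s dst=%s egress=%s" % hit)
```

Run against a real capture, a hit on the WAN interface is the signature of a VIP whose external interface is still "any"; after restricting it to the tunnel interface, internet-bound traces should no longer show the SNAT line.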

Anthony_E
Community Manager

Hello Youssef!

Thank you for letting us know!

Anthony-Fortinet Community Team.