Support Forum
FrankCQI
New Contributor

iprope_in_check failed, drop

Hi, we have a fortigate 60D. I have an access point who must report to a wireless controller on another subnet going through the fortigate. Routes are OK as other devices can route traffic just fine between the 2 subnets. It seems the broadcasts from the access point to discover the wireless controller are blocked... Here is the result of the debug trace:

id=13 trace_id=200 msg="vd-root received a packet(proto=17, 172.25.18.206:38212->255.255.255.255:38212) from internal."
id=13 trace_id=200 msg="allocate a new session-00000663"
id=13 trace_id=200 msg="iprope_in_check() check failed, drop"

Why is it blocked? How can I allow that traffic? Both subnets are reachable via the "internal" interface of the fortigate.
Frank
20 REPLIES
FrankCQI
New Contributor

My controller and access point are not Fortinet products, they are HP MSM products. I don't think your solution would work. I already ran the "set broadcast-forward enable" command, and traffic is still blocked. Any other idea?
Frank
ede_pfau
SuperUser

DHCP options are part of the protocol standard (RFC), meaning they are vendor independent. I'd give it a try.
Ede Kernel panic: Aiee, killing interrupt handler!
Dave_Hall
Honored Contributor

Looking at one of the HP MSM controller manuals, those APs can locate the controller through UDP broadcast (local subnet only), DHCP, or DNS. You may want to try one of the alternate methods (page 188 through 193 of linked pdf above).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
FrankCQI
New Contributor

We already have an entry in the DNS to have the AP find the controller on a different subnet.
Frank
FrankCQI
New Contributor

I added the "set option1 138 'HEXADRESS'" in the dhcp config of my fortigate, still no luck....
Frank
Dave_Hall
Honored Contributor

I added the "set option1 138 'HEXADRESS'" in the dhcp config of my fortigate, still no luck....
As far as I am aware, the HP MSM controllers do not follow the CAPWAP standard. That PDF manual I linked to earlier indicates something about setting up a Colubris vendor class identifier and/or Colubris-specific options (43) (see page 646 to 655). I never played around with vendor classes, but on the fgt, you need to configure them on the CLI (under the config system dhcp server section).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
FrankCQI
New Contributor

Yes, I did set it up under the CLI; after reviewing your post I changed it to option 43... Still no luck!
Frank
Dave_Hall
Honored Contributor

I am thinking the AP is expecting something more than just the hex value of the controller's IP address. You may have to enter the value for option 43 as... 01 08 "4-byte hex value of controller IP address" x 2. (see pic). edit: don't know if hex 0A is needed or not or if the fgt will pass the length of the option string itself. Personally, if you only have a handful of APs or less, I may consider a short-term solution and just manually program the controller's IP address into each AP; later if there is time try getting the DHCP option working.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
emnoc
Esteemed Contributor III

You might have a better solution. If you have an existing dhcp server for the WifiAP, or if the wlan-controller is the dhcp server (even better), then why don't you enable dhcp-relay on the interface that attaches to the HP AP and relay the dhcp-discover to the dhcp-server? I do and recommend this when I work with phone-gear and want central dhcp management. It would also avoid having to figure out the dhcp-server options and hex conversion, blah blah blah..... It will only require 2 cmds on the fortigate btw:

config t
edit "your interface name"
set dhcp-relay-service enable
set dhcp-relay-ip x.x.x.x <-----your existing AP dhcp server
end

and then defining a scope on the dhcp-server for this network, build your policy for the AP, etc......

PCNSE NSE StrongSwan
Dave_Hall
Honored Contributor

This page gives a nice tutorial on how to set up option 43 on a fgt device.

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C