Hi,
Can someone help me with this? My server reaches the gateway, but the traceroute result is not showing any hops. The policy is open to all.
Note: the server (10.3.131.150) is directly connected to the FW, whose interface IP is 10.3.131.1.
PS C:\Users\Administrator> ping 10.2.203.10
Pinging 10.2.203.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.2.203.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PS C:\Users\Administrator> tracert 10.2.203.10
Tracing route to 10.2.203.10 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
----firewall---
fwmalaz # execute ping-options source 10.3.131.1
fwmalaz # execute ping 10.2.203.10
PING 10.2.203.10 (10.2.203.10): 56 data bytes
64 bytes from 10.2.203.10: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.2.203.10: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 10.2.203.10: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 10.2.203.10: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 10.2.203.10: icmp_seq=4 ttl=255 time=0.1 ms
--- 10.2.203.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms
Hello hbuenafe81,
Please run a sniffer on your FW to see whether the traffic is received on the FW, and on the correct interface:
# diagnose sniffer packet any "host 10.3.131.150 and icmp" 4
You can check the routing table on your server to see whether the traffic is going to the correct next hop (this applies if your server has more than one network card/interface).
To check the routing table on your server:
netstat -rn
Best regards,
Fortinet
Created on 10-31-2023 06:01 AM Edited on 10-31-2023 06:02 AM
Hi syordanov,
As per the result below, yes, the firewall receives the request, but no response goes back to the server. The weird thing is that the firewall gateway is able to reach 10.2.203.10 without any problem.
--server--
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.3.131.1    10.3.131.150      2
      10.2.203.10  255.255.255.255       10.3.131.1    10.3.131.150      2
       10.3.131.0    255.255.255.0         On-link     10.3.131.150    257
     10.3.131.150  255.255.255.255         On-link     10.3.131.150    257
     10.3.131.255  255.255.255.255         On-link     10.3.131.150    257
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.3.131.150    257
  255.255.255.255  255.255.255.255         On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     10.3.131.150    257
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.3.131.1       1
---firewall---
fwmalaz # diagnose sniffer packet any "host 10.3.131.150 and icmp" 4
interfaces=[any]
filters=[host 10.3.131.150 and icmp]
12.018473 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
16.676443 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
21.676647 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
26.679357 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
39.859271 port4 in 10.3.131.150 -> 10.2.202.10: icmp: echo request
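The two checks asked for in the reply above (which route the server really selects for 10.2.203.10, and whether the FortiGate sniffer saw a reply for each echo request) can be done programmatically. The following is an added example, not code from the thread or from Fortinet: it implements longest-prefix-match lookup over a Windows `route print`-style table and pairs ICMP echo requests with replies in `diagnose sniffer packet` verbosity-4 output. The route table is abridged from the poster's output; the sniffer sample adds one made-up flow (to 10.3.131.1) that did get a reply, to show the pairing.

```python
"""Re-check the server's route selection and the sniffer's request/reply
pairing.  Added example; not code from the thread or from Fortinet."""
import ipaddress
import re
from collections import defaultdict
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str        # next-hop IP, or "On-link" when directly connected
    interface: str      # address of the local interface the packet leaves on
    metric: int


# Constructed sample: abridged 'Active Routes' section of the server's table.
SAMPLE_ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.3.131.1    10.3.131.150      2
      10.2.203.10  255.255.255.255       10.3.131.1    10.3.131.150      2
       10.3.131.0    255.255.255.0         On-link     10.3.131.150    257
     10.3.131.150  255.255.255.255         On-link     10.3.131.150    257
     10.3.131.255  255.255.255.255         On-link     10.3.131.150    257
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     10.3.131.150    257
  255.255.255.255  255.255.255.255         On-link     10.3.131.150    257
"""

# Constructed sample in the format of 'diagnose sniffer packet any "..." 4':
# the requests from the post plus one made-up flow that did get a reply.
SAMPLE_SNIFFER = """\
12.018473 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
16.676443 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
21.676647 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
30.100000 port4 in 10.3.131.150 -> 10.3.131.1: icmp: echo request
30.100200 port4 out 10.3.131.1 -> 10.3.131.150: icmp: echo reply
"""


def parse_route_table(text: str) -> list[Route]:
    """Parse rows of 'destination netmask gateway interface metric'."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # header, rule lines, blanks
        dest, mask, gw, iface, metric = parts
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue                      # not a route row
        routes.append(Route(net, gw, iface, int(metric)))
    return routes


def lookup(routes: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; ties broken by the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(routes: list[Route], dst: str) -> Optional[str]:
    """Return the IP the frame is addressed to (the ARP target) for dst."""
    r = lookup(routes, dst)
    if r is None:
        return None
    return dst if r.gateway == "On-link" else r.gateway


SNIFF_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<iface>\S+) (?P<dir>in|out) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)$"
)


def echo_pairs(text: str) -> dict:
    """Count echo requests and replies per (requester, target) flow."""
    flows = defaultdict(lambda: {"request": 0, "reply": 0})
    for line in text.splitlines():
        m = SNIFF_RE.match(line.strip())
        if not m:
            continue
        # A reply is keyed on the flow it answers, i.e. with swapped addresses.
        key = (m["src"], m["dst"]) if m["kind"] == "request" else (m["dst"], m["src"])
        flows[key][m["kind"]] += 1
    return dict(flows)


def unanswered(text: str) -> list:
    """Flows where requests were seen but no reply at all crossed the box."""
    return sorted(k for k, c in echo_pairs(text).items() if c["reply"] == 0)


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_ROUTE_TABLE)
    r = lookup(table, "10.2.203.10")
    print(f"10.2.203.10 -> {r.network} via {next_hop(table, '10.2.203.10')} on {r.interface}")
    print("unanswered flows:", unanswered(SAMPLE_SNIFFER))
```

For the poster's table the /32 host route wins over the default route and both point at 10.3.131.1 on 10.3.131.150, so the server side of the path is consistent with what the sniffer shows arriving on port4; the pairing function then makes the "requests in, no replies out" observation explicit for the 10.2.203.10 flow.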
Hello,
Please run debug flow to see why the traffic is not forwarded to the correct interface:
diagnose debug reset
diagnose debug flow filter saddr 10.3.131.150
diagnose debug flow filter daddr 10.2.203.10
diag debug flow show function-name enable
diag debug flow show iprope enable
diagnose debug console timestamp enable
diagnose debug flow trace start 9999
diagnose debug enable
Best regards,
Fortinet
Hi,
This is what I got. In regards to the policy, I allowed source 10.3.131.150 - dst = all.
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check line=2291 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000"
2023-10-31 16:28:20 id=20085 trace_id=8 func=iprope_policy_group_check line=4753 msg="after check: ret-matched, act-drop, flag-00000000, flag2-00000000"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check line=2272 msg="gnum-10000f, check-3f028b24"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check line=2291 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-10-31 16:28:20 id=20085 trace_id=8 func=iprope_policy_group_check line=4753 msg="after check: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-10-31 16:28:20 id=20085 trace_id=8 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
7.238025 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check line=2291 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-10-31 16:23:29 id=20085 trace_id=1 func=iprope_policy_group_check line=4753 msg="after check: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-10-31 16:23:29 id=20085 trace_id=1 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
11.639245 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
2023-10-31 16:23:34 id=20085 trace_id=2 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.3.131.150:1->10.2.203.10:2048) tun_id=0.0.0.0 from port4. type=8, code=0, id=1, seq=868."
2023-10-31 16:23:34 id=20085 trace_id=2 func=init_ip_session_common line=6043 msg="allocate a new session-000a70b2, tun_id=0.0.0.0"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_dnat_check line=5337 msg="in-[port4], out-[]"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_dnat_tree_check line=827 msg="len=0"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_dnat_check line=5350 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
2023-10-31 16:23:34 id=20085 trace_id=2 func=vf_ip_route_input_common line=2612 msg="find a route: flag=80000000 gw-10.2.203.10 via root"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_access_proxy_check line=439 msg="in-[port4], out-[], skb_flags-02000000, vid-0"
2023-10-31 16:23:34 id=20085 trace_id=2 func=__iprope_check line=2272 msg="gnum-100017, check-3f028b24"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_policy_group_check line=4753 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_in_check line=472 msg="in-[port4], out-[], skb_flags-02000000, vid-0"
2023-10-31 16:23:34 id=20085 trace_id=2 func=__iprope_check line=2272 msg="gnum-100011, check-3f029d2c"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_policy_group_check line=4753 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
2023-10-31 16:23:34 id=20085 trace_id=2 func=__iprope_check line=2272 msg="gnum-100001, check-3f028b24"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_policy_group_check line=4753 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
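Debug flow output of the kind produced by the `diagnose debug flow` commands in the earlier reply is easier to read once it is grouped per trace_id and reduced to the facts that matter: the packet that entered, the ingress interface, the route that was found, the policy groups (gnum) consulted, and which function issued the final drop. The following parser is an added example, not code from the thread or from Fortinet; the field names and message formats are taken from the output posted above, and the sample is abridged from it (in that output the only explicit final drop comes from `fw_local_in_handler`, which the parser surfaces as `verdict_func`).

```python
"""Summarise FortiGate 'diagnose debug flow' output per trace_id.
Added example; not code from the thread or from Fortinet."""
import re
from collections import defaultdict

# Constructed sample, abridged from the trace output posted in this thread.
SAMPLE_DEBUG_FLOW = """\
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check line=2291 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-10-31 16:23:29 id=20085 trace_id=1 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
2023-10-31 16:23:34 id=20085 trace_id=2 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.3.131.150:1->10.2.203.10:2048) tun_id=0.0.0.0 from port4. type=8, code=0, id=1, seq=868."
2023-10-31 16:23:34 id=20085 trace_id=2 func=init_ip_session_common line=6043 msg="allocate a new session-000a70b2, tun_id=0.0.0.0"
2023-10-31 16:23:34 id=20085 trace_id=2 func=vf_ip_route_input_common line=2612 msg="find a route: flag=80000000 gw-10.2.203.10 via root"
2023-10-31 16:23:34 id=20085 trace_id=2 func=__iprope_check line=2272 msg="gnum-100011, check-3f029d2c"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_policy_group_check line=4753 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)'
    r'->(?P<dst>[\d.]+):(?P<dport>\d+)\).*? from (?P<iface>\S+)\.'
)
ROUTE_RE = re.compile(r'find a route: flag=(?P<flag>[0-9a-f]+) gw-(?P<gw>[\d.]+) via (?P<via>\S+)')
GNUM_RE = re.compile(r'gnum-(?P<gnum>[0-9a-f]+)')


def parse_debug_flow(text: str) -> dict:
    """Group parsed lines by trace_id; sniffer lines mixed into the output are ignored."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            traces[int(m["trace"])].append(m.groupdict())
    return dict(traces)


def summarise_trace(entries: list) -> dict:
    s = {"packet": None, "ingress": None, "session": None, "route": None,
         "groups": [], "verdict": None, "verdict_func": None}
    for e in entries:
        msg = e["msg"]
        if (m := PKT_RE.search(msg)):
            s["packet"] = f"{m['src']}:{m['sport']}->{m['dst']}:{m['dport']} proto={m['proto']}"
            s["ingress"] = m["iface"]
        elif (m := ROUTE_RE.search(msg)):
            s["route"] = f"gw {m['gw']} via {m['via']} flag={m['flag']}"
        elif msg.startswith("allocate a new session-"):
            s["session"] = msg.split("session-", 1)[1].split(",", 1)[0]
        if (m := GNUM_RE.search(msg)) and m["gnum"] not in s["groups"]:
            s["groups"].append(m["gnum"])
        # Per-policy 'act-drop' results are intermediate; only a message that
        # ends in ', drop' is a handler's final decision for the packet.
        if msg.endswith(", drop"):
            s["verdict"] = "drop"
            s["verdict_func"] = e["func"]
    return s


def summarise(text: str) -> dict:
    return {tid: summarise_trace(lines) for tid, lines in parse_debug_flow(text).items()}


if __name__ == "__main__":
    for tid, s in sorted(summarise(SAMPLE_DEBUG_FLOW).items()):
        print(f"trace {tid}: {s}")
```

A trace whose `verdict` stays `None` (trace 2 in the sample, which is cut off in the post exactly as it is here) has not reached a final handler decision in the captured lines, so the capture needs to run longer or the filter needs to be narrowed before anything can be concluded from it.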
Hello,
Check the routing on your FW for the source and destination:
# get router info routing-table details 10.3.131.150
# get router info routing-table details 10.2.203.10
Best regards,
Fortinet
Hi Syordanov,
I think you are right; here the route is not going to port 1, instead it goes to port 3, wan1 & wan2 as shown below. I removed the IPs in this post for security purposes.
Note: I have a static route for 10.2.203.10 pointing to port 1. Any idea how I can force this to route to 10.2.203.10, please?
fwmalaz # get router info routing-table details 10.3.131.150
Routing table for VRF=0
Routing entry for 10.3.131.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port4
fwmalaz # get router info routing-table details 10.2.203.10
Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 3, metric 0
*******, via port3
Routing entry for 0.0.0.0/0
Known via "static", distance 4, metric 0
********, via wan2
Routing entry for 0.0.0.0/0
Known via "static", distance 2, metric 0, best
* ******, via wan1
fwmalaz # get router info routing-table details 10.2.203.10
Routing table for VRF=0
Routing entry for 10.2.203.10/32
Known via "static", distance 1, metric 0, best
* 10.50.1.1, via port1
Hello,
According to the provided output, you have one static route for 10.2.203.10/32 via port1; in this case, please check the FW rules between port4 and port1.
Best regards,
Fortinet