pre_route_auth check fail(id=0) vip loadbalancer issue only in one firewall (HA setup)
I have 2 firewalls, A & B, in High Availability active-passive. On firewall A, WAN1 is the internet-facing interface. On firewall B, WAN2 is the internet-facing interface. WAN1 & WAN2 are in a zone, WAN.
I have multiple public IPs and I am using one, let's say 126.96.36.199. I set multiple VIP load balancers over 2 servers, 192.168.50.1 and 192.168.50.2: 2 public ones, 188.8.131.52 (http/https), using the WAN interface, and 1 private one with IP address 192.168.55.55, used in the VPN IPsec tunnel with gateway address 184.108.40.206.
The issue is that when I am on firewall A everything works as expected; when I switch to firewall B, traffic to the load balancer stops working, and when I debugged the issue I got pre_route_auth check fail(id=0), drop.
Can someone help me?
Have a nice day.
Some configs:

# wan https load balancer
config firewall vip
    edit "HTTPS_LOAD_BALANCER_A"
        set uuid ea1eb11c-14f4-51ef-aa57-d27495e4cc85
        set type server-load-balance
        set extip 220.127.116.11
        set extintf "any"
        set server-type https
        set http-ip-header enable
        set monitor "HC_PING"
        set color 17
        set extport 443
        config realservers
            edit 1
                set ip 192.168.50.2
                set port 443
            next
            edit 2
                set ip 192.168.50.1
                set port 443
            next
        end
        set ssl-mode full
        set ssl-certificate "cert_2023"
    next
end

# vpn facing load balancer
config firewall vip
    edit "VPN_PROD_LOADBALANCER"
        set type server-load-balance
        set extip 192.168.55.55
        set extintf "any"
        set server-type https
        set color 8
        set persistence ssl-session-id
        set extport 443
        config realservers
            edit 1
                set ip 192.168.50.1
                set port 443
            next
            edit 2
                set ip 192.168.50.2
                set port 443
            next
        end
        set ssl-mode full
        set ssl-certificate "cert_2023"
    next
end

# vpn ingress firewall policy
config firewall policy
    edit 77
        set name "INGRESS CCC PROD"
        set srcintf "MY_VPN"
        set dstintf "NET-PRIVATE"
        set srcaddr "REMOTE_CCC_ADDRESS"
        set dstaddr "VPN_PROD_LOADBALANCER"
        set action accept
        set schedule "always"
        set service "HTTPS" "PING"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set nat enable
    next
end

# wan ingress firewall policy
config firewall policy
    edit 26
        set name "WEB_LOAD_BALANCER"
        set srcintf "WAN"
        set dstintf "NET-PRIVATE"
        set srcaddr "all"
        set dstaddr "HTTP_LOAD_BALANCER_A" "HTTPS_LOAD_BALANCER_A"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set fsso disable
        set nat enable
    next
end
Not sure about the layout generally. I follow, but am not sure if that is supposed to be set up this way, as HA might synchronize the routes. My first idea is that there is a routing mismatch on the second firewall, where some route might be pointing to wan1 instead of wan2. Maybe not a route but the session list.
One thing to clarify, though: do you get that error when failing over, or is this a fresh connection after you failed over?
A debug can be interesting to see where the packet is arriving and maybe leaving. This might help you find something interesting (I guess your debug is from something similar):
diag debug console timestamp enable
diag debug flow filter port 443
diag debug flow filter addr <at best your client IP address>
diag debug flow show iprope enable
diag debug enable
diag debug flow trace start 20 (=20 packets)
And then connect.
You will see some output that shows a "trace_id", which indicates the packet number. Check the first few lines of each packet: you will see the inbound interface, the FortiGate's idea of where to route the packet, and in the last lines what the decision is.
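The reply above says what to read in the debug flow output: the inbound interface at the top of each trace_id, the route lookup in the middle, and the verdict at the end. When you capture 20 packets that is a lot of lines to eyeball, so here is an added example (not from the thread, and not a Fortinet tool) that groups the lines by trace_id and prints one summary line per packet. The sample input is constructed to resemble FortiOS debug flow lines and the message wording is an approximation, not a real capture from the poster's firewalls; only the drop string it reproduces, "pre_route_auth check fail(id=0), drop", comes from the question.

```python
"""Group FortiGate `diag debug flow` output by trace_id and summarise each packet.

Added example, not code from the original thread. The line format is an
approximation of FortiOS debug flow output; SAMPLE is constructed, not captured.
"""
import re
from collections import OrderedDict

# Constructed sample: trace 1 enters on wan1 and is allowed by policy 26,
# trace 2 enters on wan2 and is dropped before routing (the error in the question).
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51234->126.96.36.199:443) from wan1. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5666 msg="allocate a new session-00001f2a"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-192.168.50.2 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Allowed by Policy-26: SNAT"
id=20085 trace_id=2 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:51235->126.96.36.199:443) from wan2. flag [S], seq 2000, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5666 msg="allocate a new session-00001f2b"
id=20085 trace_id=2 func=fw_pre_route_handler line=182 msg="pre_route_auth check fail(id=0), drop"
"""

# A timestamp prefix (from `diag debug console timestamp enable`) is tolerated by search().
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+)\b.*?\bmsg="(?P<msg>.*)"\s*$')
RECV_RE = re.compile(r'received a packet\((?P<pkt>[^)]*)\) from (?P<iface>\S+?)\.(?:\s|$)')
ROUTE_RE = re.compile(r'find a route: (?P<route>.+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')


def parse_debug_flow(text):
    """Return an OrderedDict trace_id -> summary of that packet's path.

    Each summary holds: in_iface, packet, route, verdict ('allowed', 'dropped'
    or 'unknown'), policy (when allowed), reason (when dropped) and raw msgs.
    """
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # console noise or a line without a msg= field
        tid, msg = int(m.group('tid')), m.group('msg')
        t = traces.setdefault(tid, {
            'in_iface': None, 'packet': None, 'route': None,
            'verdict': 'unknown', 'policy': None, 'reason': None, 'msgs': [],
        })
        t['msgs'].append(msg)
        r = RECV_RE.search(msg)
        if r:  # first line of a trace: inbound interface and 5-tuple
            t['in_iface'], t['packet'] = r.group('iface'), r.group('pkt')
            continue
        r = ROUTE_RE.search(msg)
        if r:  # where the FortiGate thinks the packet should go
            t['route'] = r.group('route')
            continue
        r = ALLOW_RE.search(msg)
        if r:
            t['verdict'], t['policy'] = 'allowed', int(r.group('policy'))
            continue
        # Drop verdicts end in ", drop" or start with "Denied"; keep the full msg as reason.
        if msg.rstrip().endswith('drop') or msg.startswith('Denied'):
            t['verdict'], t['reason'] = 'dropped', msg
    return traces


def summarize(text):
    """One line per trace: inbound interface, route (if reached) and the decision."""
    lines = []
    for tid, t in parse_debug_flow(text).items():
        if t['verdict'] == 'allowed':
            decision = 'ALLOWED by policy %d' % t['policy']
        elif t['verdict'] == 'dropped':
            decision = 'DROPPED: %s' % t['reason']
        else:
            decision = 'no verdict within captured lines (raise the trace packet count)'
        lines.append('trace %d: in=%s route=%s -> %s'
                     % (tid, t['in_iface'], t['route'] or '-', decision))
    return lines


if __name__ == '__main__':
    for line in summarize(SAMPLE):
        print(line)
```

Paste the real console output in place of SAMPLE (or read it from a file) and compare the summaries from firewall A and firewall B side by side: a trace that is dropped before any "find a route" line, as trace 2 is here, never reached routing at all, while a trace that shows a route via the wrong interface points at the route or session mismatch the reply suspects.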