Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
aneagoe
New Contributor
server loadbalancer errors - iprope_in_check() check failed on policy 0, drop

Hello everyone,


I'm trying to configure a server load balancer, but without NAT. To put it simply, the FortiGate should load balance requests against a VIP to real servers, using an IP address from the same subnet. I've created the following VIP entry, intended as a k8s master load balancer:


config firewall vip
    edit "master-kp-api"
        set uuid 7d6dc7e8-ef61-51e9-2307-552476886ad3
        set type server-load-balance
        set extip 10.10.0.4
        set extintf "any"
        set server-type tcp
        set gratuitous-arp-interval 5
        set monitor "master-kp-api"
        set ldb-method least-session
        set extport 8443
        config realservers
            edit 1
                set ip 10.10.0.81
                set port 8443
            next
            edit 2
                set ip 10.10.0.82
                set port 8443
            next
            edit 3
                set ip 10.10.0.83
                set port 8443
            next
        end
    next
end


However, I'm getting the following errors when trying to reach the VIP:

2019-10-15 09:09:12 id=20085 trace_id=123 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50134->10.10.0.4:8443) from lan. flag , seq 2756646312, ack 0, win 26880"
2019-10-15 09:09:12 id=20085 trace_id=123 func=init_ip_session_common line=5530 msg="allocate a new session-0391c273"
2019-10-15 09:09:12 id=20085 trace_id=123 func=vf_ip_route_input_common line=2590 msg="find a route: flag=80000000 gw-10.10.0.4 via root"
2019-10-15 09:09:12 id=20085 trace_id=123 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
2019-10-15 09:09:13 id=20085 trace_id=124 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50134->10.10.0.4:8443) from lan. flag , seq 2756646312, ack 0, win 26880"
2019-10-15 09:09:13 id=20085 trace_id=124 func=init_ip_session_common line=5530 msg="allocate a new session-0391c288"
2019-10-15 09:09:13 id=20085 trace_id=124 func=vf_ip_route_input_common line=2590 msg="find a route: flag=80000000 gw-10.10.0.4 via root"
2019-10-15 09:09:13 id=20085 trace_id=124 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
2019-10-15 09:09:15 id=20085 trace_id=125 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50134->10.10.0.4:8443) from lan. flag , seq 2756646312, ack 0, win 26880"
2019-10-15 09:09:15 id=20085 trace_id=125 func=init_ip_session_common line=5530 msg="allocate a new session-0391c2a6"
2019-10-15 09:09:15 id=20085 trace_id=125 func=vf_ip_route_input_common line=2590 msg="find a route: flag=80000000 gw-10.10.0.4 via root"
2019-10-15 09:09:15 id=20085 trace_id=125 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
2019-10-15 09:09:16 id=20085 trace_id=126 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50218->10.10.0.4:8443) from lan. flag , seq 1723572199, ack 0, win 26880"
2019-10-15 09:09:16 id=20085 trace_id=126 func=init_ip_session_common line=5530 msg="allocate a new session-0391c2b7"
2019-10-15 09:09:16 id=20085 trace_id=126 func=vf_ip_route_input_common line=2590 msg="find a route: flag=80000000 gw-10.10.0.4 via root"
2019-10-15 09:09:16 id=20085 trace_id=126 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"

Any suggestions?

aneagoe
New Contributor

I've been in contact with Fortinet support, who suggested looking at this KB (Hairpin NAT): https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36202

It's basically required to have an explicit policy that uses the VIP object name under dstaddr; in my case I had to add the following:

config firewall policy
    edit 0
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "master-kp-api"
        set action accept
        set status enable
        set schedule "always"
        set service "ALL"
    next
end
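As an added illustration of the point in the reply (this is not code from the thread or from Fortinet): a small Python check that parses FortiOS CLI config text and lists every VIP object that no enabled accept policy names in dstaddr, which is the gap that left traffic to the VIP above being dropped on the local-in path. The sample config is constructed from the thread's objects plus a second, uncovered VIP; the parser only records top-level tables and skips nested blocks such as realservers.

```python
import shlex
from collections import defaultdict

# Constructed sample (assumption): the thread's VIP and policy plus a second VIP
# "worker-ingress" that no policy references, so the check has something to flag.
SAMPLE_CONFIG = """config firewall vip
    edit "master-kp-api"
        set extip 10.10.0.4
        config realservers
            edit 1
                set ip 10.10.0.81
            next
        end
    next
    edit "worker-ingress"
        set extip 10.10.0.5
    next
end
config firewall policy
    edit 0
        set dstaddr "master-kp-api"
        set action accept
    next
end"""

def parse_fortios(text):
    # Returns {table: {entry: {key: [values]}}}; nested blocks (realservers) are skipped.
    tables, table, entry, depth = defaultdict(dict), None, None, 0
    for words in filter(None, map(shlex.split, text.splitlines())):
        if words[0] == "config":
            depth += 1
            if depth == 1:
                table = " ".join(words[1:])
        elif words[0] == "end":
            depth -= 1
        elif depth == 1 and words[0] == "edit":
            entry = words[1]
            tables[table][entry] = {}
        elif depth == 1 and words[0] == "set":
            tables[table][entry][words[1]] = words[2:]  # multi-value sets keep every value
    return tables

def vips_without_policy(text):
    # VIPs no enabled accept policy lists in dstaddr: traffic to them is dropped on local-in.
    cfg = parse_fortios(text)
    covered = set()
    for pol in cfg["firewall policy"].values():
        if pol.get("action") == ["accept"] and pol.get("status", ["enable"]) == ["enable"]:
            covered.update(pol.get("dstaddr", []))
    return sorted(v for v in cfg["firewall vip"] if v not in covered)
```

Running it against a full `show firewall vip` plus `show firewall policy` dump gives the same list, since the parser ignores the extra keys it does not need.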

