Cybersecurity Forum


AndrLars
New Contributor

reverse path check fail drop intervdom

Hi, I was wondering if anyone has seen anything like this.

We have a VDOM with an inter-VDOM link.

On the inside of VDOM2 we have a VLAN interface:

config system interface
    edit "I_VLAN2171"
        set vdom "VDOM2"
        set ip 10.0.54.1 255.255.255.0
        set allowaccess ping
        set snmp-index 42
        set interface "LACP_INSIDE"
        set vlanid 2171
    next
end

We have routing to that interface, apparently, since it's directly connected:

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default

S* 0.0.0.0/0 [10/0] is directly connected, VInkVDOM20
C 10.0.54.0/24 is directly connected, I_VLAN2171
C 10.10.10.0/24 is directly connected, I_VLAN4000
C 185.205.51.40/31 is directly connected, VInkVDOM20
C 185.205.51.40/32 is directly connected, VInkVDOM20

The policy to allow traffic out is super easy:

config firewall policy
    edit 3
        set uuid e7de4b72-8ef4-51e7-4882-5ac44d739ced
        set srcintf "I_VLAN2171"
        set dstintf "VInkVDOM20"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

When, in the VDOM, I set execute ping-options source 10.0.54.1 and try to ping Google DNS, I get the following debug trace:

id=20085 trace_id=101 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=6, 10.0.54.1:20518->10.0.54.2:179) from local. flag [S], seq 2912141760, ack 0, win 14600"
id=20085 trace_id=101 func=init_ip_session_common line=5047 msg="allocate a new session-001445c0"
id=20085 trace_id=102 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=6, 10.0.54.1:20518->10.0.54.2:179) from local. flag [S], seq 2912141760, ack 0, win 14600"
id=20085 trace_id=102 func=resolve_ip_tuple_fast line=4967 msg="Find an existing session, id-001445c0, original direction"
id=20085 trace_id=103 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=6, 10.0.54.1:20518->10.0.54.2:179) from local. flag [S], seq 2912141760, ack 0, win 14600"
id=20085 trace_id=103 func=resolve_ip_tuple_fast line=4967 msg="Find an existing session, id-001445c0, original direction"
id=20085 trace_id=104 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=6, 10.0.54.1:20521->10.0.54.2:179) from local. flag [S], seq 2236177507, ack 0, win 14600"
id=20085 trace_id=104 func=init_ip_session_common line=5047 msg="allocate a new session-001446cb"
id=20085 trace_id=105 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=6, 10.0.54.1:20521->10.0.54.2:179) from local. flag [S], seq 2236177507, ack 0, win 14600"
id=20085 trace_id=105 func=resolve_ip_tuple_fast line=4967 msg="Find an existing session, id-001446cb, original direction"
id=20085 trace_id=106 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=6, 10.0.54.1:20521->10.0.54.2:179) from local. flag [S], seq 2236177507, ack 0, win 14600"
id=20085 trace_id=106 func=resolve_ip_tuple_fast line=4967 msg="Find an existing session, id-001446cb, original direction"
id=20085 trace_id=107 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=1, 10.0.54.1:7936->8.8.8.8:2048) from local. type=8, code=0, id=7936, seq=0."
id=20085 trace_id=107 func=init_ip_session_common line=5047 msg="allocate a new session-001446f6"
id=20085 trace_id=108 func=print_pkt_detail line=4903 msg="vd-root received a packet(proto=1, 10.0.54.1:7936->8.8.8.8:2048) from VInkVDOM21. type=8, code=0, id=7936, seq=0."
id=20085 trace_id=108 func=init_ip_session_common line=5047 msg="allocate a new session-001446f7"
id=20085 trace_id=108 func=ip_route_input_slow line=2247 msg="reverse path check fail, drop"
id=20085 trace_id=108 func=ip_session_handle_no_dst line=5120 msg="trace"

Is this me not knowing how to configure it, or a bug?

1 REPLY
jwernberg
New Contributor

How is the routing setup in the Root vdom?

"vd-root received a packet(proto=1, 10.0.54.1:7936->8.8.8.8:2048) from VInkVDOM21. type=8, code=0, id=7936, seq=0."

Seems to indicate that the root doesn't have a route to the 10.0.54.0 network on VlinkVdom21, so RPF will drop the packet.

Regards, Johan
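The check Johan describes, replayed in code. This is an added Python example, not code from the thread or from Fortinet: it parses a FortiOS routing table in the format pasted above, runs a reverse-path check for a packet's source address against the interface the packet arrived on, and picks the "reverse path check fail, drop" entry out of a debug flow trace by trace_id. The VDOM2 table and the trace_id 107/108 lines are copied from the post; the root VDOM table is constructed (the thread never shows it) with a default route out a hypothetical wan1 and, as Johan suspects, no route back to 10.0.54.0/24. The loose/strict distinction follows FortiOS's per-VDOM strict-src-check setting, which the thread does not discuss, and the rendered config router static stanza is the fix the reply implies, with the /24 taken from the I_VLAN2171 mask and the device name from the trace.

```python
"""RPF diagnosis for FortiOS debug flow traces (added example, not Fortinet code)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Route lines of 'get router info routing-table all'; the legend lines do not match.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+).*?,\s*(?P<iface>\S+)$"
)
# Packet-detail line of a 'diagnose debug flow' entry: VDOM, src, dst, ingress interface.
PKT_RE = re.compile(
    r"vd-(?P<vd>\S+) received a packet\(proto=\d+, (?P<src>\d+(?:\.\d+){3}):\d+->"
    r"(?P<dst>\d+(?:\.\d+){3}):\d+\) from (?P<ingress>[^. ]+)"
)

# VDOM2 routing table, copied from the post (legend shortened).
VDOM2_TABLE = """\
get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
S* 0.0.0.0/0 [10/0] is directly connected, VInkVDOM20
C 10.0.54.0/24 is directly connected, I_VLAN2171
C 10.10.10.0/24 is directly connected, I_VLAN4000
C 185.205.51.40/31 is directly connected, VInkVDOM20
C 185.205.51.40/32 is directly connected, VInkVDOM20
"""
# Root VDOM table: CONSTRUCTED (not shown in the thread). Default route out a
# hypothetical wan1, the root side of the inter-VDOM link, no route to 10.0.54.0/24.
ROOT_TABLE = """\
S* 0.0.0.0/0 [10/0] via 203.0.113.1, wan1
C 185.205.51.40/31 is directly connected, VInkVDOM21
C 185.205.51.41/32 is directly connected, VInkVDOM21
"""
ROOT_TABLE_FIXED = ROOT_TABLE + "S 10.0.54.0/24 [10/0] is directly connected, VInkVDOM21\n"

# Debug flow lines copied from the post (trace_id 107 in VDOM2, 108 in root).
SAMPLE_TRACE = """\
id=20085 trace_id=107 func=print_pkt_detail line=4903 msg="vd-VDOM2 received a packet(proto=1, 10.0.54.1:7936->8.8.8.8:2048) from local. type=8, code=0, id=7936, seq=0."
id=20085 trace_id=108 func=print_pkt_detail line=4903 msg="vd-root received a packet(proto=1, 10.0.54.1:7936->8.8.8.8:2048) from VInkVDOM21. type=8, code=0, id=7936, seq=0."
id=20085 trace_id=108 func=ip_route_input_slow line=2247 msg="reverse path check fail, drop"
id=20085 trace_id=108 func=ip_session_handle_no_dst line=5120 msg="trace"
"""


def parse_routes(table: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    routes = []
    for line in table.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m["prefix"], strict=False), m["iface"]))
    return routes


def rpf_check(routes, src_ip: str, ingress: str, strict: bool = False) -> Tuple[bool, str]:
    """Loose mode (FortiOS default): some route to the source must go out the ingress
    interface. Strict mode (strict-src-check enable): the best (longest) route must."""
    addr = ipaddress.ip_address(src_ip)
    matching = [r for r in routes if addr in r[0]]
    if not matching:
        return False, f"no route to {src_ip}"
    if strict:
        net, iface = max(matching, key=lambda r: r[0].prefixlen)
        return iface == ingress, f"best route {net} via {iface}, packet arrived on {ingress}"
    via_ingress = [net for net, iface in matching if iface == ingress]
    if via_ingress:
        return True, f"route {via_ingress[0]} via {ingress}"
    return False, f"routes to {src_ip} exist but none via {ingress}"


def find_rpf_drops(trace: str) -> List[Dict[str, str]]:
    """Group debug-flow lines by trace_id; return the entries that hit the RPF drop."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in trace.splitlines():
        tid = re.search(r"trace_id=(\d+)", line)
        if not tid:
            continue
        entry = entries.setdefault(tid.group(1), {"trace_id": tid.group(1)})
        pkt = PKT_RE.search(line)
        if pkt:
            entry.update(pkt.groupdict())
        if "reverse path check fail" in line:
            entry["dropped"] = "rpf"
    return [e for e in entries.values() if e.get("dropped") == "rpf"]


def suggest_static_route(drop: Dict[str, str], prefixlen: int = 24) -> str:
    """Render the static route that would satisfy the check (assumed FortiOS syntax;
    the /24 comes from the I_VLAN2171 mask and a gateway may be needed on real links)."""
    net = ipaddress.ip_network(f"{drop['src']}/{prefixlen}", strict=False)
    iface = drop["ingress"]
    return (
        "config router static\n    edit 0\n"
        f"        set dst {net.network_address} {net.netmask}\n"
        f'        set device "{iface}"\n'
        "    next\nend"
    )


if __name__ == "__main__":
    for d in find_rpf_drops(SAMPLE_TRACE):
        print(d["trace_id"], d["vd"], rpf_check(parse_routes(ROOT_TABLE), d["src"], d["ingress"]))
        print(suggest_static_route(d))
```

Running it against ROOT_TABLE reproduces the drop seen at trace_id 108 (the only route covering 10.0.54.1 is the default via wan1, not VInkVDOM21); against ROOT_TABLE_FIXED the same packet passes in both loose and strict mode, which is the quickest way to confirm a missing return route before touching the box.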