- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- ONE DNAT NOT WORKING , ALTHOUGHT OTHER DNAT IS WOR...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ONE DNAT NOT WORKING , ALTHOUGHT OTHER DNAT IS WORKING ON FORTIGATE
- ONE DEFAULT ROUTE FOR INTERNET WORKING ...
- 2 POLICY BASED ROUTES FOR EACH VM , ONE FOR FORWARD ONR FOR BACKWARD ...
- 1 POLICY FOR LAN TO WAN FOR INTERNET
- 2 POLICIES FOR EACH VM , ONE FOR FORWARD AND SECOND FOR BACKWARD
- VIP IS USED FOR EACH VM
- ONE SERVER IS SIP SERVER , WHICH IS WORKING FINE , INGOING AND OUTGOING
- ONE SERVER IS WEB SERVER , WHICH IS NOT ACCESSIBLE VIA VIP
WHAT COULD BE THE REASONS ? I CAN GIVE MORE DETAIL IF ASK
Labels:
- Labels:
-
FortiGate
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @faizneer,
We need to run debug flow to see how the traffic flow. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
Below is an example of debug flow filter:
di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr 172.16.102.20 <<< Source IP address
di deb flow filter port 23 <<< Port number if applicable. If not, remove this line.
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable
Regards,
Created on 11-30-2023 08:15 AM Edited on 11-30-2023 08:16 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In addition to the debug log above @hbac asked, please share the non-working VIP config in CLI under "config firewall vip". My guess is VIP itself is working to reach the VM but the returning traffic has different source IP or something like that.
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @hbac HERE IS A DEBUG FLOW
| ######## | vd-root:0 received a packet(proto=6, 154.198.114.234:39623->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 3452781678, ack 0, win 64240 | |||||||||||||||
| ######## | allocate a new session-001f1695, tun_id=0.0.0.0 | |||||||||||||||
| ######## | in-[SOLUTIONS-2068], out-[] | |||||||||||||||
| ######## | len=1 | |||||||||||||||
| ######## | checking gnum-100000 policy-3 | |||||||||||||||
| ######## | find DNAT: IP-192.168.160.34, port-0(fixed port) | |||||||||||||||
| ######## | matched policy-3, act=accept, vip=3, flag=104, sflag=2000000 | |||||||||||||||
| ######## | result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104 | |||||||||||||||
| ######## | VIP-192.168.160.34:443, outdev-SOLUTIONS-2068 | |||||||||||||||
| ######## | DNAT 116.0.59.170:443->192.168.160.34:443 | |||||||||||||||
| ######## | Match policy routing id=9: to 192.168.160.34 via ifindex-44 | |||||||||||||||
| ######## | reverse path check fail, drop | |||||||||||||||
| ######## | trace | |||||||||||||||
| 158 | ||||||||||||||||
| ######## | vd-root:0 received a packet(proto=6, 154.198.114.234:39639->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1712411968, ack 0, win 64240 | |||||||||||||||
| ######## | allocate a new session-001f1696, tun_id=0.0.0.0 | |||||||||||||||
| ######## | in-[SOLUTIONS-2068], out-[] | |||||||||||||||
| ######## | len=1 | |||||||||||||||
| ######## | checking gnum-100000 policy-3 | |||||||||||||||
| ######## | find DNAT: IP-192.168.160.34, port-0(fixed port) | |||||||||||||||
| ######## | matched policy-3, act=accept, vip=3, flag=104, sflag=2000000 | |||||||||||||||
| ######## | result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104 | |||||||||||||||
| ######## | VIP-192.168.160.34:443, outdev-SOLUTIONS-2068 | |||||||||||||||
| ######## | DNAT 116.0.59.170:443->192.168.160.34:443 | |||||||||||||||
| ######## | Match policy routing id=9: to 192.168.160.34 via ifindex-44 | |||||||||||||||
| ######## | reverse path check fail, drop | |||||||||||||||
| ######## | trace | |||||||||||||||
| 159 | ||||||||||||||||
| ######## | vd-root:0 received a packet(proto=6, 154.198.114.234:39640->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1052054648, ack 0, win 64240 | |||||||||||||||
| ######## | allocate a new session-001f1698, tun_id=0.0.0.0 | |||||||||||||||
| ######## | in-[SOLUTIONS-2068], out-[] | |||||||||||||||
| ######## | len=1 | |||||||||||||||
| ######## | checking gnum-100000 policy-3 | |||||||||||||||
| ######## | find DNAT: IP-192.168.160.34, port-0(fixed port) | |||||||||||||||
| ######## | matched policy-3, act=accept, vip=3, flag=104, sflag=2000000 | |||||||||||||||
| ######## | result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104 | |||||||||||||||
| ######## | VIP-192.168.160.34:443, outdev-SOLUTIONS-2068 | |||||||||||||||
| ######## | DNAT 116.0.59.170:443->192.168.160.34:443 | |||||||||||||||
| ######## | Match policy routing id=9: to 192.168.160.34 via ifindex-44 | |||||||||||||||
| ######## | reverse path check fail, drop | |||||||||||||||
| ######## | trace | |||||||||||||||
| 160 | ||||||||||||||||
| ######## | vd-root:0 received a packet(proto=6, 154.198.114.234:39623->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 3452781678, ack 0, win 64240 | |||||||||||||||
| ######## | allocate a new session-001f1699, tun_id=0.0.0.0 | |||||||||||||||
| ######## | in-[SOLUTIONS-2068], out-[] | |||||||||||||||
| ######## | len=1 | |||||||||||||||
| ######## | checking gnum-100000 policy-3 | |||||||||||||||
| ######## | find DNAT: IP-192.168.160.34, port-0(fixed port) | |||||||||||||||
| ######## | matched policy-3, act=accept, vip=3, flag=104, sflag=2000000 | |||||||||||||||
| ######## | result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104 | |||||||||||||||
| ######## | VIP-192.168.160.34:443, outdev-SOLUTIONS-2068 | |||||||||||||||
| ######## | DNAT 116.0.59.170:443->192.168.160.34:443 | |||||||||||||||
| ######## | Match policy routing id=9: to 192.168.160.34 via ifindex-44 | |||||||||||||||
| ######## | reverse path check fail, drop | |||||||||||||||
| ######## | trace | |||||||||||||||
| 161 | ||||||||||||||||
| ######## | vd-root:0 received a packet(proto=6, 154.198.114.234:39639->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1712411968, ack 0, win 64240 | |||||||||||||||
| ######## | allocate a new session-001f169a, tun_id=0.0.0.0 | |||||||||||||||
| ######## | in-[SOLUTIONS-2068], out-[] | |||||||||||||||
| ######## | len=1 | |||||||||||||||
| ######## | checking gnum-100000 policy-3 | |||||||||||||||
| ######## | find DNAT: IP-192.168.160.34, port-0(fixed port) | |||||||||||||||
| ######## | matched policy-3, act=accept, vip=3, flag=104, sflag=2000000 | |||||||||||||||
| ######## | result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104 | |||||||||||||||
| ######## | VIP-192.168.160.34:443, outdev-SOLUTIONS-2068 | |||||||||||||||
| ######## | DNAT 116.0.59.170:443->192.168.160.34:443 | |||||||||||||||
| ######## | Match policy routing id=9: to 192.168.160.34 via ifindex-44 | |||||||||||||||
| ######## | reverse path check fail, drop | |||||||||||||||
| ######## | trace |
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @hbac here is a debug flow
157
11/29/2023 17:18 vd-root:0 received a packet(proto=6, 154.198.114.234:39623->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 3452781678, ack 0, win 64240
11/29/2023 17:18 allocate a new session-001f1695, tun_id=0.0.0.0
11/29/2023 17:18 in-[SOLUTIONS-2068], out-[]
11/29/2023 17:18 len=1
11/29/2023 17:18 checking gnum-100000 policy-3
11/29/2023 17:18 find DNAT: IP-192.168.160.34, port-0(fixed port)
11/29/2023 17:18 matched policy-3, act=accept, vip=3, flag=104, sflag=2000000
11/29/2023 17:18 result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104
11/29/2023 17:18 VIP-192.168.160.34:443, outdev-SOLUTIONS-2068
11/29/2023 17:18 DNAT 116.0.59.170:443->192.168.160.34:443
11/29/2023 17:18 Match policy routing id=9: to 192.168.160.34 via ifindex-44
11/29/2023 17:18 reverse path check fail, drop
11/29/2023 17:18 trace
158
11/29/2023 17:18 vd-root:0 received a packet(proto=6, 154.198.114.234:39639->116.0.59.170:443) tun_id=0.0.0.0 from SOLUTIONS-2068. flag [S], seq 1712411968, ack 0, win 64240
11/29/2023 17:18 allocate a new session-001f1696, tun_id=0.0.0.0
11/29/2023 17:18 in-[SOLUTIONS-2068], out-[]
11/29/2023 17:18 len=1
11/29/2023 17:18 checking gnum-100000 policy-3
11/29/2023 17:18 find DNAT: IP-192.168.160.34, port-0(fixed port)
11/29/2023 17:18 matched policy-3, act=accept, vip=3, flag=104, sflag=2000000
11/29/2023 17:18 result: skb_flags-02000000, vid-3, ret-matched, act-accept, flag-00000104
11/29/2023 17:18 VIP-192.168.160.34:443, outdev-SOLUTIONS-2068
11/29/2023 17:18 DNAT 116.0.59.170:443->192.168.160.34:443
11/29/2023 17:18 Match policy routing id=9: to 192.168.160.34 via ifindex-44
11/29/2023 17:18 reverse path check fail, drop
11/29/2023 17:18 trace
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This web access is coming to 116.0.59.170, which is not in those three vlan interfaces you listed toward the router. Your policy route for the 192.168.160.34 server is likely routing toward one of those three interfaces, and that's why it ends up with "reverse path check fail, drop".
Toshi
Created on 11-30-2023 11:22 AM Edited on 11-30-2023 11:22 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or, maybe this IP 116.0.59.170 is routed through one of those three vlans to reach the FGT, then your policy route for the 192.168.160.34 server's internet is pointing to a different vlan interface. Then the "reverse path" is different and dropped.
This is more likely the case.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @Toshi_Esumi Previously i disabled voip inspection on fortigate
to allow voice traffic smoothly , is there any relation b/w to reach web server through dnat ?? means this not causing the issue ??
commands used to disable inspection mentioned below:
config system settings
set sip-nat-trace disable
set default-voip-alg-mode kernel-helper-based
end
config voip profile
edit default
config sip
set rtp disable
end
end
config system session-helper
delete 12
Thanks ,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shouldn't be. Web access generally don't use SIP port (5060 by default).
Toshi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Traffic is coming from 154.198.114.234 via SOLUTIONS-2068 interface and got dropped due to reverse path check fail, drop. That means you don't have a route back to 154.198.114.234 via SOLUTIONS-2068.
Please check your route by running 'get router info routing-table detail 154.198.114.234'.
Regards,
Related Posts
- Help.. Fortigate setup in GCloud not... 105 Views
- Lost admin password fortigate 81F 106 Views
- IPSEC VPN stopped working under Windows... 169 Views
- Fortigate: Captive Portal not working on... 178 Views
- How to route ougoing FG traffic... 132 Views
Labels
-
FortiGate
6,815 -
FortiClient
1,352 -
5.2
801 -
5.4
639 -
FortiManager
585 -
FortiAnalyzer
431 -
6.0
416 -
5.6
362 -
FortiAP
352 -
FortiSwitch
348 -
FortiClient EMS
276 -
FortiMail
266 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
164 -
6.4
128 -
FortiNAC
114 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
90 -
IPsec
90 -
FortiCloud Products
85 -
FortiToken
74 -
SSL-VPN
73 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
37 -
FortiDNS
35 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
24 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
LDAP
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.