Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
peter12181987
New Contributor

unknown cause of traffic block

hi, I trying to reach a VLAN from another and it show me a cause that i´ve seen before. The message is " iprope_in_check() check failed, drop" the weird part is that it juts with one particulary host of the remote VLAN, with other host of the same VLAN the traffic pass without problems. The problem is not cause by policy rule because as i said befor the traffic pass with others host. Regards.
5 REPLIES 5
emnoc
Esteemed Contributor III

How can you honesty make that claim, that it' s not a fwpolicy? Have you done any dianostic ( flow , sniffer,etc,....) That message probably has some bearing to a fwpolicy, and with regards to nat or lack of routing. You best bet would be diag debug flow , yes that' s your friend. Run it and find what fwpolicy if any that' s matching, filter on your host addr ( src or dst ) and port.

PCNSE 

NSE 

StrongSwan  

peter12181987

Hi, emnoc, i´m sure that is not by a polycy rule. This is the output of the debug FG200B3911603678 # id=36871 trace_id=11 msg=" vd-root received a packet(proto=1, 172.27.252.8:45->172.27.253.22:8) from port15." id=36871 trace_id=11 msg=" allocate a new session-485e47f7" id=36871 trace_id=11 msg=" iprope_in_check() check failed, drop" id=36871 trace_id=12 msg=" vd-root received a packet(proto=1, 172.27.252.8:45->172.27.253.22:8) from port15." id=36871 trace_id=12 msg=" allocate a new session-485e486c" id=36871 trace_id=12 msg=" iprope_in_check() check failed, drop"
emnoc
Esteemed Contributor III

iprope_in_check() check failed, drop
I' ll leave you with this; http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31702&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=49035521&stateId=0%200%2049033657 I' ll bet you have a fwpolicy problem or interface allowances. fwiw: " Deny forward " are almost always fwpolicy or lack of policy, that' s not the case here but..... You need to go back and review your fwpolicies for the src/dst ip_addresses in question and any thing tied to it. If the src/dst are you interfaces ip_address, check your ip allowaccess configs for those interfaces.If not, proceed on, and match the traffic to the fwpolicy of the unit. Remember traffic hitting a interface ip_address is not controlled by fwpolicies but traffic that transverses interface(s) , must have a fwpolicy. Qs that might lead to the correction; This looks like icmp is that correct? are any of those address on a VIP ? on a firewall vlan? or if not, do you have nat enable and maybe you don' t need it enabled? It' s really that simple

PCNSE 

NSE 

StrongSwan  

peter12181987

hi, I have check my policies and there is only one that permit this traffic, no other denied it. Besides the policy is applied with destination netword, not for host. I get responds of other host with no proble,. Anyone know other possible reason that can cause this bevavior.
Omar_Hermannsson
New Contributor

Sounds like you might have VIP that uses that IP address. Even if if there is no firewall policy using the VIP, it would still cause such behavior. I would search through a config backup for any mention of that IP address or that subnet just to be sure.