unknown cause of traffic block

peter12181987 · ‎05-07-2013

hi, I trying to reach a VLAN from another and it show me a cause that iÂ´ve seen before. The message is " iprope_in_check() check failed, drop" the weird part is that it juts with one particulary host of the remote VLAN, with other host of the same VLAN the traffic pass without problems. The problem is not cause by policy rule because as i said befor the traffic pass with others host. Regards.

emnoc · ‎05-07-2013

How can you honesty make that claim, that it' s not a fwpolicy? Have you done any dianostic ( flow , sniffer,etc,....) That message probably has some bearing to a fwpolicy, and with regards to nat or lack of routing. You best bet would be diag debug flow , yes that' s your friend. Run it and find what fwpolicy if any that' s matching, filter on your host addr ( src or dst ) and port.

PCNSE

NSE

StrongSwan

peter12181987 · ‎05-07-2013

Hi, emnoc, iÂ´m sure that is not by a polycy rule. This is the output of the debug FG200B3911603678 # id=36871 trace_id=11 msg=" vd-root received a packet(proto=1, 172.27.252.8:45->172.27.253.22:8) from port15." id=36871 trace_id=11 msg=" allocate a new session-485e47f7" id=36871 trace_id=11 msg=" iprope_in_check() check failed, drop" id=36871 trace_id=12 msg=" vd-root received a packet(proto=1, 172.27.252.8:45->172.27.253.22:8) from port15." id=36871 trace_id=12 msg=" allocate a new session-485e486c" id=36871 trace_id=12 msg=" iprope_in_check() check failed, drop"

emnoc · ‎05-07-2013

iprope_in_check() check failed, drop

I' ll leave you with this; http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD31702&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=49035521&stateId=0%200%2049033657 I' ll bet you have a fwpolicy problem or interface allowances. fwiw: " Deny forward " are almost always fwpolicy or lack of policy, that' s not the case here but..... You need to go back and review your fwpolicies for the src/dst ip_addresses in question and any thing tied to it. If the src/dst are you interfaces ip_address, check your ip allowaccess configs for those interfaces.If not, proceed on, and match the traffic to the fwpolicy of the unit. Remember traffic hitting a interface ip_address is not controlled by fwpolicies but traffic that transverses interface(s) , must have a fwpolicy. Qs that might lead to the correction; This looks like icmp is that correct? are any of those address on a VIP ? on a firewall vlan? or if not, do you have nat enable and maybe you don' t need it enabled? It' s really that simple

PCNSE

NSE

StrongSwan

peter12181987 · ‎05-12-2013

hi, I have check my policies and there is only one that permit this traffic, no other denied it. Besides the policy is applied with destination netword, not for host. I get responds of other host with no proble,. Anyone know other possible reason that can cause this bevavior.

Omar_Hermannsson · ‎05-13-2013

Sounds like you might have VIP that uses that IP address. Even if if there is no firewall policy using the VIP, it would still cause such behavior. I would search through a config backup for any mention of that IP address or that subnet just to be sure.