no hop recieve

hbuenafe81 · ‎10-31-2023

Hi,

Can someone help me on this? my server reach gw, traceroute result not showing any hops.. Policy is open to all

note: Server (10.3.131.150) is directly connected to FW with int ip 10.3.131.1

PS C:\Users\Administrator> ping 10.2.203.10

Pinging 10.2.203.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.2.203.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PS C:\Users\Administrator> tracert 10.2.203.10

Tracing route to 10.2.203.10 over a maximum of 30 hops

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.

----firewall---

fwmalaz # execute ping-options source 10.3.131.1

fwmalaz # execute ping 10.2.203.10
PING 10.2.203.10 (10.2.203.10): 56 data bytes
64 bytes from 10.2.203.10: icmp_seq=0 ttl=255 time=0.3 ms
64 bytes from 10.2.203.10: icmp_seq=1 ttl=255 time=0.1 ms
64 bytes from 10.2.203.10: icmp_seq=2 ttl=255 time=0.1 ms
64 bytes from 10.2.203.10: icmp_seq=3 ttl=255 time=0.1 ms
64 bytes from 10.2.203.10: icmp_seq=4 ttl=255 time=0.1 ms

--- 10.2.203.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.3 ms

TBogs

syordanov · ‎10-31-2023

Hello hbuenafe81,

Please run a sniffer on your FW to see if the traffic is received on FW or on the correct interface :

# diagnose sniffer packet any "host 10.3.131.150 and icmp" 4

You can check the routing table on your server is the traffic is going to the correct next hop (this is applicable if your server has more than 1 network cards/interfaces).

To check the routing table on your server :

netstat -rn

Best regards,

Fortinet

.

hbuenafe81 · ‎10-31-2023

Hi syordanov,

as per result below, yes the firewall receive the request. but no respond going back to server. the weird thing is that the firewall gateway is able to reach the 10.2.203.10 without problem.

--server--
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.3.131.1 10.3.131.150 2
10.2.203.10 255.255.255.255 10.3.131.1 10.3.131.150 2
10.3.131.0 255.255.255.0 On-link 10.3.131.150 257
10.3.131.150 255.255.255.255 On-link 10.3.131.150 257
10.3.131.255 255.255.255.255 On-link 10.3.131.150 257
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.3.131.150 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.3.131.150 257
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.3.131.1 1

---firewall---
fwmalaz # diagnose sniffer packet any "host 10.3.131.150 and icmp" 4
interfaces=[any]
filters=[host 10.3.131.150 and icmp]
12.018473 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
16.676443 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
21.676647 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
26.679357 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
39.859271 port4 in 10.3.131.150 -> 10.2.202.10: icmp: echo request

TBogs

syordanov · ‎10-31-2023

Hello,

Please run debug flow to see why the traffic is not forwarded to the correct interface L

diagnose debug reset

diagnose debug flow filter saddr 10.3.131.150

diagnose debug flow filter daddr 10.2.203.10

diag debug flow show function-name enable

diag debug flow show iprope enable

diagnose debug console timestamp enable

diagnose debug flow trace start 9999

diagnose debug enable

Best regards,

Fortinet

.

hbuenafe81 · ‎10-31-2023

Hi,

this is what i got, in regards to policy i allowed the source 10.3.131.150 - dst = all

2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000e policy-4294967295, ret-matched, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check line=2291 msg="gnum-10000e check result: ret-matched, act-drop, flag-00000000, flag2-00000000"
2023-10-31 16:28:20 id=20085 trace_id=8 func=iprope_policy_group_check line=4753 msg="after check: ret-matched, act-drop, flag-00000000, flag2-00000000"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check line=2272 msg="gnum-10000f, check-3f028b24"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
2023-10-31 16:28:20 id=20085 trace_id=8 func=__iprope_check line=2291 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-10-31 16:28:20 id=20085 trace_id=8 func=iprope_policy_group_check line=4753 msg="after check: ret-matched, act-drop, flag-00000800, flag2-00000000"
2023-10-31 16:28:20 id=20085 trace_id=8 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
7.238025 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request

TBogs

hbuenafe81 · ‎10-31-2023

2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-no-match, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2027 msg="checked gnum-10000f policy-4294967295, ret-matched, act-accept"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check_one_policy line=2243 msg="policy-4294967295 is matched, act-drop"
2023-10-31 16:23:29 id=20085 trace_id=1 func=__iprope_check line=2291 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000800, flag2-00000 000"
2023-10-31 16:23:29 id=20085 trace_id=1 func=iprope_policy_group_check line=4753 msg="after check: ret-matched, act-drop, flag-00000800, flag2-0000000 0"
2023-10-31 16:23:29 id=20085 trace_id=1 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
11.639245 port4 in 10.3.131.150 -> 10.2.203.10: icmp: echo request
2023-10-31 16:23:34 id=20085 trace_id=2 func=print_pkt_detail line=5871 msg="vd-root:0 received a packet(proto=1, 10.3.131.150:1->10.2.203.10:2048) tu n_id=0.0.0.0 from port4. type=8, code=0, id=1, seq=868."
2023-10-31 16:23:34 id=20085 trace_id=2 func=init_ip_session_common line=6043 msg="allocate a new session-000a70b2, tun_id=0.0.0.0"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_dnat_check line=5337 msg="in-[port4], out-[]"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_dnat_tree_check line=827 msg="len=0"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_dnat_check line=5350 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-000000 00"
2023-10-31 16:23:34 id=20085 trace_id=2 func=vf_ip_route_input_common line=2612 msg="find a route: flag=80000000 gw-10.2.203.10 via root"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_access_proxy_check line=439 msg="in-[port4], out-[], skb_flags-02000000, vid-0"
2023-10-31 16:23:34 id=20085 trace_id=2 func=__iprope_check line=2272 msg="gnum-100017, check-3f028b24"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_policy_group_check line=4753 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-0000 0000"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_in_check line=472 msg="in-[port4], out-[], skb_flags-02000000, vid-0"
2023-10-31 16:23:34 id=20085 trace_id=2 func=__iprope_check line=2272 msg="gnum-100011, check-3f029d2c"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_policy_group_check line=4753 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-000000 00"
2023-10-31 16:23:34 id=20085 trace_id=2 func=__iprope_check line=2272 msg="gnum-100001, check-3f028b24"
2023-10-31 16:23:34 id=20085 trace_id=2 func=iprope_policy_group_check line=4753 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-0000 0000"

TBogs

syordanov · ‎10-31-2023

Hello,

Check the routing on your FW for the source and destination :

# get router info routing-table details 10.3.131.150

# get router info routing-table details 10.2.203.10

Best regards,

Fortinet

.

hbuenafe81 · ‎10-31-2023

Hi Syordanov,

i think you right here the route are not going to port 1 instead it goes to port 3, wan1 & wan2 as shown below, i remove the ip on this post for security purposes.

note: i have static route on this 10.2.203.10 pointing to port 1. Any idea how can i force this to route this to 10.2.203.10 please.

fwmalaz # get router info routing-table details 10.3.131.150

Routing table for VRF=0
Routing entry for 10.3.131.0/24
Known via "connected", distance 0, metric 0, best
* is directly connected, port4

fwmalaz # get router info routing-table details 10.2.203.10

Routing table for VRF=0
Routing entry for 0.0.0.0/0
Known via "static", distance 3, metric 0
*******, via port3

Routing entry for 0.0.0.0/0
Known via "static", distance 4, metric 0
********, via wan2

Routing entry for 0.0.0.0/0
Known via "static", distance 2, metric 0, best
* ******, via wan1

TBogs

hbuenafe81 · ‎10-31-2023

fwmalaz # get router info routing-table details 10.2.203.10

Routing table for VRF=0
Routing entry for 10.2.203.10/32
Known via "static", distance 1, metric 0, best
* 10.50.1.1, via port1

TBogs

syordanov · ‎10-31-2023

Hello ,

According to provided output, you have one static route for 10.2.203.10/32 via port1, in this case please check the FW rules between port4 and port1.

Best regards,

Fortinet

.