msg="iprope_in_check() check failed on policy 0, drop"

Author: andre.amaro
2016/10/26 07:42:21

msg="iprope_in_check() check failed on policy 0, drop"

Dear all,
 
I have a FortiGate 300C that recently started blocking access that used to work normally. My route points to the VPN and the tunnel is up. The policy is ok.
Strangely, this connection stopped working and when I try to connect it does not match the policy.
 
The log I'm having is this:
id=20085 trace_id=4875 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=6, 10.10.10.10:63117->11.11.11.11:9160) from my_interface. flag [S], seq 2788299880, ack 0, win 8192"
id=20085 trace_id=4875 func=init_ip_session_common line=4620 msg="allocate a new session-7bd3977e"
id=20085 trace_id=4875 func=fw_local_in_handler line=385 msg="iprope_in_check() check failed on policy 0, drop"

 
Any idea?
#1


    emnoc
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2016/10/26 08:32:43
    Most likely uRPF checks. Are you sure the ingress interface is correct for that route and traffic-flow?
     
    Ken
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #2
    andre.amaro
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2016/10/26 08:42:45
    emnoc
    Most likely uRPF checks. Are you sure the ingress interface is correct for that route and traffic-flow?
     
    Ken
     


    Yes, I'm sure. This problem started even though I had made no intervention in this flow.
    #3
    andre.amaro
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2016/10/26 14:31:42
    Well, I managed to find the solution to this problem.

    I had created a virtual IP for a new connection and it was the cause of my problems, even though it was not linked to any policy. That's because there was already an object using the same IP that I created. I'm not sure, but it seems the firewall did not understand what I wanted to do (whether to use the VIP or the object).
     
    Anyway ... just after deleting this VIP, the connections that used the VPN returned to normal.
    #4
    ede_pfau
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2016/10/26 22:59:39
    Background: when you create a VIP, the FGT will proxy ARP for that address - even if it's not (yet) used in a policy. It's not just a NAT rule.
    If there is no policy, traffic will be denied. That's what you saw.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #5
    andre.amaro
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2016/10/27 06:14:23
    ede_pfau
    Background: when you create a VIP, the FGT will proxy ARP for that address - even if it's not (yet) used in a policy. It's not just a NAT rule.
    If there is no policy, traffic will be denied. That's what you saw.


     
    Thank you for the explanation!
    #6
    baguma
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2017/06/21 11:18:43
    Hi,
    I have the same error. Using an external public VIP which isn't part of the FortiGate interface IP.
     
    find a route: flag=80000000 gw-196.x.x.x via root
    id=20085 trace_id=819 func=fw_local_in_handler line=394 msg="iprope_in_check() check failed on policy 0, drop"
    id=20085 trace_id=819 func=fw_local_in_handler line=394 msg="iprope_in_check() check failed on policy 0, drop"
    #7
    jhouvenaghel_FTNT
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2017/06/22 03:51:08
    "iprope_in_check() check failed on policy 0" means that the destination IP address is seen as local/belonging to the FGT, and FOS will look through the iprope_in tables.
    An ippool address belongs to the FGT if arp-reply is enabled.
    If you use a VIP, you should check whether the mapped IP address is not also configured somewhere else, in an ippool for example.
    #8
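As an added example (not code from this thread or from Fortinet), a small Python parser for "diag debug flow" output of the kind quoted above: it finds traces that ended in the fw_local_in_handler drop and, given the interface addresses, VIPs and IP pools from the configuration, reports why the destination counted as a FortiGate-local address. The sample lines and the configuration (11.11.11.11 assumed to be the VIP the original poster found) are constructed from the thread's own anonymised logs.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample, built from the debug-flow lines quoted in this thread (addresses anonymised as posted).
SAMPLE_FLOW = """\
id=20085 trace_id=4875 func=print_pkt_detail line=4469 msg="vd-root received a packet(proto=6, 10.10.10.10:63117->11.11.11.11:9160) from my_interface. flag [S], seq 2788299880, ack 0, win 8192"
id=20085 trace_id=4875 func=fw_local_in_handler line=385 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=65 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=17, 172.17.9.127:35982->172.17.9.255:58581) from 5-CORP. "
id=20085 trace_id=65 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=77 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 172.17.9.127:53162->34.195.0.1:443) from 5-CORP. flag [F.], seq 3825516032, ack 1059094717, win 115"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\w+) .*?msg="(?P<msg>.*)"')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<intf>\S+)\.')
LOCAL_IN_DROP = 'iprope_in_check() check failed on policy 0'

def parse_flow(text):
    # Group lines by trace_id so each packet's verdict can be matched to its 5-tuple.
    traces = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces[m['tid']].append((m['func'], m['msg']))
    return traces

def why_local(dst, interface_addrs, vips, ippools):
    # iprope_in is only consulted when FortiOS treats dst as its own address; these are the sources named in the thread.
    ip = ipaddress.ip_address(dst)
    for iface in map(ipaddress.ip_interface, interface_addrs):
        if ip == iface.ip:
            return 'interface address'
        if ip == iface.network.broadcast_address:
            return 'subnet broadcast address'
    if dst in vips:
        return 'VIP external address (proxy-ARPed even without a policy)'
    if dst in ippools:
        return 'IP pool address (local when arp-reply is enabled)'
    return 'not in supplied config: look for an overlapping object'

def local_in_drops(text, interface_addrs, vips=(), ippools=()):
    # One finding per trace that ended in the fw_local_in_handler drop; other traces are ignored.
    findings = []
    for tid, events in parse_flow(text).items():
        if not any(f == 'fw_local_in_handler' and LOCAL_IN_DROP in m for f, m in events):
            continue
        pkt = next((PKT_RE.search(m) for f, m in events if f == 'print_pkt_detail'), None)
        if pkt:
            findings.append({'trace_id': tid, 'proto': int(pkt['proto']), 'src': pkt['src'],
                             'dst': pkt['dst'], 'ingress': pkt['intf'],
                             'reason': why_local(pkt['dst'], interface_addrs, vips, ippools)})
    return findings
```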
    baguma
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2017/06/22 10:34:16
    Thanks for the reply. Just for clarity, below is my design:
     
    client to VIP 197.x.x.147 (ISP allocated IP) port 3319, mapped to 192.168.X.13 (webserver) port 3319
    Interface to the internet where the client is coming from: 196.23.X.249/30
    Interface to the webserver farm: 192.168.x.1/24
    By overlap, do you mean the webserver subnet?
     
    #9
    Oleh
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2019/07/15 05:18:18
    Hi,
     
    I have a similar problem. The FG has IP 60.200.X.2 on the WAN interface. It also has a route to 60.234.x.x pointed to some LAN IP through the LAN interface. I can ping 60.234.x.x with a source IP of the FG LAN, but not with the WAN IP as a source. I'm having the same error - iprope_in_check() check failed on policy 0, drop
     
    #10
    aldolopez
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2019/07/16 12:43:18
    Dear Andre,
    Could you run "get router info routing-table details 10.10.10.10" from the CLI?
    The policy interface must be the output interface shown in the routing table.
     
    Best Regards,
    Aldo López
    #11
    Jirka
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2019/11/13 08:49:27
    Hello,
     
    on a customer's network something similar is happening, with the difference that it does not use a VIP.
    The FGT60E has several interfaces, one of which (LAN) points to the IPsec tunnel (DR 0.0.0.0/0) to the HQ, where SNAT to public IP addresses is performed - a classic scenario. DHCP relay is also set on the LAN and points to a central server at HQ.
    The remaining LAN interfaces are SNATed to the public address of the WAN interface of the FGT60E.
     
    For some reason, some LAN devices sometimes do not communicate with the Internet or have drops - 90% are Samsung TVs.
    Diag debug flow shows this:
    id=20085 trace_id=64 func=init_ip_session_common line=5654 msg="allocate a new session-08667053"
    id=20085 trace_id=64 func=vf_ip_route_input_common line=2591 msg="find a route: flag=94000000 gw-172.17.9.255 via root"
    id=20085 trace_id=64 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
    id=20085 trace_id=65 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=17, 172.17.9.127:35982->172.17.9.255:58581) from 5-CORP. "
    id=20085 trace_id=65 func=init_ip_session_common line=5654 msg="allocate a new session-08667064"
    id=20085 trace_id=65 func=vf_ip_route_input_common line=2591 msg="find a route: flag=94000000 gw-172.17.9.255 via root"
    id=20085 trace_id=65 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
    id=20085 trace_id=66 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=17, 172.17.9.127:35982->172.17.9.255:58581) from 5-CORP. "
    id=20085 trace_id=66 func=init_ip_session_common line=5654 msg="allocate a new session-0866707a"
    id=20085 trace_id=66 func=vf_ip_route_input_common line=2591 msg="find a route: flag=94000000 gw-172.17.9.255 via root"
    id=20085 trace_id=66 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
    id=20085 trace_id=67 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=17, 172.17.9.127:35982->172.17.9.255:58581) from 5-CORP. "
     
    where 172.17.9.127 is one of many Samsung TVs. The LAN subnet is 172.17.9.0/24 and the TV gets a correct IP address, mask, gw, dns.
    I checked the configuration several times and didn't find anything wrong. Once I ran "diagnostic firewall iprope flush", it all started working:
     
    id=20085 trace_id=77 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 172.17.9.127:53162->34.195.xxx.xx:443) from 5-CORP. flag [F.], seq 3825516032, ack 1059094717, win 115"
    id=20085 trace_id=77 func=resolve_ip_tuple_fast line=5569 msg="Find an existing session, id-0866664d, original direction"
    id=20085 trace_id=77 func=npu_handle_session44 line=1107 msg="Trying to offloading session from 5-CORP to IPsecHQ, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x03000000"
    id=20085 trace_id=77 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-IPsecHQ"
    id=20085 trace_id=77 func=esp_output4 line=897 msg="IPsec encrypt/auth"
    id=20085 trace_id=77 func=ipsec_output_finish line=532 msg="send to 193.86.237.65 via intf-wan1"
    id=20085 trace_id=78 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 172.17.9.127:53162->34.195.xxx.xx:443) from 5-CORP. flag [F.], seq 3825516032, ack 1059094717, win 115"
    id=20085 trace_id=78 func=resolve_ip_tuple_fast line=5569 msg="Find an existing session, id-0866664d, original direction"
    id=20085 trace_id=78 func=npu_handle_session44 line=1107 msg="Trying to offloading session from 5-CORP to IPsecHQ, skb.npu_flag=00000000 ses.state=00010204 ses.npu_state=0x03000000"
    id=20085 trace_id=78 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-IPsecHQ"
    id=20085 trace_id=78 func=esp_output4 line=897 msg="IPsec encrypt/auth"
    id=20085 trace_id=78 func=ipsec_output_finish line=532 msg="send to 193.86.xxx.xx via intf-wan1"

    Routing table for VRF=0
    Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
           O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default

    S* 0.0.0.0/0 [10/0] via 193.86.xxx.xx, wan1
                             [10/0] is directly connected, IPsecHQ [9/0]
    C 10.33.1.0/24 is directly connected, 1001-UniFiGuest
    C 10.110.19.0/24 is directly connected, internal2
    S 172.16.1.0/29 [10/0] is directly connected, IPsecHQ, [8/0]
    C 172.17.9.0/24 is directly connected, 5-CCORP
    C 172.17.109.0/24 is directly connected, 51-AAA_net
    C 172.17.209.0/24 is directly connected, internal4
    C 172.20.0.0/16 is directly connected, internal3
    S 172.27.1.0/29 [10/0] is directly connected, IPsecHQ, [8/0]
    C 192.168.1.0/24 is directly connected, internal
    C 193.86.xxx.xx/29 is directly connected, wan1

     
    I have configured PBR too: the first rule allows access from dedicated devices on the LAN to the management subnet (internal2),
    and the second routes the LAN and management subnet via IPsec to HQ.
     
    config router policy
        edit 2
            set input-device "5-CORP"
            set srcaddr "CORP_lan"
            set src-negate disable
            set dstaddr "MNGMT"
            set dst-negate disable
            set action permit
            set protocol 0
            set gateway 0.0.0.0
            set output-device "internal2"
            set tos 0x00
            set tos-mask 0x00
            set status enable
            set comments ''
        next
        edit 1
            set input-device "5-CORP" "internal2"
            set srcaddr "CORP_lan" "MNGMT"
            set src-negate disable
            set dstaddr "all"
            set dst-negate disable
            set action permit
            set protocol 0
            set gateway 0.0.0.0
            set output-device "IPsecHQ"
            set tos 0x00
            set tos-mask 0x00
            set status enable
            set comments ''
        next
    end

     
    What can be the cause of such behavior and how can I eliminate it?
    FortiOS 6.0.5

    Thank you.

    Jirka
     
     
    post edited by Jirka - 2019/11/13 10:18:01
    #12
    ede_pfau
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2019/11/17 04:18:22
    In a /24 network, you cannot use x.x.x.255 as a gateway or host address. I stumbled upon the .255 and gladly you mentioned the network mask later in your post.
    .255 is the broadcast address of that subnet.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #13
    Jirka
    Re: msg="iprope_in_check() check failed on policy 0, drop" 2019/11/17 06:48:39
    ede_pfau
    In a /24 network, you cannot use x.x.x.255 as a gateway or host address. I stumbled upon the .255 and gladly you mentioned the network mask later in your post.
    .255 is the broadcast address of that subnet.

    Ede,
    of course I don't use the address .255.
    As I wrote, a DHCP relay agent is listening on the LAN interface, which I suppose means broadcast traffic to .255.
    #14