Support Forum
HernanAraujo
New Contributor

Problem with policies and ICMP.

Good day, afternoon or evening, depending on the case. We would like you to support us with the following problem that we are having. Recently we updated the firmware of our Fortigate 200D from version 5.2.11 to 5.6.3, but for some reason that we do not know, the policies have not been applied correctly, since the L2L connections with some localities are not responding to PING. That happens only with some localities, not with all. We would like to know if there is any CLI command that could validate the health of the policies in relation to a particular protocol and network, in this case ICMP, since those same localities that do not respond to PING are operational and working normally through other protocols: we can access them via HTTP or RDP without problems...!!!! Best regards...!!!
5 REPLIES
ede_pfau
Esteemed Contributor III

Hi, and welcome to the forums. I need more information about these policies. What do you mean by "L2L" connection - an IPsec VPN, L2TP, ...? Or do you use VIPs? Please post one representative policy (in text form, from the CLI: "conf firewall policy", edit <n>, show).

Ede

"Kernel panic: Aiee, killing interrupt handler!"
HernanAraujo

Hi. Thanks. OK, it's an IPsec VPN. I made a diagnose sniffer packet capture over one of the networks where I have the issue (I share it here); maybe you can see something that my expertise won't permit me to see.
Evenpro_1 $ diagnose sniffer packet any "host 172.20.30.1"
interfaces=[any]
filters=[host 172.20.30.1]
54.284160 172.20.5.176.35697 -> 172.20.30.1.161: udp 57
58.288376 172.20.5.176.35697 -> 172.20.30.1.161: udp 57
88.128023 172.20.5.176 -> 172.20.30.1: icmp: echo request
89.128383 172.20.5.176 -> 172.20.30.1: icmp: echo request
90.128553 172.20.5.176 -> 172.20.30.1: icmp: echo request
146.539845 172.20.5.176.38701 -> 172.20.30.1.161: udp 54
150.544142 172.20.5.176.38701 -> 172.20.30.1.161: udp 54
181.735838 172.20.5.184 -> 172.20.30.1: icmp: echo request
211.085592 172.20.5.176 -> 172.20.30.1: icmp: echo request
212.086005 172.20.5.176 -> 172.20.30.1: icmp: echo request
213.086172 172.20.5.176 -> 172.20.30.1: icmp: echo request
238.666728 172.20.5.176.45814 -> 172.20.30.1.161: udp 56
242.670830 172.20.5.176.45814 -> 172.20.30.1.161: udp 56
243.354677 172.20.5.184 -> 172.20.30.1: icmp: echo request
330.796173 172.20.5.176.35502 -> 172.20.30.1.161: udp 56
333.942596 172.20.5.176 -> 172.20.30.1: icmp: echo request
334.797247 172.20.5.176.35502 -> 172.20.30.1.161: udp 56
334.942801 172.20.5.176 -> 172.20.30.1: icmp: echo request
335.943152 172.20.5.176 -> 172.20.30.1: icmp: echo request
423.286442 172.20.5.176.55479 -> 172.20.30.1.161: udp 56
427.290585 172.20.5.176.55479 -> 172.20.30.1.161: udp 56
457.547137 172.20.5.176 -> 172.20.30.1: icmp: echo request
458.547563 172.20.5.176 -> 172.20.30.1: icmp: echo request
459.547699 172.20.5.176 -> 172.20.30.1: icmp: echo request
481.114562 172.20.5.184 -> 172.20.30.1: icmp: echo request
515.397068 172.20.5.176.49510 -> 172.20.30.1.161: udp 56
519.401241 172.20.5.176.49510 -> 172.20.30.1.161: udp 56
541.539585 172.20.5.184 -> 172.20.30.1: icmp: echo request
580.926670 172.20.5.176 -> 172.20.30.1: icmp: echo request
581.926883 172.20.5.176 -> 172.20.30.1: icmp: echo request
582.927465 172.20.5.176 -> 172.20.30.1: icmp: echo request
607.518152 172.20.5.176.59883 -> 172.20.30.1.161: udp 56
611.522320 172.20.5.176.59883 -> 172.20.30.1.161: udp 56
699.697444 172.20.5.176.40193 -> 172.20.30.1.161: udp 54
703.701535 172.20.5.176.40193 -> 172.20.30.1.161: udp 54
704.265951 172.20.5.176 -> 172.20.30.1: icmp: echo request
705.266277 172.20.5.176 -> 172.20.30.1: icmp: echo request
706.268833 172.20.5.176 -> 172.20.30.1: icmp: echo request
781.135739 172.20.5.184 -> 172.20.30.1: icmp: echo request
791.815900 172.20.5.176.56173 -> 172.20.30.1.161: udp 56
795.820098 172.20.5.176.56173 -> 172.20.30.1.161: udp 56
827.611664 172.20.5.176 -> 172.20.30.1: icmp: echo request
828.611810 172.20.5.176 -> 172.20.30.1: icmp: echo request
829.612288 172.20.5.176 -> 172.20.30.1: icmp: echo request
 
45 packets received by filter
0 packets dropped by kernel
 
Evenpro_1 $
ede_pfau
Esteemed Contributor III

The sniffer output doesn't help. Try and apply a 'diag debug flow' session, once for pinging and once for some other traffic. Are you sure the remote host will respond to ping (local firewall)? And there is no VIP involved somewhere?

Ede

"Kernel panic: Aiee, killing interrupt handler!"
HernanAraujo

ede_pfau wrote:
The sniffer output doesn't help. Try and apply a 'diag debug flow' session, once for pinging and once for some other traffic. Are you sure the remote host will respond to ping (local firewall)? And there is no VIP involved somewhere?

OK, here is your request.

The entire remote network doesn't respond to each other; internally, a remote host does ping its firewall successfully, but no host responds to the outside. I can see that there is a problem with policy 0; I think that is the deny-all policy, but I don't know why that policy is intervening in this case. And sorry for my lack of knowledge, but I don't know what you mean by a VIP involved in any place. Again, thanks for all of your help.

Evenpro_1 $ diagnose debug disable 
 
Evenpro_1 $ diagnose debug flow trace stop
 
Evenpro_1 $ diagnose debug flow filter clear 
 
Evenpro_1 $ diagnose debug reset 
 
Evenpro_1 $ diagnose debug flow filter addr 172.20.30.1
 
Evenpro_1 $ diagnose debug flow filter proto 1
 
Evenpro_1 $ diagnose debug flow show function-name enable 
show function name
 
Evenpro_1 $ diagnose debug console timestamp enable 
 
Evenpro_1 $ diagnose debug flow trace start 50
 
Evenpro_1 $ diagnose debug enable 
 
Evenpro_1 $ 
Evenpro_1 $ 2018-02-26 14:19:31 id=20085 trace_id=14 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.176:30379->172.20.30.1:2048) from port1. type=8, code=0, id=30379, seq=18."
2018-02-26 14:19:31 id=20085 trace_id=14 func=init_ip_session_common line=5390 msg="allocate a new session-0276de25"
2018-02-26 14:19:31 id=20085 trace_id=14 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:19:31 id=20085 trace_id=14 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:19:32 id=20085 trace_id=15 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.176:30379->172.20.30.1:2048) from port1. type=8, code=0, id=30379, seq=47."
2018-02-26 14:19:32 id=20085 trace_id=15 func=init_ip_session_common line=5390 msg="allocate a new session-0276de71"
2018-02-26 14:19:32 id=20085 trace_id=15 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:19:32 id=20085 trace_id=15 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:19:33 id=20085 trace_id=16 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.176:30379->172.20.30.1:2048) from port1. type=8, code=0, id=30379, seq=76."
2018-02-26 14:19:33 id=20085 trace_id=16 func=init_ip_session_common line=5390 msg="allocate a new session-0276deab"
2018-02-26 14:19:33 id=20085 trace_id=16 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:19:33 id=20085 trace_id=16 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:20:23 id=20085 trace_id=17 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.184:29748->172.20.30.1:2048) from port1. type=8, code=0, id=29748, seq=1."
2018-02-26 14:20:23 id=20085 trace_id=17 func=init_ip_session_common line=5390 msg="allocate a new session-0276eb1a"
2018-02-26 14:20:23 id=20085 trace_id=17 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:20:23 id=20085 trace_id=17 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:21:22 id=20085 trace_id=18 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.184:29865->172.20.30.1:2048) from port1. type=8, code=0, id=29865, seq=1."
2018-02-26 14:21:22 id=20085 trace_id=18 func=init_ip_session_common line=5390 msg="allocate a new session-0276f975"
2018-02-26 14:21:22 id=20085 trace_id=18 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:21:22 id=20085 trace_id=18 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:21:35 id=20085 trace_id=19 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.176:30526->172.20.30.1:2048) from port1. type=8, code=0, id=30526, seq=18."
2018-02-26 14:21:35 id=20085 trace_id=19 func=init_ip_session_common line=5390 msg="allocate a new session-0276fc96"
2018-02-26 14:21:35 id=20085 trace_id=19 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:21:35 id=20085 trace_id=19 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:21:36 id=20085 trace_id=20 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.176:30526->172.20.30.1:2048) from port1. type=8, code=0, id=30526, seq=47."
2018-02-26 14:21:36 id=20085 trace_id=20 func=init_ip_session_common line=5390 msg="allocate a new session-0276fce0"
2018-02-26 14:21:36 id=20085 trace_id=20 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:21:36 id=20085 trace_id=20 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:21:37 id=20085 trace_id=21 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.176:30526->172.20.30.1:2048) from port1. type=8, code=0, id=30526, seq=76."
2018-02-26 14:21:37 id=20085 trace_id=21 func=init_ip_session_common line=5390 msg="allocate a new session-0276fd17"
2018-02-26 14:21:37 id=20085 trace_id=21 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:21:37 id=20085 trace_id=21 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:23:38 id=20085 trace_id=22 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.176:30671->172.20.30.1:2048) from port1. type=8, code=0, id=30671, seq=16."
2018-02-26 14:23:38 id=20085 trace_id=22 func=init_ip_session_common line=5390 msg="allocate a new session-027719f6"
2018-02-26 14:23:38 id=20085 trace_id=22 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:23:38 id=20085 trace_id=22 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:23:39 id=20085 trace_id=23 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.176:30671->172.20.30.1:2048) from port1. type=8, code=0, id=30671, seq=45."
2018-02-26 14:23:39 id=20085 trace_id=23 func=init_ip_session_common line=5390 msg="allocate a new session-02771a34"
2018-02-26 14:23:39 id=20085 trace_id=23 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:23:39 id=20085 trace_id=23 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:23:40 id=20085 trace_id=24 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.176:30671->172.20.30.1:2048) from port1. type=8, code=0, id=30671, seq=74."
2018-02-26 14:23:40 id=20085 trace_id=24 func=init_ip_session_common line=5390 msg="allocate a new session-02771a83"
2018-02-26 14:23:40 id=20085 trace_id=24 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:23:40 id=20085 trace_id=24 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:25:23 id=20085 trace_id=25 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.184:30464->172.20.30.1:2048) from port1. type=8, code=0, id=30464, seq=1."
2018-02-26 14:25:23 id=20085 trace_id=25 func=init_ip_session_common line=5390 msg="allocate a new session-02773369"
2018-02-26 14:25:23 id=20085 trace_id=25 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:25:23 id=20085 trace_id=25 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
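The two captures above answer different questions. The sniffer only shows echo requests leaving toward 172.20.30.1 with no echo reply coming back, which says that something is wrong but not where. The debug flow says where: each packet is routed out via VPN_OFC-SBC_02 and then hits "Denied by forward policy check (policy 0)". In FortiOS debug flow output, policy 0 is the implicit deny, i.e. no configured firewall policy matched that source interface, destination interface (here the tunnel), addresses and service. What follows is an added example, not code from the thread or from Fortinet: a small Python parser that turns both outputs into something you can read at a glance, grouping the debug flow by trace_id and reporting the verdict per flow, and pairing ICMP requests with replies in the sniffer output. The trace-14 lines are taken from the post above; the TCP trace 15 with "Allowed by Policy-12" (policy ID 12 is a placeholder) and the 172.20.31.1 request/reply pair are constructed to show the allowed case beside the denied one.

```python
import re
from collections import Counter, defaultdict

# Trace 14 is copied from the thread; trace 15 is constructed (policy 12 is a placeholder ID)
# to show what an allowed flow looks like next to the implicit-deny case.
SAMPLE_FLOW = """\
2018-02-26 14:19:31 id=20085 trace_id=14 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=1, 172.20.5.176:30379->172.20.30.1:2048) from port1. type=8, code=0, id=30379, seq=18."
2018-02-26 14:19:31 id=20085 trace_id=14 func=init_ip_session_common line=5390 msg="allocate a new session-0276de25"
2018-02-26 14:19:31 id=20085 trace_id=14 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:19:31 id=20085 trace_id=14 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-02-26 14:19:40 id=20085 trace_id=15 func=print_pkt_detail line=5231 msg="vd-root received a packet(proto=6, 172.20.5.176:51000->172.20.30.1:3389) from port1. flag [S], seq 1000, ack 0, win 64240"
2018-02-26 14:19:40 id=20085 trace_id=15 func=init_ip_session_common line=5390 msg="allocate a new session-0276de30"
2018-02-26 14:19:40 id=20085 trace_id=15 func=vf_ip4_route_input line=1598 msg="find a route: flags=00000000 gw-172.20.30.1 via VPN_OFC-SBC_02"
2018-02-26 14:19:40 id=20085 trace_id=15 func=fw_forward_handler line=584 msg="Allowed by Policy-12:"
"""

# First three ICMP lines are from the thread's sniffer output; the 172.20.31.1 pair is constructed.
SAMPLE_SNIFFER = """\
88.128023 172.20.5.176 -> 172.20.30.1: icmp: echo request
89.128383 172.20.5.176 -> 172.20.30.1: icmp: echo request
90.128553 172.20.5.176 -> 172.20.30.1: icmp: echo request
146.539845 172.20.5.176.38701 -> 172.20.30.1.161: udp 54
200.000000 172.20.5.176 -> 172.20.31.1: icmp: echo request
200.001200 172.20.31.1 -> 172.20.5.176: icmp: echo reply
"""

TRACE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+?)->(\S+?)\) from (\S+?)\.')
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')
SNIFFER_RE = re.compile(r'^\s*[\d.]+ (\S+) -> (\S+): icmp: echo (request|reply)')
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_debug_flow(text):
    """Group 'diagnose debug flow' lines by trace_id into one record per packet."""
    traces = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(3)
        rec = traces.setdefault(tid, {"trace_id": tid, "proto": None, "src": None, "dst": None,
                                      "in_iface": None, "out_iface": None,
                                      "verdict": None, "policy": None})
        pm = PKT_RE.search(msg)
        if pm:  # for ICMP the "port" fields carry the echo id and type<<8, not real ports
            rec["proto"], rec["src"], rec["dst"], rec["in_iface"] = (
                int(pm.group(1)), pm.group(2), pm.group(3), pm.group(4))
        rm = ROUTE_RE.search(msg)
        if rm:
            rec["out_iface"] = rm.group(1)
        dm = DENY_RE.search(msg)
        if dm:
            rec["verdict"], rec["policy"] = "denied", int(dm.group(1))
        am = ALLOW_RE.search(msg)
        if am:
            rec["verdict"], rec["policy"] = "allowed", int(am.group(1))
    return [traces[k] for k in sorted(traces)]


def summarize_flows(records):
    """Count packets per (proto, src ip, dst ip, egress interface, verdict, policy id)."""
    counts = Counter()
    for r in records:
        counts[(PROTO_NAMES.get(r["proto"], str(r["proto"])),
                r["src"].rsplit(":", 1)[0], r["dst"].rsplit(":", 1)[0],
                r["out_iface"], r["verdict"], r["policy"])] += 1
    return counts


def implicit_denies(records):
    """Flows that hit policy 0: no configured policy matched, so the implicit deny fired."""
    return [r for r in records if r["verdict"] == "denied" and r["policy"] == 0]


def icmp_request_reply_counts(text):
    """From sniffer output, count (requests, replies) per (requester, target) pair."""
    counts = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = SNIFFER_RE.match(line)
        if not m:
            continue
        src, dst, kind = m.groups()
        if kind == "request":
            counts[(src, dst)][0] += 1
        else:  # a reply flows back, so key it on the original requester/target pair
            counts[(dst, src)][1] += 1
    return {k: tuple(v) for k, v in counts.items()}


def unanswered_echo_pairs(text):
    """Requester/target pairs that sent echo requests and never saw an echo reply."""
    return [pair for pair, (req, rep) in icmp_request_reply_counts(text).items()
            if req > 0 and rep == 0]


if __name__ == "__main__":
    for key, n in summarize_flows(parse_debug_flow(SAMPLE_FLOW)).items():
        print(n, "packet(s):", key)
    print("echo requests without replies:", unanswered_echo_pairs(SAMPLE_SNIFFER))
```

Run against a real capture, the summary shows in one line which address pair, which egress interface (the tunnel) and which verdict each flow got; a denied/0 entry means the fix is a missing or mis-scoped policy for that interface pair and service rather than a routing problem, since the route lookup already succeeded before the policy check.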

 

rwpatterson
Valued Contributor III

HernanAraujo wrote:
Good day, afternoon or evening, depending on the case. We would like you to support us with the following problem that we are having. Recently we updated the firmware of our Fortigate 200D from version 5.2.11 to 5.6.3, but for some reason that we do not know, the policies have not been applied correctly, since the L2L connections with some localities are not responding to PING. That happens only with some localities, not with all. We would like to know if there is any CLI command that could validate the health of the policies in relation to a particular protocol and network, in this case ICMP, since those same localities that do not respond to PING are operational and working normally through other protocols: we can access them via HTTP or RDP without problems...!!!! Best regards...!!!
Did you follow the correct upgrade path, or did you simply jump to the latest version?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
