
Author
Garroyo
2018/07/24 00:42:49

Secondary ips not communication

Hello Everybody
 
I have the following configuration on an interface, and devices in each subnet cannot communicate with each other.
 
config system interface
    edit "industrial"
        set vdom "root"
        set ip 172.30.186.10 255.255.254.0
        set allowaccess ping
        set description "Industrial"
        set role lan
        set snmp-index 15
        set secondary-IP enable
        set interface "internal1"
        set vlanid 4
        config secondaryip
            edit 1
                set ip 172.30.188.10 255.255.252.0
                set allowaccess ping
            next
        end
    next
end

Zone configuration allows intrazone communication. Do I also need to create a specific rule allowing traffic in this zone?

Best regards

Gonzalo
#1


    Toshi Esumi
    Re: Secondary ips not communication 2018/07/24 09:02:24
    So you created vlan 4 on internal1 physical interface and set a secondary IP (both are vlan 4 tagged). You must have typed "set type vlan" as well. And then put the vlan interface "industrial" in a zone?
    The secondary IP is on the same interface with the primary IP on the same broadcast domain. FGT wouldn't be able to block any traffic between them. Most likely something else is going on on the LAN segment. I would hook up a laptop on the switch that is handling the VLAN, set a mirror port and run Wireshark to find out what's going on.
    #2
    Garroyo
    Re: Secondary ips not communication 2018/10/11 04:30:52
    Hello
     
    What I found using a debug is that the traffic is denied by the explicit rule "deny all":
    2018-10-11 13:02:30 id=20085 trace_id=13 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 192.168.100.10:1->192.168.200.10:2048) from internal1. type=8, code=0, id=1, seq=422."
    2018-10-11 13:02:30 id=20085 trace_id=13 func=init_ip_session_common line=5454 msg="allocate a new session-000180cb"
    2018-10-11 13:02:30 id=20085 trace_id=13 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-192.168.200.10 via internal1"
    2018-10-11 13:02:30 id=20085 trace_id=13 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
    2018-10-11 13:02:35 id=20085 trace_id=14 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 192.168.100.10:1->192.168.200.10:2048) from internal1. type=8, code=0, id=1, seq=423."
     
    Creating a firewall policy allowing traffic within the zone works:
    config firewall policy
        edit 200
            set name "Internal_to_internal"
            set uuid a012cc6a-cd45-51e8-7ac7-15defcee38df
            set srcintf "trust"
            set dstintf "trust"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
     

    VPN-FGT-GONZALO-TEST # 2018-10-11 13:07:57 id=20085 trace_id=17 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 192.168.100.10:1->192.168.200.10:2048) from internal1. type=8, code=0, id=1, seq=429."
    2018-10-11 13:07:57 id=20085 trace_id=17 func=init_ip_session_common line=5454 msg="allocate a new session-000183c9"
    2018-10-11 13:07:57 id=20085 trace_id=17 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-192.168.200.10 via internal1"
    2018-10-11 13:07:57 id=20085 trace_id=17 func=fw_forward_handler line=737 msg="Allowed by Policy-200:"
    2018-10-11 13:08:00 id=20085 trace_id=18 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 192.168.100.10:1->192.168.200.10:2048) from internal1. type=8, code=0, id=1, seq=430."
    2018-10-11 13:08:00 id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-000183c9, original direction"
    2018-10-11 13:08:00 id=20085 trace_id=18 func=npu_handle_session44 line=917 msg="Trying to offloading session from internal1 to internal1, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
    2018-10-11 13:08:03 id=20085 trace_id=19 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 192.168.100.10:1->192.168.200.10:2048) from internal1. type=8, code=0, id=1, seq=431."
    2018-10-11 13:08:03 id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-000183c9, original direction"
    2018-10-11 13:08:03 id=20085 trace_id=19 func=npu_handle_session44 line=917 msg="Trying to offloading session from internal1 to internal1, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
    2018-10-11 13:08:06 id=20085 trace_id=20 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 192.168.100.10:1->192.168.200.10:2048) from internal1. type=8, code=0, id=1, seq=432."
    2018-10-11 13:08:06 id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5370 msg="Find an existing session, id-000183c9, original direction"
    2018-10-11 13:08:06 id=20085 trace_id=20 func=npu_handle_session44 line=917 msg="Trying to offloading session from internal1 to internal1, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x00000000"
     
    Is this the best option, or is there any other solution?
     
    Gonzalo
    #3
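To make the trace reading above reproducible, here is an added Python helper (not from the thread or from Fortinet) that groups FortiGate debug-flow lines by trace_id and flags flows dropped by policy 0, the implicit deny, when they enter and leave on the same interface, which is exactly the intrazone case in this thread. The sample lines are trimmed copies of the ones quoted above; the record field names are my own.

```python
import re

# Sample input: trimmed copies of the "diagnose debug flow" lines quoted in the thread,
# one denied flow (trace_id 13) and one allowed flow (trace_id 17).
SAMPLE_TRACE = """\
2018-10-11 13:02:30 id=20085 trace_id=13 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 192.168.100.10:1->192.168.200.10:2048) from internal1. type=8, code=0, id=1, seq=422."
2018-10-11 13:02:30 id=20085 trace_id=13 func=vf_ip4_route_input line=1599 msg="find a route: flags=00000000 gw-192.168.200.10 via internal1"
2018-10-11 13:02:30 id=20085 trace_id=13 func=fw_forward_handler line=584 msg="Denied by forward policy check (policy 0)"
2018-10-11 13:07:57 id=20085 trace_id=17 func=print_pkt_detail line=5295 msg="vd-root received a packet(proto=1, 192.168.100.10:1->192.168.200.10:2048) from internal1. type=8, code=0, id=1, seq=429."
2018-10-11 13:07:57 id=20085 trace_id=17 func=fw_forward_handler line=737 msg="Allowed by Policy-200:"
"""

# Patterns for the four message types the thread's trace contains.
PKT_RE = re.compile(r'trace_id=(\d+) .*?received a packet\(proto=(\d+), (\S+?)->(\S+?)\) from (\S+?)\.')
ROUTE_RE = re.compile(r'trace_id=(\d+) .*?find a route: .* via (\S+)"')
DENY_RE = re.compile(r'trace_id=(\d+) .*?Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'trace_id=(\d+) .*?Allowed by Policy-(\d+)')


def parse_flow_trace(text):
    """Group debug-flow lines by trace_id; return {trace_id: record} in first-seen order."""
    flows = {}
    for line in text.splitlines():
        if m := PKT_RE.search(line):
            tid, proto, src, dst, iface = m.groups()
            flows.setdefault(tid, {}).update(
                proto=int(proto), src=src, dst=dst, in_iface=iface, verdict="no verdict")
        elif m := ROUTE_RE.search(line):
            flows.setdefault(m.group(1), {})["out_iface"] = m.group(2)
        elif m := DENY_RE.search(line):
            flows.setdefault(m.group(1), {}).update(verdict="denied", policy=int(m.group(2)))
        elif m := ALLOW_RE.search(line):
            flows.setdefault(m.group(1), {}).update(verdict="allowed", policy=int(m.group(2)))
    return flows


def implicit_deny_hairpins(flows):
    """Trace_ids dropped by policy 0 (FortiGate's implicit deny) whose ingress and egress
    interface are the same: routed between subnets on one interface, so what is missing is
    an intrazone policy, not a route."""
    return [tid for tid, f in flows.items()
            if f.get("verdict") == "denied" and f.get("policy") == 0
            and f.get("in_iface") and f.get("in_iface") == f.get("out_iface")]


if __name__ == "__main__":
    for tid, f in parse_flow_trace(SAMPLE_TRACE).items():
        print(tid, f.get("src"), "->", f.get("dst"), f["verdict"], "policy", f.get("policy"))
```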