Destination Interface unknown-0

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Cookbook, KB

Mark Thread UnreadFlat Reading Mode ❐

Hot!Destination Interface unknown-0

Author Post Essentials Only Full Version
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline 2018/11/13 10:23:12 (permalink) 0 Destination Interface unknown-0 Hello experts, today we deployed FGT200E to part of the network. We terminated two parts of the network - vlan666 and vlan777 - both networks are WiFi and both have DHCP on FGT. DNS is Google DNS Everything works ok, only in the log we have very often a message: Deny-policy violation - dst iface unknow-0. Although it is legitimate traffic to be routed to the internet. No BGP or OSPF is used, NAT is performed on an IP pool on a public IP address. config firewall policy edit 26 set name "UINIFI Guest->WAN" set uuid 671a3c32-e734-51e8-b9c2-43cbdf86ab1f set srcintf "VLAN777" set dstintf "wan1" set srcaddr "UNIFI Guest" set dstaddr "all" set internet-service disable set internet-service-src disable set rtp-nat disable set learning-mode disable set action accept set status enable set schedule "always" set schedule-timeout disable set service "ALL" set dscp-match disable set utm-status enable set logtraffic all set logtraffic-start disable set auto-asic-offload enable set permit-any-host disable set permit-stun-host disable set fixedport disable set ippool enable set poolname "NAT_UniFi_GUEST" set session-ttl 0 set vlan-cos-fwd 255 set vlan-cos-rev 255 set wccp disable set fsso disable set disclaimer disable set natip 0.0.0.0 0.0.0.0 set diffserv-forward disable set diffserv-reverse disable set tcp-mss-sender 0 set tcp-mss-receiver 0 set comments '' set block-notification disable set replacemsg-override-group '' set srcaddr-negate disable set dstaddr-negate disable set service-negate disable set timeout-send-rst disable set captive-portal-exempt disable set ssl-mirror disable set scan-botnet-connections disable set dsri disable set radius-mac-auth-bypass disable set delay-tcp-npu-session disable unset vlan-filter set profile-type single set av-profile '' set webfilter-profile "UniFiGuest" set dnsfilter-profile '' set spamfilter-profile '' set dlp-sensor '' set ips-sensor '' set application-list "UniFiGuest" set voip-profile '' set icap-profile '' set waf-profile '' set ssh-filter-profile '' set profile-protocol-options "default" set ssl-ssh-profile "certificate-inspection" set traffic-shaper '' set traffic-shaper-reverse '' set per-ip-shaper '' set nat enable set match-vip disable next end # diag debug reset # diag debug enable # diag debug flow filter dport 80 # diag debug flow filter saddr 10.9.8.118 # diag debug flow trace start 100 FG200E-xxx # id=20085 trace_id=1 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369" id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=1 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=2 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369" id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=2 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=3 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369" id=20085 trace_id=3 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=3 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=4 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369" id=20085 trace_id=4 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=4 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=5 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369" id=20085 trace_id=5 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=5 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=6 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369" id=20085 trace_id=6 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=6 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=7 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369" id=20085 trace_id=7 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=7 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=8 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369" id=20085 trace_id=8 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=8 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=9 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369" id=20085 trace_id=9 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=9 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=10 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369" id=20085 trace_id=10 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=10 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=11 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369" id=20085 trace_id=11 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=11 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=12 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369" id=20085 trace_id=12 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=12 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=13 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [S], seq 3290449723, ack 0, win 65535" id=20085 trace_id=13 func=init_ip_session_common line=5544 msg="allocate a new session-0002041f" id=20085 trace_id=13 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=13 func=fw_forward_handler line=751 msg="Allowed by Policy-26: AV SNAT" id=20085 trace_id=13 func=ids_receive line=285 msg="send to ips" id=20085 trace_id=13 func=av_receive line=301 msg="send to application layer" id=20085 trace_id=14 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369" id=20085 trace_id=14 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction" id=20085 trace_id=14 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN777 to wan1, skb.npu_flag=00000000 ses.state=18052306 ses.npu_state=0x00001008" id=20085 trace_id=14 func=ids_receive line=285 msg="send to ips" id=20085 trace_id=14 func=av_receive line=301 msg="send to application layer" id=20085 trace_id=15 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [S], seq 261364636, ack 0, win 14600" id=20085 trace_id=15 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction" id=20085 trace_id=15 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988" id=20085 trace_id=16 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369" id=20085 trace_id=16 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction" id=20085 trace_id=16 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN777 to wan1, skb.npu_flag=00000000 ses.state=18052306 ses.npu_state=0x00001008" id=20085 trace_id=16 func=ids_receive line=285 msg="send to ips" id=20085 trace_id=16 func=av_receive line=301 msg="send to application layer" id=20085 trace_id=17 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364637, ack 1997784959, win 3650" id=20085 trace_id=17 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction" id=20085 trace_id=17 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988" id=20085 trace_id=18 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364637, ack 1997784959, win 3650" id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction" id=20085 trace_id=18 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988" id=20085 trace_id=19 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364838, ack 1997785115, win 3918" id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction" id=20085 trace_id=19 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988" id=20085 trace_id=20 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449925, ack 3398102765, win 1369" id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction" id=20085 trace_id=20 func=ids_receive line=285 msg="send to ips" id=20085 trace_id=20 func=av_receive line=301 msg="send to application layer" id=20085 trace_id=21 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369" id=20085 trace_id=21 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=21 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=22 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369" id=20085 trace_id=22 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=22 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=23 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369" id=20085 trace_id=23 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=23 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=24 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369" id=20085 trace_id=24 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=24 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=25 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369" id=20085 trace_id=25 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=25 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=26 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369" id=20085 trace_id=26 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=26 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=27 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369" id=20085 trace_id=27 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=27 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=28 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369" id=20085 trace_id=28 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=28 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=29 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369" id=20085 trace_id=29 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=29 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=30 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369" id=20085 trace_id=30 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=30 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=31 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369" id=20085 trace_id=31 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=31 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=32 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369" id=20085 trace_id=32 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=32 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=33 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369" id=20085 trace_id=33 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=33 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=34 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369" id=20085 trace_id=34 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=34 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=35 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369" id=20085 trace_id=35 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=35 func=fw_forward_dirty_handler line=335 msg="no session matched" id=20085 trace_id=36 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369" id=20085 trace_id=36 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1" id=20085 trace_id=36 func=fw_forward_dirty_handler line=335 msg="no session matched" I have read a few similar posts, but there is no definitive solution. Does anyone have any idea what else to check? In my opinion, this is a standard setup that always works. FortiOS 6.0.3 Thank you, Jirka post edited by Jirka - 2018/11/13 11:34:43 Attached Image(s) #1 Policy 19 Replies Related Threads
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/13 10:31:06 (permalink) 0 another one post edited by Jirka - 2018/11/13 10:35:33 Attached Image(s) #2
Dave Hall Expert Member Total Posts : 1337 Scores: 138 Reward points: 0 Joined: 2012/05/11 07:55:58 Location: Canada Status: offline Re: Destination Interface unknown-0 2018/11/13 12:02:51 (permalink) 0 What do you have assigned to srcaddr "UNIFI Guest"? NSE4/FMG-VM64/FortiAnalyzer-VM/5.2/5.4 (FWF40C/FW92D/FGT200B/FGT200D/FGT101E)/ FAP220B/221C #3
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/13 12:06:48 (permalink) 0 Dave Hall What do you have assigned to srcaddr "UNIFI Guest"? Hi Dave, config firewall address edit "UNIFI Guest" set uuid 08613f64-e50f-51e8-62a8-6971ca472c8f set color 10 set subnet 10.9.8.0 255.255.254.0 next end #4
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/14 12:00:50 (permalink) 0 ok, I got information from the TAC that the problem might be in tcp-halfclose-timer. https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36429&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=53784685&stateId=1%200%2053786674 The default value is 120 seconds, so I tried to increase globally for 300 seconds. No change. What's strange is that the FGT81E in the same network with the same configuration (vlan, dhcp) behaves perfectly. Jirka #5
emnoc Expert Member Total Posts : 5108 Scores: 318 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Destination Interface unknown-0 2018/11/14 12:42:46 (permalink) 0 Could it be asymmetrical routing issues? Ken Felix PCNSE, NSE , Forcepoint , StrongSwan Specialist #6
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/14 12:54:07 (permalink) 0 Hi Ken, to asymmetric routing is no reason. Box has only one WAN line, static routing (one default route), IP addresses are allocated statically, directly linked to the our core box (ASR1001). There is no reason for such behavior. Only connections to HTTP and HTTPS are affected. Other services are normal. Jirka Attached Image(s) #7
Dave Hall Expert Member Total Posts : 1337 Scores: 138 Reward points: 0 Joined: 2012/05/11 07:55:58 Location: Canada Status: offline Re: Destination Interface unknown-0 2018/11/14 13:22:07 (permalink) 0 What is the type or size of the IP Pool? If I recall a long while back, a similar problem where the IP pool was alternating the source address at some point that it cause the source to no longer match any firewall policies. NSE4/FMG-VM64/FortiAnalyzer-VM/5.2/5.4 (FWF40C/FW92D/FGT200B/FGT200D/FGT101E)/ FAP220B/221C #8
darwin_FTNT Bronze Member Total Posts : 39 Scores: 2 Reward points: 0 Joined: 2018/04/24 18:12:28 Status: offline Re: Destination Interface unknown-0 2018/11/14 18:45:29 (permalink) 0 It could be due to asymmetric route, session expired, or fortigate just received a single tcp packet with fin flag only (the syn packet and the rest are missing). Take note of the trace_id, it is incremented once per packet received by kernel from network card driver or local processes. The trace_id is used to track the individual packet in 'diag debug flow' as it is processed by kernel netfilter chain / tcp stack. Thus diag debug flow is useful to check if the packet is received by fortigate hw ports in the first place (aside from diag sniffer packet) before sent to other utm daemons (not familiar with npu offload code path). If there are no tcp syn/ack packets, the session will not be created. The following consecutive packets came from single IP with incremental src port to the same destination webserver. Since session is null, the packet is logged then just dropped by firewall. Can enable 'config system setting asymroute' (default is disabled). Also can send a tcp reset to the clients sending sessionless packet 'config system global reset-sessionless-tcp' (default is disabled) Can try the following log setting to disable: config log setting --> log-invalid-packet -->disable. post edited by darwin_FTNT - 2018/11/14 18:47:27 #9
emnoc Expert Member Total Posts : 5108 Scores: 318 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Destination Interface unknown-0 2018/11/14 19:27:35 (permalink) 0 Yes I agreed and I see various applications kick out additional tcp packets when the session is long dead. is it always the same address and service ports? Ken Felix PCNSE, NSE , Forcepoint , StrongSwan Specialist #10
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/14 23:59:53 (permalink) 0 emnoc Yes I agreed and I see various applications kick out additional tcp packets when the session is long dead. is it always the same address and service ports? Ken Felix Hi Ken, yes, the destination port is always 80 and 443. Dst address is changing. Attached Image(s) #11
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/15 00:22:26 (permalink) 0 Dave Hall What is the type or size of the IP Pool? If I recall a long while back, a similar problem where the IP pool was alternating the source address at some point that it cause the source to no longer match any firewall policies. Hi Dave, Pool I have configured so that every internal range / 23 or / 24 is NATed on one public IP address - see screenshot. Attached Image(s) #12
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/15 05:03:15 (permalink) 0 Now I have found one interesting thing. Once the Device (Devide detection) or User (we have FSSO connection to AD) is defined in the Source, the connection will be successful. If only the IP address is in the log, I get message: Destination Interface unknown-0 - no session matched How is it possible that FGT equire a user or device when we do not have anything like that in Policy? edit 3 set name "SOFT->WAN" set uuid c24835b2-e50b-51e8-602f-d1b030e8b18b set srcintf "VLAN10" set dstintf "wan1" set srcaddr "172.22.64.0/24" set dstaddr "all" set internet-service disable set internet-service-src disable set rtp-nat disable set learning-mode disable set action accept set status enable set schedule "always" set schedule-timeout disable set service "ALL" set dscp-match disable set utm-status enable set logtraffic all set logtraffic-start disable set auto-asic-offload enable set permit-any-host disable set permit-stun-host disable set fixedport disable set ippool enable set poolname "NAT_SOFT" set session-ttl 0 set vlan-cos-fwd 255 set vlan-cos-rev 255 set wccp disable set fsso disable set disclaimer disable set natip 0.0.0.0 0.0.0.0 set diffserv-forward disable set diffserv-reverse disable set tcp-mss-sender 0 set tcp-mss-receiver 0 set comments '' set block-notification disable set replacemsg-override-group '' set srcaddr-negate disable set dstaddr-negate disable set service-negate disable set timeout-send-rst disable set captive-portal-exempt disable set ssl-mirror disable set scan-botnet-connections disable set dsri disable set radius-mac-auth-bypass disable set delay-tcp-npu-session disable unset vlan-filter set profile-type single set av-profile "default" set webfilter-profile "xxxxxxx" set dnsfilter-profile '' set spamfilter-profile '' set dlp-sensor '' set ips-sensor "protect_client" set application-list "xxxxxx" set voip-profile '' set icap-profile '' set waf-profile '' set ssh-filter-profile '' set profile-protocol-options "default" set ssl-ssh-profile "certificate-inspection" set traffic-shaper '' set traffic-shaper-reverse '' set per-ip-shaper '' set nat enable set match-vip disable next end edit 26 set name "UNIFI Guest->WAN" set uuid 671a3c32-e734-51e8-b9c2-43cbdf86ab1f set srcintf "VLAN777" set dstintf "wan1" set srcaddr "UNIFI Guest" set dstaddr "all" set internet-service disable set internet-service-src disable set rtp-nat disable set learning-mode disable set action accept set status enable set schedule "always" set schedule-timeout disable set service "ALL" set dscp-match disable set utm-status enable set logtraffic all set logtraffic-start disable set auto-asic-offload enable set permit-any-host disable set permit-stun-host disable set fixedport disable set ippool enable set poolname "NAT_UniFi_GUEST" set session-ttl 0 set vlan-cos-fwd 255 set vlan-cos-rev 255 set wccp disable set fsso disable set disclaimer disable set natip 0.0.0.0 0.0.0.0 set diffserv-forward disable set diffserv-reverse disable set tcp-mss-sender 0 set tcp-mss-receiver 0 set comments '' set block-notification disable set replacemsg-override-group '' set srcaddr-negate disable set dstaddr-negate disable set service-negate disable set timeout-send-rst disable set captive-portal-exempt disable set ssl-mirror disable set scan-botnet-connections disable set dsri disable set radius-mac-auth-bypass disable set delay-tcp-npu-session disable unset vlan-filter set profile-type single set av-profile '' set webfilter-profile "UniFiGuest" set dnsfilter-profile '' set spamfilter-profile '' set dlp-sensor '' set ips-sensor "protect_client" set application-list "UniFiGuest" set voip-profile '' set icap-profile '' set waf-profile '' set ssh-filter-profile '' set profile-protocol-options "default" set ssl-ssh-profile "certificate-inspection" set traffic-shaper '' set traffic-shaper-reverse '' set per-ip-shaper '' set nat enable set match-vip disable next end Jirka Attached Image(s) #13
emnoc Expert Member Total Posts : 5108 Scores: 318 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Destination Interface unknown-0 2018/11/15 05:30:47 (permalink) 0 User Device ID detection is typical enable at the interface level. What does you full interface configuration look like? Ken Felix PCNSE, NSE , Forcepoint , StrongSwan Specialist #14
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/15 06:32:50 (permalink) 0 emnoc User Device ID detection is typical enable at the interface level. What does you full interface configuration look like? Ken Felix Here it is: config system interface edit "VLAN777" set vdom "root" set vrf 0 set mode static set dhcp-relay-service disable set ip 10.9.8.1 255.255.254.0 set allowaccess ping set fail-detect disable set pptp-client disable set arpforward enable set broadcast-forward disable set bfd global set l2forward disable set icmp-send-redirect enable set icmp-accept-redirect enable set vlanforward disable set stpforward disable set ips-sniffer-mode disable set ident-accept disable set ipmac disable set subst disable set substitute-dst-mac 00:00:00:00:00:00 set status up set netbios-forward disable set wins-ip 0.0.0.0 set type vlan set netflow-sampler disable set sflow-sampler disable set scan-botnet-connections disable set src-check enable set sample-rate 2000 set polling-interval 20 set sample-direction both set explicit-web-proxy disable set explicit-ftp-proxy disable set proxy-captive-portal disable set tcp-mss 0 set inbandwidth 0 set outbandwidth 0 set egress-shaping-profile '' set spillover-threshold 0 set ingress-spillover-threshold 0 set weight 0 set external disable set description '' set alias "UniFi Guest" set security-mode none set device-identification enable set device-user-identification enable set device-identification-active-scan enable set device-access-list '' set fortiheartbeat disable set estimated-upstream-bandwidth 0 set estimated-downstream-bandwidth 0 set vrrp-virtual-mac disable set role lan set snmp-index 27 set secondary-IP disable set preserve-session-route disable set auto-auth-extension-device disable set ap-discover enable set color 0 config ipv6 set ip6-mode static set nd-mode basic set ip6-address ::/0 unset ip6-allowaccess set ip6-reachable-time 0 set ip6-retrans-time 0 set ip6-hop-limit 0 set dhcp6-prefix-delegation disable set dhcp6-information-request disable set vrrp-virtual-mac6 disable set vrip6_link_local :: set ip6-send-adv disable set autoconf disable set dhcp6-relay-service disable end set mtu-override disable set wccp disable set drop-overlapped-fragment disable set drop-fragment disable set interface "port1" set vlanid 777 next end config system interface edit "VLAN10" set vdom "root" set vrf 0 set mode static set dhcp-relay-service disable set ip 172.22.64.254 255.255.224.0 set allowaccess ping https set fail-detect disable set pptp-client disable set arpforward enable set broadcast-forward disable set bfd global set l2forward disable set icmp-send-redirect enable set icmp-accept-redirect enable set vlanforward disable set stpforward disable set ips-sniffer-mode disable set ident-accept disable set ipmac disable set subst disable set substitute-dst-mac 00:00:00:00:00:00 set status up set netbios-forward disable set wins-ip 0.0.0.0 set type vlan set netflow-sampler disable set sflow-sampler disable set scan-botnet-connections disable set src-check enable set sample-rate 2000 set polling-interval 20 set sample-direction both set explicit-web-proxy disable set explicit-ftp-proxy disable set proxy-captive-portal disable set tcp-mss 0 set inbandwidth 0 set outbandwidth 0 set egress-shaping-profile '' set spillover-threshold 0 set ingress-spillover-threshold 0 set weight 0 set external disable set description '' set alias "LAN Sigma" set security-mode none set device-identification enable set device-user-identification enable set device-identification-active-scan enable set device-access-list '' set fortiheartbeat enable set broadcast-forticlient-discovery disable set endpoint-compliance disable set estimated-upstream-bandwidth 0 set estimated-downstream-bandwidth 0 set vrrp-virtual-mac disable set role lan set snmp-index 25 set secondary-IP disable set preserve-session-route disable set auto-auth-extension-device disable set ap-discover enable set color 0 config ipv6 set ip6-mode static set nd-mode basic set ip6-address ::/0 unset ip6-allowaccess set ip6-reachable-time 0 set ip6-retrans-time 0 set ip6-hop-limit 0 set dhcp6-prefix-delegation disable set dhcp6-information-request disable set vrrp-virtual-mac6 disable set vrip6_link_local :: set ip6-send-adv disable set autoconf disable set dhcp6-relay-service disable end set mtu-override disable set wccp disable set drop-overlapped-fragment disable set drop-fragment disable set interface "port1" set vlanid 10 next end config system dhcp server edit 3 set status enable set lease-time 7200 set mac-acl-default-action assign set forticlient-on-net-status enable set dns-service specify set wifi-ac1 0.0.0.0 set wifi-ac2 0.0.0.0 set wifi-ac3 0.0.0.0 set ntp-service specify set domain '' set wins-server1 0.0.0.0 set wins-server2 0.0.0.0 set default-gateway 10.9.8.1 set next-server 0.0.0.0 set netmask 255.255.254.0 set interface "VLAN777" config ip-range edit 1 set start-ip 10.9.8.2 set end-ip 10.9.9.254 next end set timezone-option default set filename '' set server-type regular set conflicted-ip-timeout 1800 set auto-configuration enable set ddns-update disable set vci-match disable set dns-server1 8.8.8.8 set dns-server2 8.8.4.4 set dns-server3 0.0.0.0 set ntp-server1 0.0.0.0 set ntp-server2 0.0.0.0 set ntp-server3 0.0.0.0 next end #15
emnoc Expert Member Total Posts : 5108 Scores: 318 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Destination Interface unknown-0 2018/11/15 08:33:29 (permalink) 0 So look at these lines for the interface level configurations ? set device-identification enable set device-user-identification enable set device-identification-active-scan enable PCNSE, NSE , Forcepoint , StrongSwan Specialist #16
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/15 08:45:41 (permalink) 0 emnoc So look at these lines for the interface level configurations ? set device-identification enable set device-user-identification enable set device-identification-active-scan enable Yes I know. We have it allowed. But that does not mean that the device must be entered in the Policy. If I create a Policy where Source is only IP subnet and I do not specify a user or device - then must work it- regardless of whether or not I have identify device enable at the interface. Or am i wrong? This way we have all devices configured and no problem... #17
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/15 11:30:06 (permalink) 0 I tried to turn off Device Detection and Active Scaning on interfaces and reboot the box. The situation is still the same. I tried to delete all the policies and create again - no change. Tomorrow I will try factory reset and setup from the beginning. #18
tanr Platinum Member Total Posts : 641 Scores: 19 Reward points: 0 Joined: 2016/05/09 17:09:43 Status: offline Re: Destination Interface unknown-0 2018/11/15 11:41:40 (permalink) 0 You said you only have a single WAN IP, correct? Then what is the IP Pool being used for? Am I missing something? #19
Jirka Silver Member Total Posts : 103 Scores: 0 Reward points: 0 Joined: 2014/07/09 11:34:53 Location: Czech Republic Status: offline Re: Destination Interface unknown-0 2018/11/15 13:08:33 (permalink) 0 tanr You said you only have a single WAN IP, correct? Then what is the IP Pool being used for? Am I missing something? Hey tanr, yes, there is only one IP address on the WAN interface - 62.209.xxx.128/26. The rest of this range /26 is used for that pool - each C of the local range is NATated to one public IP address. Jirka #20

Jump to:

Hot!Destination Interface unknown-0

Attached Image(s)

19 Replies Related Threads

Attached Image(s)

Attached Image(s)

Attached Image(s)

Attached Image(s)

Attached Image(s)