Destination Interface unknown-0

Author
Jirka
2018/11/13 10:23:12

Hello experts,


Today we deployed a FGT200E to part of the network. We terminated two parts of the network, vlan666 and vlan777; both networks are WiFi and both have DHCP on the FGT. DNS is Google DNS.
Everything works OK, but in the log we very often see the message: Deny - policy violation, dst iface unknown-0, although it is legitimate traffic to be routed to the internet.
No BGP or OSPF is used; NAT is performed with an IP pool on a public IP address.
 
config firewall policy
    edit 26
        set name "UINIFI Guest->WAN"
        set uuid 671a3c32-e734-51e8-b9c2-43cbdf86ab1f
        set srcintf "VLAN777"
        set dstintf "wan1"
        set srcaddr "UNIFI Guest"
        set dstaddr "all"
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        set dscp-match disable
        set utm-status enable
        set logtraffic all
        set logtraffic-start disable
        set auto-asic-offload enable
        set permit-any-host disable
        set permit-stun-host disable
        set fixedport disable
        set ippool enable
        set poolname "NAT_UniFi_GUEST"
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-type single
        set av-profile ''
        set webfilter-profile "UniFiGuest"
        set dnsfilter-profile ''
        set spamfilter-profile ''
        set dlp-sensor ''
        set ips-sensor ''
        set application-list "UniFiGuest"
        set voip-profile ''
        set icap-profile ''
        set waf-profile ''
        set ssh-filter-profile ''
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat enable
        set match-vip disable
    next
end

 
# diag debug reset
# diag debug enable
# diag debug flow filter dport 80
# diag debug flow filter saddr 10.9.8.118
# diag debug flow trace start 100

FG200E-xxx # id=20085 trace_id=1 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=1 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=2 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=2 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=3 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=3 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=4 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=4 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=5 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=5 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=6 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=6 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=6 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=7 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=7 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=8 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=8 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=9 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=9 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=10 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=10 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=11 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=11 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=12 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=12 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=12 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=13 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [S], seq 3290449723, ack 0, win 65535"
id=20085 trace_id=13 func=init_ip_session_common line=5544 msg="allocate a new session-0002041f"
id=20085 trace_id=13 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=13 func=fw_forward_handler line=751 msg="Allowed by Policy-26: AV SNAT"
id=20085 trace_id=13 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=13 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=14 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369"
id=20085 trace_id=14 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=14 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN777 to wan1, skb.npu_flag=00000000 ses.state=18052306 ses.npu_state=0x00001008"
id=20085 trace_id=14 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=14 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=15 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [S], seq 261364636, ack 0, win 14600"
id=20085 trace_id=15 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=15 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=16 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369"
id=20085 trace_id=16 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=16 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN777 to wan1, skb.npu_flag=00000000 ses.state=18052306 ses.npu_state=0x00001008"
id=20085 trace_id=16 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=16 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=17 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364637, ack 1997784959, win 3650"
id=20085 trace_id=17 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=17 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=18 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364637, ack 1997784959, win 3650"
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=18 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=19 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364838, ack 1997785115, win 3918"
id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=19 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=20 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449925, ack 3398102765, win 1369"
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=20 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=20 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=21 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=21 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=22 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=22 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=22 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=23 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=23 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=23 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=24 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=24 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=24 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=25 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=25 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=25 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=26 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=26 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=26 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=27 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=27 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=27 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=28 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=28 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=28 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=29 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=29 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=29 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=30 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=30 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=30 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=31 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=31 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=31 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=32 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=32 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=32 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=33 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=33 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=33 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=34 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=34 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=34 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=35 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=35 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=35 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=36 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=36 func=fw_forward_dirty_handler line=335 msg="no session matched"

 
I have read a few similar posts, but there is no definitive solution.
Does anyone have any idea what else to check? In my opinion, this is a standard setup that always works.
FortiOS 6.0.3
Thank you, Jirka
 
post edited by Jirka - 2018/11/13 11:34:43

#1


    Jirka
    Re: Destination Interface unknown-0 2018/11/13 10:31:06
    another one
    post edited by Jirka - 2018/11/13 10:35:33

    #2
    Dave Hall
    Re: Destination Interface unknown-0 2018/11/13 12:02:51
    What do you have assigned to srcaddr "UNIFI Guest"?

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.2/5.4 (FWF40C/FW92D/FGT200B/FGT200D/FGT101E)/ FAP220B/221C
    #3
    Jirka
    Re: Destination Interface unknown-0 2018/11/13 12:06:48
    Dave Hall
    What do you have assigned to srcaddr "UNIFI Guest"?

    Hi Dave,
     
    config firewall address
    edit "UNIFI Guest"
    set uuid 08613f64-e50f-51e8-62a8-6971ca472c8f
    set color 10
    set subnet 10.9.8.0 255.255.254.0
    next
    end
    #4
    Jirka
    Re: Destination Interface unknown-0 2018/11/14 12:00:50
    OK, I got information from TAC that the problem might be in the tcp-halfclose-timer.
    https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36429&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=53784685&stateId=1%200%2053786674
    The default value is 120 seconds, so I tried to increase it globally to 300 seconds. No change.
    What's strange is that the FGT81E in the same network with the same configuration (vlan, dhcp) behaves perfectly.

    Jirka
    #5
    emnoc
    Re: Destination Interface unknown-0 2018/11/14 12:42:46
    Could it be asymmetrical routing issues?
    Ken Felix
     

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #6
    Jirka
    Re: Destination Interface unknown-0 2018/11/14 12:54:07
    Hi Ken, 

    There is no reason for asymmetric routing. The box has only one WAN line, static routing (one default route), and IP addresses are allocated statically, directly linked to our core box (ASR1001). There is no reason for such behavior. Only connections to HTTP and HTTPS are affected. Other services are normal.
     
    Jirka
     

    #7
    Dave Hall
    Re: Destination Interface unknown-0 2018/11/14 13:22:07
    What is the type or size of the IP Pool?
     
    If I recall, a long while back there was a similar problem where the IP pool was alternating the source address at some point, so that the source no longer matched any firewall policies.

    NSE4/FMG-VM64/FortiAnalyzer-VM/5.2/5.4 (FWF40C/FW92D/FGT200B/FGT200D/FGT101E)/ FAP220B/221C
    #8
    darwin_FTNT
    Re: Destination Interface unknown-0 2018/11/14 18:45:29
    It could be due to an asymmetric route, an expired session, or the FortiGate just received a single TCP packet with only the FIN flag (the SYN packet and the rest are missing).
    Take note of the trace_id; it is incremented once per packet received by the kernel from the network card driver or local processes.
    The trace_id is used to track the individual packet in 'diag debug flow' as it is processed by the kernel netfilter chain / TCP stack.
    Thus diag debug flow is useful to check if the packet is received by the FortiGate hardware ports in the first place (aside from diag sniffer packet) before it is sent to other UTM daemons (not familiar with the NPU offload code path). If there are no TCP SYN/ACK packets, the session will not be created.
    The following consecutive packets came from a single IP with incremental source ports to the same destination webserver.
    Since the session is null, the packet is logged and then just dropped by the firewall.
    You can enable 'config system setting asymroute' (default is disabled).
    You can also send a TCP reset to clients sending sessionless packets: 'config system global reset-sessionless-tcp' (default is disabled).
    You can try the following log setting to disable:
    config log setting --> log-invalid-packet --> disable.
     
    post edited by darwin_FTNT - 2018/11/14 18:47:27
    #9
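A parser for the trace format shown in the first post, following darwin_FTNT's point that each trace_id is one packet and that a TCP packet without a SYN can never create a session. This is an added example, not code from the thread or from Fortinet; SAMPLE_TRACE is constructed in the thread's line format (the gateway address in it is made up).

```python
"""Group FortiGate 'diag debug flow' trace lines by trace_id and pick out the
sessionless TCP packets (a lone FIN/ACK or bare ACK that matches no session).

Added example, not code from the thread. SAMPLE_TRACE is constructed in the
format the thread shows; the gateway IP 62.209.0.1 is made up."""
import re
from collections import OrderedDict

SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.0.1 via wan1"
id=20085 trace_id=1 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=2 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [S], seq 3290449723, ack 0, win 65535"
id=20085 trace_id=2 func=init_ip_session_common line=5544 msg="allocate a new session-0002041f"
id=20085 trace_id=2 func=fw_forward_handler line=751 msg="Allowed by Policy-26: AV SNAT"
id=20085 trace_id=3 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=3 func=fw_forward_dirty_handler line=335 msg="no session matched"
"""

# One debug-flow line: trace_id, the kernel function that emitted it, and msg.
LINE_RE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"$')
# The packet header summary printed by print_pkt_detail.
PKT_RE = re.compile(
    r'received a packet\(proto=(\d+), (\S+):(\d+)->(\S+):(\d+)\) from (\S+)\. '
    r'flag \[([^\]]*)\]'
)


def parse_trace(text):
    """Return OrderedDict trace_id -> record. Each trace_id is one packet, so
    all lines sharing it describe how the kernel handled that packet."""
    packets = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt echoes, blank lines, etc.
        tid, func, msg = int(m.group(1)), m.group(2), m.group(3)
        rec = packets.setdefault(tid, {"funcs": [], "verdict": None})
        rec["funcs"].append(func)
        pm = PKT_RE.search(msg)
        if pm:
            rec.update(proto=int(pm.group(1)), src=pm.group(2),
                       sport=int(pm.group(3)), dst=pm.group(4),
                       dport=int(pm.group(5)), iface=pm.group(6),
                       flags=pm.group(7))
        if msg == "no session matched":
            rec["verdict"] = "sessionless-drop"
        elif msg.startswith("Allowed by Policy-"):
            rec["verdict"] = "allowed:" + msg.split()[2].rstrip(":")
    return packets


def sessionless_packets(packets):
    """Packets that hit fw_forward_dirty_handler with no session. For TCP
    (proto 6) also report whether a SYN was present: a FIN/ACK or bare ACK
    can never create a session, so the packet is dropped and logged with
    dst iface unknown-0 instead of being matched against a policy."""
    out = []
    for tid, rec in packets.items():
        if rec["verdict"] != "sessionless-drop":
            continue
        flags = rec.get("flags", "")
        out.append({
            "trace_id": tid,
            "src": rec.get("src"), "sport": rec.get("sport"),
            "dst": rec.get("dst"), "dport": rec.get("dport"),
            "flags": flags,
            "had_syn": rec.get("proto") == 6 and "S" in flags,
        })
    return out


def summarize_sessionless(packets):
    """Count sessionless drops per (src, dst, dport). Many drops from one
    client to one web server with climbing source ports is the pattern in
    the thread: stale FIN/ACKs for sessions the firewall already expired."""
    counts = {}
    for p in sessionless_packets(packets):
        key = (p["src"], p["dst"], p["dport"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    pk = parse_trace(SAMPLE_TRACE)
    for p in sessionless_packets(pk):
        print("trace_id=%d %s:%d -> %s:%d flags=[%s] had_syn=%s" % (
            p["trace_id"], p["src"], p["sport"], p["dst"], p["dport"],
            p["flags"], p["had_syn"]))
    print(summarize_sessionless(pk))
```

Feed it the saved output of `diag debug flow trace start` to see at a glance which trace_ids were dropped sessionless and whether any of them ever carried a SYN.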
    emnoc
    Re: Destination Interface unknown-0 2018/11/14 19:27:35
    Yes, I agree, and I see various applications kick out additional TCP packets when the session is long dead. Is it always the same address and service ports?
     
    Ken Felix

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #10
    Jirka
    Re: Destination Interface unknown-0 2018/11/14 23:59:53
    emnoc
    Yes, I agree, and I see various applications kick out additional TCP packets when the session is long dead. Is it always the same address and service ports?
     
    Ken Felix



    Hi Ken,
    Yes, the destination port is always 80 or 443. The dst address is changing.
     

    #11
    Jirka
    Re: Destination Interface unknown-0 2018/11/15 00:22:26
    Dave Hall
    What is the type or size of the IP Pool?
     
    If I recall, a long while back there was a similar problem where the IP pool was alternating the source address at some point, so that the source no longer matched any firewall policies.


     
    Hi Dave,
    I have configured the pool so that every internal /23 or /24 range is NATed to one public IP address - see screenshot.
     

    #12
    Jirka
    Re: Destination Interface unknown-0 2018/11/15 05:03:15
    Now I have found one interesting thing.
    Once the Device (device detection) or User (we have an FSSO connection to AD) is defined in the Source, the connection is successful. If only the IP address is in the log, I get the message: Destination Interface unknown-0 - no session matched.
    How is it possible that the FGT requires a user or device when we do not have anything like that in the policy?
     
     
        edit 3
            set name "SOFT->WAN"
            set uuid c24835b2-e50b-51e8-602f-d1b030e8b18b
            set srcintf "VLAN10"
            set dstintf "wan1"
            set srcaddr "172.22.64.0/24"
            set dstaddr "all"
            set internet-service disable
            set internet-service-src disable
            set rtp-nat disable
            set learning-mode disable
            set action accept
            set status enable
            set schedule "always"
            set schedule-timeout disable
            set service "ALL"
            set dscp-match disable
            set utm-status enable
            set logtraffic all
            set logtraffic-start disable
            set auto-asic-offload enable
            set permit-any-host disable
            set permit-stun-host disable
            set fixedport disable
            set ippool enable
            set poolname "NAT_SOFT"
            set session-ttl 0
            set vlan-cos-fwd 255
            set vlan-cos-rev 255
            set wccp disable
            set fsso disable
            set disclaimer disable
            set natip 0.0.0.0 0.0.0.0
            set diffserv-forward disable
            set diffserv-reverse disable
            set tcp-mss-sender 0
            set tcp-mss-receiver 0
            set comments ''
            set block-notification disable
            set replacemsg-override-group ''
            set srcaddr-negate disable
            set dstaddr-negate disable
            set service-negate disable
            set timeout-send-rst disable
            set captive-portal-exempt disable
            set ssl-mirror disable
            set scan-botnet-connections disable
            set dsri disable
            set radius-mac-auth-bypass disable
            set delay-tcp-npu-session disable
            unset vlan-filter
            set profile-type single
            set av-profile "default"
            set webfilter-profile "xxxxxxx"
            set dnsfilter-profile ''
            set spamfilter-profile ''
            set dlp-sensor ''
            set ips-sensor "protect_client"
            set application-list "xxxxxx"
            set voip-profile ''
            set icap-profile ''
            set waf-profile ''
            set ssh-filter-profile ''
            set profile-protocol-options "default"
            set ssl-ssh-profile "certificate-inspection"
            set traffic-shaper ''
            set traffic-shaper-reverse ''
            set per-ip-shaper ''
            set nat enable
            set match-vip disable
        next
    end

     
    edit 26
            set name "UNIFI Guest->WAN"
            set uuid 671a3c32-e734-51e8-b9c2-43cbdf86ab1f
            set srcintf "VLAN777"
            set dstintf "wan1"
            set srcaddr "UNIFI Guest"
            set dstaddr "all"
            set internet-service disable
            set internet-service-src disable
            set rtp-nat disable
            set learning-mode disable
            set action accept
            set status enable
            set schedule "always"
            set schedule-timeout disable
            set service "ALL"
            set dscp-match disable
            set utm-status enable
            set logtraffic all
            set logtraffic-start disable
            set auto-asic-offload enable
            set permit-any-host disable
            set permit-stun-host disable
            set fixedport disable
            set ippool enable
            set poolname "NAT_UniFi_GUEST"
            set session-ttl 0
            set vlan-cos-fwd 255
            set vlan-cos-rev 255
            set wccp disable
            set fsso disable
            set disclaimer disable
            set natip 0.0.0.0 0.0.0.0
            set diffserv-forward disable
            set diffserv-reverse disable
            set tcp-mss-sender 0
            set tcp-mss-receiver 0
            set comments ''
            set block-notification disable
            set replacemsg-override-group ''
            set srcaddr-negate disable
            set dstaddr-negate disable
            set service-negate disable
            set timeout-send-rst disable
            set captive-portal-exempt disable
            set ssl-mirror disable
            set scan-botnet-connections disable
            set dsri disable
            set radius-mac-auth-bypass disable
            set delay-tcp-npu-session disable
            unset vlan-filter
            set profile-type single
            set av-profile ''
            set webfilter-profile "UniFiGuest"
            set dnsfilter-profile ''
            set spamfilter-profile ''
            set dlp-sensor ''
            set ips-sensor "protect_client"
            set application-list "UniFiGuest"
            set voip-profile ''
            set icap-profile ''
            set waf-profile ''
            set ssh-filter-profile ''
            set profile-protocol-options "default"
            set ssl-ssh-profile "certificate-inspection"
            set traffic-shaper ''
            set traffic-shaper-reverse ''
            set per-ip-shaper ''
            set nat enable
            set match-vip disable
        next
    end

     
    Jirka
     

    #13
    emnoc
    Re: Destination Interface unknown-0 2018/11/15 05:30:47 (permalink)
    0
    User Device ID detection is typically enabled at the interface level. What does your full interface configuration look like?
     
    Ken Felix

    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #14
    Jirka
    Silver Member
    • Total Posts : 93
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/07/09 11:34:53
    • Location: Czech Republic
    • Status: offline
    Re: Destination Interface unknown-0 2018/11/15 06:32:50 (permalink)
    0
    emnoc
    User Device ID detection is typically enabled at the interface level. What does your full interface configuration look like?
     
    Ken Felix


    Here it is:

    config system interface
        edit "VLAN777"
            set vdom "root"
            set vrf 0
            set mode static
            set dhcp-relay-service disable
            set ip 10.9.8.1 255.255.254.0
            set allowaccess ping
            set fail-detect disable
            set pptp-client disable
            set arpforward enable
            set broadcast-forward disable
            set bfd global
            set l2forward disable
            set icmp-send-redirect enable
            set icmp-accept-redirect enable
            set vlanforward disable
            set stpforward disable
            set ips-sniffer-mode disable
            set ident-accept disable
            set ipmac disable
            set subst disable
            set substitute-dst-mac 00:00:00:00:00:00
            set status up
            set netbios-forward disable
            set wins-ip 0.0.0.0
            set type vlan
            set netflow-sampler disable
            set sflow-sampler disable
            set scan-botnet-connections disable
            set src-check enable
            set sample-rate 2000
            set polling-interval 20
            set sample-direction both
            set explicit-web-proxy disable
            set explicit-ftp-proxy disable
            set proxy-captive-portal disable
            set tcp-mss 0
            set inbandwidth 0
            set outbandwidth 0
            set egress-shaping-profile ''
            set spillover-threshold 0
            set ingress-spillover-threshold 0
            set weight 0
            set external disable
            set description ''
            set alias "UniFi Guest"
            set security-mode none
            set device-identification enable
            set device-user-identification enable
            set device-identification-active-scan enable
            set device-access-list ''
            set fortiheartbeat disable
            set estimated-upstream-bandwidth 0
            set estimated-downstream-bandwidth 0
            set vrrp-virtual-mac disable
            set role lan
            set snmp-index 27
            set secondary-IP disable
            set preserve-session-route disable
            set auto-auth-extension-device disable
            set ap-discover enable
            set color 0
            config ipv6
                set ip6-mode static
                set nd-mode basic
                set ip6-address ::/0
                unset ip6-allowaccess
                set ip6-reachable-time 0
                set ip6-retrans-time 0
                set ip6-hop-limit 0
                set dhcp6-prefix-delegation disable
                set dhcp6-information-request disable
                set vrrp-virtual-mac6 disable
                set vrip6_link_local ::
                set ip6-send-adv disable
                set autoconf disable
                set dhcp6-relay-service disable
            end
            set mtu-override disable
            set wccp disable
            set drop-overlapped-fragment disable
            set drop-fragment disable
            set interface "port1"
            set vlanid 777
        next
    end

     

    config system interface
        edit "VLAN10"
            set vdom "root"
            set vrf 0
            set mode static
            set dhcp-relay-service disable
            set ip 172.22.64.254 255.255.224.0
            set allowaccess ping https
            set fail-detect disable
            set pptp-client disable
            set arpforward enable
            set broadcast-forward disable
            set bfd global
            set l2forward disable
            set icmp-send-redirect enable
            set icmp-accept-redirect enable
            set vlanforward disable
            set stpforward disable
            set ips-sniffer-mode disable
            set ident-accept disable
            set ipmac disable
            set subst disable
            set substitute-dst-mac 00:00:00:00:00:00
            set status up
            set netbios-forward disable
            set wins-ip 0.0.0.0
            set type vlan
            set netflow-sampler disable
            set sflow-sampler disable
            set scan-botnet-connections disable
            set src-check enable
            set sample-rate 2000
            set polling-interval 20
            set sample-direction both
            set explicit-web-proxy disable
            set explicit-ftp-proxy disable
            set proxy-captive-portal disable
            set tcp-mss 0
            set inbandwidth 0
            set outbandwidth 0
            set egress-shaping-profile ''
            set spillover-threshold 0
            set ingress-spillover-threshold 0
            set weight 0
            set external disable
            set description ''
            set alias "LAN Sigma"
            set security-mode none
            set device-identification enable
            set device-user-identification enable
            set device-identification-active-scan enable
            set device-access-list ''
            set fortiheartbeat enable
            set broadcast-forticlient-discovery disable
            set endpoint-compliance disable
            set estimated-upstream-bandwidth 0
            set estimated-downstream-bandwidth 0
            set vrrp-virtual-mac disable
            set role lan
            set snmp-index 25
            set secondary-IP disable
            set preserve-session-route disable
            set auto-auth-extension-device disable
            set ap-discover enable
            set color 0
            config ipv6
                set ip6-mode static
                set nd-mode basic
                set ip6-address ::/0
                unset ip6-allowaccess
                set ip6-reachable-time 0
                set ip6-retrans-time 0
                set ip6-hop-limit 0
                set dhcp6-prefix-delegation disable
                set dhcp6-information-request disable
                set vrrp-virtual-mac6 disable
                set vrip6_link_local ::
                set ip6-send-adv disable
                set autoconf disable
                set dhcp6-relay-service disable
            end
            set mtu-override disable
            set wccp disable
            set drop-overlapped-fragment disable
            set drop-fragment disable
            set interface "port1"
            set vlanid 10
        next
    end

     
    config system dhcp server
        edit 3
            set status enable
            set lease-time 7200
            set mac-acl-default-action assign
            set forticlient-on-net-status enable
            set dns-service specify
            set wifi-ac1 0.0.0.0
            set wifi-ac2 0.0.0.0
            set wifi-ac3 0.0.0.0
            set ntp-service specify
            set domain ''
            set wins-server1 0.0.0.0
            set wins-server2 0.0.0.0
            set default-gateway 10.9.8.1
            set next-server 0.0.0.0
            set netmask 255.255.254.0
            set interface "VLAN777"
            config ip-range
                edit 1
                    set start-ip 10.9.8.2
                    set end-ip 10.9.9.254
                next
            end
            set timezone-option default
            set filename ''
            set server-type regular
            set conflicted-ip-timeout 1800
            set auto-configuration enable
            set ddns-update disable
            set vci-match disable
            set dns-server1 8.8.8.8
            set dns-server2 8.8.4.4
            set dns-server3 0.0.0.0
            set ntp-server1 0.0.0.0
            set ntp-server2 0.0.0.0
            set ntp-server3 0.0.0.0
        next
    end
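
    As an editorial addition to the configuration dumps above (this is not code from the thread or from Fortinet): a small Python parser for FortiOS CLI text makes questions like emnoc's, which interfaces have device detection enabled, and checks such as whether a DHCP scope fits its interface subnet mechanical instead of eyeballed. The sample configuration below is a trimmed, constructed copy of the interface and DHCP blocks posted above; the function names are my own.

```python
"""Parse FortiOS CLI config text into nested dicts and sanity-check it."""
import ipaddress
import shlex

# Constructed sample: a trimmed version of the interface and DHCP blocks
# posted in this thread, not the full configuration.
SAMPLE_CONFIG = """
config system interface
    edit "VLAN777"
        set ip 10.9.8.1 255.255.254.0
        set allowaccess ping
        set alias "UniFi Guest"
        set device-identification enable
        set device-user-identification enable
        set device-identification-active-scan enable
        config ipv6
            set ip6-mode static
            unset ip6-allowaccess
        end
        set interface "port1"
        set vlanid 777
    next
    edit "VLAN10"
        set ip 172.22.64.254 255.255.224.0
        set allowaccess ping https
        set device-identification disable
        set interface "port1"
        set vlanid 10
    next
end
config system dhcp server
    edit 3
        set default-gateway 10.9.8.1
        set interface "VLAN777"
        config ip-range
            edit 1
                set start-ip 10.9.8.2
                set end-ip 10.9.9.254
            next
        end
    next
end
"""

DEVICE_KEYS = ("device-identification", "device-user-identification",
               "device-identification-active-scan")


def parse_fortios(text):
    """Return nested dicts: section -> entry -> key -> list of values.

    'set k v1 v2' stores ['v1', 'v2']; 'unset k' stores None; a nested
    'config' block becomes a dict under its own name inside the entry."""
    root = {}
    frames = [root]                      # dict currently receiving 'set' lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, *args = shlex.split(line)   # handles "quoted names" and ''
        if cmd == "config":
            frames.append(frames[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            frames.append(frames[-1].setdefault(args[0], {}))
        elif cmd == "set":
            frames[-1][args[0]] = args[1:]
        elif cmd == "unset":
            frames[-1][args[0]] = None
        elif cmd in ("next", "end"):
            frames.pop()
        else:
            raise ValueError("unexpected line: " + line)
    if len(frames) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def interface_network(iface):
    """IPv4 network of an interface entry, from its 'set ip <addr> <mask>'."""
    return ipaddress.ip_interface("/".join(iface["ip"])).network


def device_detection_report(config):
    """Which of the device-detection flags are enabled on each interface."""
    return {name: [k for k in DEVICE_KEYS if iface.get(k) == ["enable"]]
            for name, iface in config.get("system interface", {}).items()}


def dhcp_ranges_consistent(config):
    """True per DHCP server if its gateway and every ip-range lie inside the
    subnet configured on the interface that serves them."""
    ifaces = config.get("system interface", {})
    result = {}
    for sid, srv in config.get("system dhcp server", {}).items():
        net = interface_network(ifaces[srv["interface"][0]])
        inside = ipaddress.ip_address(srv["default-gateway"][0]) in net
        for rng in srv.get("ip-range", {}).values():
            for key in ("start-ip", "end-ip"):
                inside = inside and ipaddress.ip_address(rng[key][0]) in net
        result[sid] = inside
    return result
```

    `parse_fortios(SAMPLE_CONFIG)` yields nested dicts keyed by section and entry name. `device_detection_report` lists the three device-* flags that are enabled per interface (all three on VLAN777 in the sample), and `dhcp_ranges_consistent` confirms that the VLAN777 scope (10.9.8.2 to 10.9.9.254, gateway 10.9.8.1) sits inside 10.9.8.0/23. The parser assumes well-formed CLI output and raises on unbalanced blocks rather than silently misattributing settings.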

    #15
    emnoc
    Expert Member
    • Total Posts : 5082
    • Scores: 311
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Destination Interface unknown-0 2018/11/15 08:33:29 (permalink)
    0
    So look at these lines for the interface-level configurations?
     
            set device-identification enable
            set device-user-identification enable
            set device-identification-active-scan enable


    PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
    #16
    Jirka
    Silver Member
    • Total Posts : 93
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/07/09 11:34:53
    • Location: Czech Republic
    • Status: offline
    Re: Destination Interface unknown-0 2018/11/15 08:45:41 (permalink)
    0
    emnoc
    So look at these lines for the interface-level configurations?
     
            set device-identification enable
            set device-user-identification enable
            set device-identification-active-scan enable

    Yes, I know. We have it enabled. But that does not mean that the device must be entered in the policy.
    If I create a policy where the source is only an IP subnet and I do not specify a user or device, then it must work regardless of whether or not I have device identification enabled on the interface. Or am I wrong? This is how we have all devices configured, with no problem...
    #17
    Jirka
    Silver Member
    • Total Posts : 93
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/07/09 11:34:53
    • Location: Czech Republic
    • Status: offline
    Re: Destination Interface unknown-0 2018/11/15 11:30:06 (permalink)
    0
    I tried to turn off Device Detection and Active Scanning on the interfaces and reboot the box. The situation is still the same. I tried to delete all the policies and create them again: no change.
    Tomorrow I will try a factory reset and set it up from the beginning.
    #18
    tanr
    Platinum Member
    • Total Posts : 639
    • Scores: 21
    • Reward points: 0
    • Joined: 2016/05/09 17:09:43
    • Status: offline
    Re: Destination Interface unknown-0 2018/11/15 11:41:40 (permalink)
    0
    You said you only have a single WAN IP, correct?  Then what is the IP Pool being used for?  Am I missing something?
    #19
    Jirka
    Silver Member
    • Total Posts : 93
    • Scores: 0
    • Reward points: 0
    • Joined: 2014/07/09 11:34:53
    • Location: Czech Republic
    • Status: offline
    Re: Destination Interface unknown-0 2018/11/15 13:08:33 (permalink)
    0
    tanr
    You said you only have a single WAN IP, correct?  Then what is the IP Pool being used for?  Am I missing something?


     
    Hey tanr,
    Yes, there is only one IP address on the WAN interface: 62.209.xxx.128/26.
    The rest of this /26 range is used for that pool; each class C of the local range is NATed to one public IP address.
     
    Jirka
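
    To make the "Deny: policy violation, dst iface unknown-0" messages the thread is about easier to triage, here is an added Python example (not code from the thread or from Fortinet) that parses FortiGate-style key=value traffic-log lines and summarizes the denies whose destination interface was logged as unknown-0. The log lines are constructed for the example; the field names (srcintf, dstintf, action, policyid, msg) follow the general FortiGate traffic-log format, and a real line from a given firmware version may carry more or differently ordered fields. Policy id 26 and the interface subnets are taken from the configuration posted above.

```python
"""Triage FortiGate traffic-log lines for denies logged with dstintf unknown-0."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in the general FortiGate key=value format.
# They are not copied from the thread. The accept line uses policy id 26
# from the posted configuration; policy id 0 is FortiGate's implicit deny.
LOG_LINES = [
    'date=2018-11-15 time=10:01:02 type="traffic" subtype="forward" vd="root" '
    'srcip=10.9.8.25 srcport=51234 srcintf="VLAN777" dstip=8.8.8.8 dstport=53 '
    'dstintf="unknown-0" proto=17 service="DNS" action="deny" policyid=0 '
    'msg="Deny: policy violation"',
    'date=2018-11-15 time=10:01:03 type="traffic" subtype="forward" vd="root" '
    'srcip=10.9.9.40 srcport=44000 srcintf="VLAN777" dstip=203.0.113.10 dstport=443 '
    'dstintf="unknown-0" proto=6 service="HTTPS" action="deny" policyid=0 '
    'msg="Deny: policy violation"',
    'date=2018-11-15 time=10:01:04 type="traffic" subtype="forward" vd="root" '
    'srcip=10.9.8.25 srcport=51235 srcintf="VLAN777" dstip=203.0.113.10 dstport=443 '
    'dstintf="wan1" proto=6 service="HTTPS" action="accept" policyid=26',
    'date=2018-11-15 time=10:01:05 type="traffic" subtype="forward" vd="root" '
    'srcip=192.168.50.5 srcport=40001 srcintf="VLAN777" dstip=8.8.4.4 dstport=53 '
    'dstintf="unknown-0" proto=17 service="DNS" action="deny" policyid=0 '
    'msg="Deny: policy violation"',
]

# Interface subnets from the 'config system interface' output in the thread.
INTERFACE_SUBNETS = {
    "VLAN777": ipaddress.ip_network("10.9.8.0/23"),
    "VLAN10": ipaddress.ip_network("172.22.64.0/19"),
}

# key=value pairs; values are either "quoted, may contain spaces" or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Split one key=value log line into a dict; quoted values lose the quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def unknown_dst_denies(lines):
    """Records denied while the destination interface was still unresolved."""
    out = []
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("action") == "deny" and rec.get("dstintf") == "unknown-0":
            out.append(rec)
    return out


def summarize(lines):
    """Count the unknown-0 denies by (srcintf, policyid, proto, dstport)."""
    counts = Counter()
    for rec in unknown_dst_denies(lines):
        counts[(rec.get("srcintf"), rec.get("policyid"),
                rec.get("proto"), rec.get("dstport"))] += 1
    return counts


def sources_outside_subnet(lines, subnets=INTERFACE_SUBNETS):
    """Denied sources whose address is not in the subnet configured on the
    interface they arrived on. Those are not the guest clients the policy was
    written for and deserve a separate look (misconfigured client, spoofing,
    or a stray network behind the VLAN)."""
    odd = []
    for rec in unknown_dst_denies(lines):
        net = subnets.get(rec.get("srcintf"))
        if net is None:
            continue
        if ipaddress.ip_address(rec["srcip"]) not in net:
            odd.append((rec["srcintf"], rec["srcip"]))
    return odd
```

    Grouping by source interface, policy id, protocol and destination port shows at a glance whether the denies line up with a flow that an accept policy should have matched (in the sample they all land on policy 0, the implicit deny, for ordinary DNS and HTTPS from the guest VLAN). `sources_outside_subnet` separates clients whose address is not in the interface's configured subnet, which the VLAN777 to wan1 policy would not match if its source address object covers only the guest subnet; those entries are a configuration or spoofing question rather than the routing question the rest of the thread is chasing.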