server loadbalancer errors - iprope_in_check() check failed on policy 0, drop

Author
aneagoe
2019/10/15 09:24:45


Hello everyone,
 
I'm trying to configure a server load balancer but without NAT. To put it simply, the FortiGate should load-balance requests against a VIP to real servers, but using an IP address from the same subnet. I've created the following VIP entry, intended as a k8s master load balancer:
 
config firewall vip
    edit "master-kp-api"
        set uuid 7d6dc7e8-ef61-51e9-2307-552476886ad3
        set type server-load-balance
        set extip 10.10.0.4
        set extintf "any"
        set server-type tcp
        set gratuitous-arp-interval 5
        set monitor "master-kp-api"
        set ldb-method least-session
        set extport 8443
        config realservers
            edit 1
                set ip 10.10.0.81
                set port 8443
            next
            edit 2
                set ip 10.10.0.82
                set port 8443
            next
            edit 3
                set ip 10.10.0.83
                set port 8443
            next
        end
    next
end

 
However, I'm getting the following errors when trying to reach the VIP:
2019-10-15 09:09:12 id=20085 trace_id=123 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50134->10.10.0.4:8443) from lan. flag [S], seq 2756646312, ack 0, win 26880"
2019-10-15 09:09:12 id=20085 trace_id=123 func=init_ip_session_common line=5530 msg="allocate a new session-0391c273"
2019-10-15 09:09:12 id=20085 trace_id=123 func=vf_ip_route_input_common line=2590 msg="find a route: flag=80000000 gw-10.10.0.4 via root"
2019-10-15 09:09:12 id=20085 trace_id=123 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
2019-10-15 09:09:13 id=20085 trace_id=124 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50134->10.10.0.4:8443) from lan. flag [S], seq 2756646312, ack 0, win 26880"
2019-10-15 09:09:13 id=20085 trace_id=124 func=init_ip_session_common line=5530 msg="allocate a new session-0391c288"
2019-10-15 09:09:13 id=20085 trace_id=124 func=vf_ip_route_input_common line=2590 msg="find a route: flag=80000000 gw-10.10.0.4 via root"
2019-10-15 09:09:13 id=20085 trace_id=124 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
2019-10-15 09:09:15 id=20085 trace_id=125 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50134->10.10.0.4:8443) from lan. flag [S], seq 2756646312, ack 0, win 26880"
2019-10-15 09:09:15 id=20085 trace_id=125 func=init_ip_session_common line=5530 msg="allocate a new session-0391c2a6"
2019-10-15 09:09:15 id=20085 trace_id=125 func=vf_ip_route_input_common line=2590 msg="find a route: flag=80000000 gw-10.10.0.4 via root"
2019-10-15 09:09:15 id=20085 trace_id=125 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
2019-10-15 09:09:16 id=20085 trace_id=126 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50218->10.10.0.4:8443) from lan. flag [S], seq 1723572199, ack 0, win 26880"
2019-10-15 09:09:16 id=20085 trace_id=126 func=init_ip_session_common line=5530 msg="allocate a new session-0391c2b7"
2019-10-15 09:09:16 id=20085 trace_id=126 func=vf_ip_route_input_common line=2590 msg="find a route: flag=80000000 gw-10.10.0.4 via root"
2019-10-15 09:09:16 id=20085 trace_id=126 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"

Any suggestions?
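The trace in the post already contains the diagnosis: every SYN to 10.10.0.4:8443 reaches fw_local_in_handler and is dropped by policy 0, which is FortiOS's implicit deny, so no firewall policy matched the traffic to the VIP. The following Python script is an added example, not part of the thread or of any Fortinet tool: it parses `diagnose debug flow` output of the shape quoted above and groups implicit-deny drops by destination, which makes the pattern easy to spot in a longer capture where accepted and dropped flows are interleaved. The sample lines are copied from the post plus one constructed trace for an accepted flow; the "Allowed by Policy-N:" wording of that constructed line is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample. The first seven lines have the shape quoted in the post
# (diagnose debug flow output); the last two are constructed to show an
# accepted flow, and the "Allowed by Policy-N:" wording is an assumption.
SAMPLE_TRACE = """\
2019-10-15 09:09:12 id=20085 trace_id=123 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50134->10.10.0.4:8443) from lan. flag [S], seq 2756646312, ack 0, win 26880"
2019-10-15 09:09:12 id=20085 trace_id=123 func=init_ip_session_common line=5530 msg="allocate a new session-0391c273"
2019-10-15 09:09:12 id=20085 trace_id=123 func=vf_ip_route_input_common line=2590 msg="find a route: flag=80000000 gw-10.10.0.4 via root"
2019-10-15 09:09:12 id=20085 trace_id=123 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
2019-10-15 09:09:16 id=20085 trace_id=126 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50218->10.10.0.4:8443) from lan. flag [S], seq 1723572199, ack 0, win 26880"
2019-10-15 09:09:16 id=20085 trace_id=126 func=init_ip_session_common line=5530 msg="allocate a new session-0391c2b7"
2019-10-15 09:09:16 id=20085 trace_id=126 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"
2019-10-15 09:10:01 id=20085 trace_id=130 func=print_pkt_detail line=5370 msg="vd-root:0 received a packet(proto=6, 10.10.0.14:50300->10.10.0.20:22) from lan. flag [S], seq 11111, ack 0, win 26880"
2019-10-15 09:10:01 id=20085 trace_id=130 func=fw_forward_handler line=743 msg="Allowed by Policy-3:"
"""

# One debug-flow line: timestamp, id, trace_id, function, source line, quoted message.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
# Packet header as printed by print_pkt_detail: proto, src:sport->dst:dport, ingress interface.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>\S+)\.'
)
DROP_RE = re.compile(r'check failed on policy (?P<policy>\d+), drop')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')


def parse_trace(text):
    """Group debug-flow lines by trace_id.

    Each entry keeps the first packet header seen for that trace and the
    final verdict ("accept" or "drop") with the policy ID that produced it
    and the handler that issued it."""
    flows = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # tolerate CLI prompt echo or unrelated output
        tid = int(m["trace"])
        flow = flows.setdefault(tid, {"ts": m["ts"], "packet": None, "verdict": None,
                                      "policy": None, "func": None})
        msg = m["msg"]
        pkt = PKT_RE.search(msg)
        if pkt and flow["packet"] is None:
            flow["packet"] = {k: (int(v) if v.isdigit() else v)
                              for k, v in pkt.groupdict().items()}
            continue
        drop = DROP_RE.search(msg)
        allow = ALLOW_RE.search(msg)
        if drop:
            flow.update(verdict="drop", policy=int(drop["policy"]), func=m["func"])
        elif allow:
            flow.update(verdict="accept", policy=int(allow["policy"]), func=m["func"])
    return flows


def implicit_deny_drops(flows):
    """Return flows dropped by policy 0 (the implicit deny), keyed by
    (dst, dport, proto). Repeated entries for one destination are the
    signature of a VIP or listener that no firewall policy references."""
    by_dst = defaultdict(list)
    for tid, f in sorted(flows.items()):
        if f["verdict"] == "drop" and f["policy"] == 0 and f["packet"]:
            p = f["packet"]
            by_dst[(p["dst"], p["dport"], p["proto"])].append(
                (tid, p["src"], p["sport"], f["func"]))
    return dict(by_dst)


if __name__ == "__main__":
    drops = implicit_deny_drops(parse_trace(SAMPLE_TRACE))
    for (dst, dport, proto), hits in drops.items():
        print(f"{dst}:{dport}/proto {proto}: {len(hits)} implicit-deny drop(s)")
        for tid, src, sport, func in hits:
            print(f"  trace_id={tid} {src}:{sport} dropped in {func}")
```

Run against a saved `diagnose debug flow` capture, the script prints one line per destination that is being silently denied, and the handler name tells whether the drop happened on the local-in path (fw_local_in_handler, as for the VIP here) or the forwarding path.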

aneagoe
Re: server loadbalancer errors - iprope_in_check() check failed on policy 0, drop (2019/10/17 07:33:16)
I've been in contact with Fortinet support, who suggested looking at this KB (Hairpin NAT): https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36202
It's basically required to have an explicit policy that uses the VIP object name under dstaddr; in my case I had to add the following:

config firewall policy
    edit 0
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "master-kp-api"
        set action accept
        set status enable
        set schedule "always"
        set service "ALL"
    next
end
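The fix in the reply is a firewall policy whose dstaddr is the VIP object itself. The following Python script is an added example, not part of the thread and not a Fortinet tool: it parses a FortiOS CLI configuration excerpt (config/edit/set/next/end) into nested dictionaries and lists every server-load-balance VIP that no enabled accept policy references in dstaddr, which is exactly the condition that produced the policy-0 drops in the original post. The sample config combines the VIP from the post and the policy from the reply with a constructed second VIP named "orphan-vip" (an assumed name) that has no policy. The check does not follow VIP groups (config firewall vipgrp), so a VIP referenced only through a group would be reported as unreferenced.

```python
import shlex

# Constructed sample: the VIP from the post (trimmed to one real server), the
# policy from the reply, and an assumed "orphan-vip" that no policy references.
SAMPLE_CONFIG = """\
config firewall vip
    edit "master-kp-api"
        set type server-load-balance
        set extip 10.10.0.4
        set extintf "any"
        set server-type tcp
        set extport 8443
        config realservers
            edit 1
                set ip 10.10.0.81
                set port 8443
            next
        end
    next
    edit "orphan-vip"
        set type server-load-balance
        set extip 10.10.0.5
        set extintf "any"
        set extport 443
    next
end
config firewall policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "master-kp-api"
        set action accept
        set status enable
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI config into nested dicts.

    "config a b" opens a table keyed by "a b", "edit X" opens an entry keyed
    by X, "set k v1 v2" stores the value list [v1, v2], and "next"/"end"
    close the entry/table. Quoted values are handled by shlex."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0

    def block(terminator):
        nonlocal pos
        node = {}
        while pos < len(lines):
            tokens = shlex.split(lines[pos])
            pos += 1
            kw = tokens[0]
            if kw == terminator:
                return node
            if kw == "config":
                node[" ".join(tokens[1:])] = block("end")
            elif kw == "edit":
                node[tokens[1]] = block("next")
            elif kw == "set":
                node[tokens[1]] = tokens[2:]
            elif kw == "unset":
                node.pop(tokens[1], None)
        return node

    return block(None)


def find_unreferenced_vips(cfg):
    """Names of server-load-balance VIPs that no enabled accept policy lists
    in dstaddr. Defaults used when a key is absent: policy action deny,
    policy status enable, VIP type static-nat."""
    vips = cfg.get("firewall vip", {})
    policies = cfg.get("firewall policy", {})
    referenced = set()
    for pol in policies.values():
        if pol.get("action", ["deny"])[0] != "accept":
            continue
        if pol.get("status", ["enable"])[0] != "enable":
            continue
        referenced.update(pol.get("dstaddr", []))
    return sorted(
        name for name, vip in vips.items()
        if vip.get("type", ["static-nat"])[0] == "server-load-balance"
        and name not in referenced
    )


if __name__ == "__main__":
    config = parse_fortios(SAMPLE_CONFIG)
    for name in find_unreferenced_vips(config):
        vip = config["firewall vip"][name]
        print(f"VIP {name} ({vip['extip'][0]}:{vip.get('extport', ['?'])[0]}) "
              f"has no accept policy referencing it; traffic will hit policy 0")
```

Fed the output of `show firewall vip` and `show firewall policy`, the audit reports the VIPs that will hit the implicit deny, which is the same check Fortinet support walked the poster through, done before the trace is needed.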
