FortiGate外网IPSec链路及运维专线链路到个别网段不通

时间:2022-08-19 05:43:13

1.现状:

  如图,用户网段有192.168.50.0/24、192.168.51.0/24和192.168.52.0/24、192.168.53.0/24。在防火墙上有静态路由到运维专线的10.160.25.0/24网段,且有到10.70.31.0/24的IPSec VPN。

2.现象:

  192.168.50.0/24、192.168.51.0/24和192.168.52.0/24、192.168.53.0/24均可正常通到各个外网。但10.160.25.0/24和10.70.31.0/24段到192.168.50.0/24、192.168.51.0/24能通,到192.168.52.0/24、192.168.53.0/24不通。

3.分析:

  通过在10.160.25.0/24的一台机器上做trace发现断点在防火墙。

4.排查:

  防火墙上开启debug flow  

  

  FGT5HD3915800383 # diagnose debug flow filter addr 10.160.25.39

  FGT5HD3915800383 # diagnose debug flow show console enable

  show trace messages on console

  FGT5HD3915800383 # diagnose debug flow trace start 20

  FGT5HD3915800383 # diagnose debug enable  

  FGT5HD3915800383 # id=13 trace_id=13 func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=6, 10.160.25.39:54490->192.168.200.251:445) from port12. flag [S], seq 3745359550, ack 0, win 8192"

  id=13 trace_id=13 func=init_ip_session_common line=4469 msg="allocate a new session-094e72cc"

  id=13 trace_id=13 func=vf_ip4_route_input line=1600 msg="find a route: flags=00000000 gw-192.168.79.2 via to-cisco3750"

  id=13 trace_id=13 func=fw_forward_handler line=685 msg="Allowed by Policy-63:"

  id=13 trace_id=14 func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=6, 192.168.200.251:445->10.160.25.39:54490) from to-cisco3750. flag [S.], seq 3483021419, ack 3745359551, win 8192"

  id=13 trace_id=14 func=resolve_ip_tuple_fast line=4372 msg="Find an existing session, id-094e72cc, reply direction"

  id=13 trace_id=14 func=vf_ip4_route_input line=1600 msg="find a route: flags=00000000 gw-192.168.72.2 via port12"

  id=13 trace_id=15 func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=6, 10.160.25.39:54490->192.168.200.251:445) from port12. flag [.], seq 3745359551, ack 3483021420, win 513"

  id=13 trace_id=15 func=resolve_ip_tuple_fast line=4372 msg="Find an existing session, id-094e72cc, original direction"

  //以上为10.160.25.39和192.168.200.251正常通信的信息

  id=13 trace_id=16 func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=1, 10.160.25.39:1->192.168.52.48:8) from port12. code=8, type=0, id=1, seq=1549."

  id=13 trace_id=16 func=init_ip_session_common line=4469 msg="allocate a new session-094e7a2a"

  id=13 trace_id=16 func=vf_ip4_route_input line=1600 msg="find a route: flags=00000000 gw-192.168.52.48 via port1"

  id=13 trace_id=16 func=fw_forward_handler line=685 msg="Allowed by Policy-63:"

  id=13 trace_id=17 func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=1, 10.160.25.39:1->192.168.52.48:8) from port12. code=8, type=0, id=1, seq=1550."

  id=13 trace_id=17 func=resolve_ip_tuple_fast line=4372 msg="Find an existing session, id-094e7a2a, original direction"

  id=13 trace_id=18 func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=1, 10.160.25.39:1->192.168.52.48:8) from port12. code=8, type=0, id=1, seq=1551."

  id=13 trace_id=18 func=resolve_ip_tuple_fast line=4372 msg="Find an existing session, id-094e7a2a, original direction"

  id=13 trace_id=19 func=print_pkt_detail line=4313 msg="vd-root received a packet(proto=1, 10.160.25.39:1->192.168.52.48:8) from port12. code=8, type=0, id=1, seq=1552."

  id=13 trace_id=19 func=resolve_ip_tuple_fast line=4372 msg="Find an existing session, id-094e7a2a, original direction"

  //发现10.160.25.39与192.168.52.48通信的包发到了“port1”

  FGT5HD3915800383 # diagnose debug disable  

  排查结果即防火墙将数据包发给了port1

  FortiGate外网IPSec链路及运维专线链路到个别网段不通  

  即,防火墙端口状态为启用时,防火墙会产生直连路由,但是在路由表里并不显示。

5.解决:

  将端口状态改为未启用即可。

  

  

  

  

  

  

  

  

相关文章