Debug Flow Troubleshooting Examples
Denied by forward policy check (policy 0)
The Debug Flow output shows that 192.168.1.10 pinging 114.114.114.114 matched policy 0 (the implicit deny policy), i.e. no configured firewall policy matched the packet.
2022-11-30 18:16:43 id=20085 trace_id=30 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:2328->114.114.114.114:2048) tun_id=0.0.0.0 from port5. type=8, code=0, id=2328, seq=1."
2022-11-30 18:16:43 id=20085 trace_id=30 func=init_ip_session_common line=6024 msg="allocate a new session-000e4d3d, tun_id=0.0.0.0"
2022-11-30 18:16:43 id=20085 trace_id=30 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.89.254 via port1"
2022-11-30 18:16:43 id=20085 trace_id=30 func=fw_forward_handler line=719 msg="Denied by forward policy check (policy 0)"
Denied by forward policy check (policy XX)
The Debug Flow output shows that 192.168.1.10 pinging 114.114.114.114 is dropped by policy 9.
2022-11-30 18:22:05 id=20085 trace_id=37 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:2335->114.114.114.114:2048) tun_id=0.0.0.0 from port5. type=8, code=0, id=2335, seq=1."
2022-11-30 18:22:05 id=20085 trace_id=37 func=init_ip_session_common line=6024 msg="allocate a new session-000e5327, tun_id=0.0.0.0"
2022-11-30 18:22:05 id=20085 trace_id=37 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.89.254 via port1"
2022-11-30 18:22:05 id=20085 trace_id=37 func=fw_forward_handler line=719 msg="Denied by forward policy check (policy 9)"
The policy with id 9 is configured as follows. It matches all traffic from port5 to port1 with action deny, so any such packet is dropped before a later allow policy can be considered; check the policy order as well as the action.
config firewall policy
    edit 9
        set srcintf "port5"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
        set action deny
    next
end
reverse path check fail, drop
Topology: PC1 (192.168.5.10)-----(192.168.5.1) Router (192.168.1.2)-----(port5:192.168.1.1) FortiGate (port1:192.168.89.35)----Internet
FortiGate routing configuration.
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 192.168.89.254
        set device "port1"
    next
end
The Debug Flow output shows that 192.168.5.10 pinging 114.114.114.114 is dropped by the reverse path check. The packet arrived on port5, so the FortiGate checks whether it has a route to the source address 192.168.5.10 through port5; if there is none, the packet is dropped. Here the only route is the default route via port1, and 192.168.5.0/24 is not directly connected to port5, so the check fails. By default the check is loose: any route to the source (a default route included) that points out the ingress interface is enough; the route does not have to be the best route.
2022-11-30 19:02:32 id=20085 trace_id=38 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 192.168.5.10:2471->114.114.114.114:2048) tun_id=0.0.0.0 from port5. type=8, code=0, id=2471, seq=1."
2022-11-30 19:02:32 id=20085 trace_id=38 func=init_ip_session_common line=6024 msg="allocate a new session-000e7d86, tun_id=0.0.0.0"
2022-11-30 19:02:32 id=20085 trace_id=38 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-11-30 19:02:32 id=20085 trace_id=38 func=ip_session_handle_no_dst line=6110 msg="trace"
Solution: add a route to 192.168.5.0/24 via the router at 192.168.1.2 on port5.
config router static
    edit 2
        set dst 192.168.5.0/24
        set gateway 192.168.1.2
        set device "port5"
    next
end
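The following simulator is an added example, not FortiGate code. It models the reverse-path check described above: a packet from 192.168.5.10 arriving on port5 fails the check against the original routing table (connected routes plus the default route via port1) and passes once static route 2 is added. The strict mode is an assumption modelled on FortiOS's strict-src-check setting, in which the best route to the source must use the ingress interface; the interface addresses and routes are constructed from the page's topology.

```python
"""Reverse-path check simulator for the scenario above.

Added example, not FortiGate code.  It models the loose-mode check the page
describes (some route to the source must exist via the ingress interface)
and, as an assumption about FortiOS's strict-src-check setting, a strict
mode in which the *best* route to the source must use the ingress interface.
Interfaces, routes and packets are constructed from the page's topology.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    gateway: str      # "" for a connected route
    device: str


def route(dst, gateway, device):
    return Route(ipaddress.ip_network(dst), gateway, device)


def connected_routes(interfaces):
    """FortiGate installs a connected route per interface subnet; model that."""
    return [route(str(ipaddress.ip_interface(cidr).network), "", dev)
            for dev, cidr in interfaces.items()]


def routes_to(routes, src_ip):
    """Every route whose prefix covers the source address."""
    ip = ipaddress.ip_address(src_ip)
    return [r for r in routes if ip in r.dst]


def rpf_check(routes, src_ip, ingress_if, strict=False):
    """Return (verdict, reason) for a packet from src_ip arriving on ingress_if."""
    candidates = routes_to(routes, src_ip)
    if strict:
        # Strict: the longest-prefix (best) route must leave via the ingress interface.
        best = max(candidates, key=lambda r: r.dst.prefixlen, default=None)
        ok = best is not None and best.device == ingress_if
    else:
        # Loose (default): any covering route via the ingress interface suffices.
        ok = any(r.device == ingress_if for r in candidates)
    if ok:
        return "pass", f"route to {src_ip} exists via {ingress_if}"
    return "drop", f"reverse path check fail: no route to {src_ip} via {ingress_if}"


# Topology from the page (constructed input).
INTERFACES = {"port5": "192.168.1.1/24", "port1": "192.168.89.35/24"}
CONNECTED = connected_routes(INTERFACES)
# Before the fix: only static route 1, the default route via port1.
BEFORE = CONNECTED + [route("0.0.0.0/0", "192.168.89.254", "port1")]
# After the fix: static route 2 for 192.168.5.0/24 via the router at 192.168.1.2 on port5.
AFTER = BEFORE + [route("192.168.5.0/24", "192.168.1.2", "port5")]

if __name__ == "__main__":
    print("before:", rpf_check(BEFORE, "192.168.5.10", "port5"))
    print("after: ", rpf_check(AFTER, "192.168.5.10", "port5"))
    print("host on port5 subnet:", rpf_check(BEFORE, "192.168.1.10", "port5"))
```

Run it to see the page's before/after verdicts; 192.168.1.10 passes even before the fix because the connected route for port5 covers it. Adding a more specific route for part of 192.168.5.0/24 via port1 shows where loose and strict mode diverge: loose still passes on port5, strict drops.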
iprope_in_check() check failed on policy 0, drop
Cause 1
Access to a port that is not opened on the firewall itself (including its own management ports, VIP ports, etc.). In the example below, interface port5 only allows ping.
config system interface
    edit "port5"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping
    next
end
The Debug Flow output shows that 192.168.1.10 connecting to port 22 on the FortiGate port5 interface (192.168.1.1) is rejected, because SSH is not an allowed access method on port5. Note that the route lookup resolves "via root": the packet is addressed to the FortiGate itself and is handled by the local-in path (fw_local_in_handler) rather than the forwarding policy.
2022-11-30 19:27:23 id=20085 trace_id=52 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:53814->192.168.1.1:22) tun_id=0.0.0.0 from port5. flag [S], seq 2134956194, ack 0, win 29200"
2022-11-30 19:27:23 id=20085 trace_id=52 func=init_ip_session_common line=6024 msg="allocate a new session-000eb1ae, tun_id=0.0.0.0"
2022-11-30 19:27:23 id=20085 trace_id=52 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-192.168.1.1 via root"
2022-11-30 19:27:23 id=20085 trace_id=52 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
Cause 2
Traffic destined for the FortiGate itself, with the service enabled on the interface, but administrator trusted hosts are configured and the source IP is not one of them. In the example below, port5 allows ping and ssh, while the admin account's trusted host is set to the 192.168.88.0/24 subnet.
config system interface
    edit "port5"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping ssh
    next
end
config system admin
    edit "admin"
        set trusthost1 192.168.88.0 255.255.255.0
    next
end
The Debug Flow output shows that 192.168.1.10 connecting to port 22 on the FortiGate port5 interface (192.168.1.1) is rejected, because the FortiGate has trusted hosts configured and only addresses in 192.168.88.0/24 may access it. The drop message is identical to cause 1, so the interface allowaccess list and the trusted-host settings both have to be checked.
2022-11-30 19:35:13 id=20085 trace_id=58 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:53818->192.168.1.1:22) tun_id=0.0.0.0 from port5. flag [S], seq 419563927, ack 0, win 29200"
2022-11-30 19:35:13 id=20085 trace_id=58 func=init_ip_session_common line=6024 msg="allocate a new session-000ec1a6, tun_id=0.0.0.0"
2022-11-30 19:35:13 id=20085 trace_id=58 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-192.168.1.1 via root"
2022-11-30 19:35:13 id=20085 trace_id=58 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
Cause 3
Traffic destined for the FortiGate itself, with the service enabled on the interface, as shown below.
config system interface
    edit "port1"
        set ip 192.168.89.35 255.255.255.0
        set allowaccess ping ssh
    next
end
But the traffic enters through a different interface, and no firewall policy from that interface to this one is configured.
The Debug Flow output shows that 192.168.1.10 connecting to port 22 on the FortiGate port1 interface (192.168.89.35) is rejected, because the packet arrived on port5 and there is no port5-to-port1 policy that allows it.
2022-11-30 19:42:32 id=20085 trace_id=72 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:54384->192.168.89.35:22) tun_id=0.0.0.0 from port5. flag [S], seq 2800378420, ack 0, win 29200"
2022-11-30 19:42:32 id=20085 trace_id=72 func=init_ip_session_common line=6024 msg="allocate a new session-000ed260, tun_id=0.0.0.0"
2022-11-30 19:42:32 id=20085 trace_id=72 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-192.168.89.35 via root"
2022-11-30 19:42:32 id=20085 trace_id=72 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
Solution: add a policy from port5 to port1 (edit 0 lets FortiOS assign the next free policy ID). Restrict the destination to the port1 address rather than "all", so the policy only opens management of the unit and not forwarding to the port1 network.
config firewall policy
    edit 0
        set srcintf "port5"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "192.168.89.35/32"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
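The helper below is an added example, not Fortinet code, that turns the four drop messages covered on this page into a first-pass triage of `diagnose debug flow` output. It groups lines by trace_id, extracts the 5-tuple and ingress interface from the print_pkt_detail message, records whether the route lookup resolved "via root" (the packet is addressed to the FortiGate itself, so local-in rules apply instead of forwarding policy), and maps each recognised drop message to the check a practitioner should make next. The sample input is constructed from the trace lines reproduced on this page; the hints are the page's conclusions, and any message not shown here is reported as unknown rather than guessed.

```python
"""Triage helper for FortiGate `diagnose debug flow` output.

Added example, not Fortinet code.  It groups trace lines by trace_id, pulls
the 5-tuple and ingress interface out of print_pkt_detail, notes whether the
route lookup resolved "via root" (the packet is addressed to the FortiGate
itself), and maps the drop messages documented on this page to a likely
cause.  Only those message patterns are claimed; anything else is "unknown".
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>.*)"')
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\) tun_id=[\d.]+ from (?P<iface>\w+)\."
)
ROUTE_RE = re.compile(r"find a route: flag=\w+ gw-[\d.]+ via (?P<dev>\w+)")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<pid>\d+)\)")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_flow(text):
    """Group (func, msg) pairs by trace_id, keeping first-seen order."""
    traces = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            traces.setdefault(m["trace"], []).append((m["func"], m["msg"]))
    return traces


def classify(msgs):
    """Return (verdict, hint) from the drop messages this page documents."""
    for _func, msg in msgs:
        d = DENY_RE.search(msg)
        if d and d["pid"] == "0":
            return "drop", "no forward policy matched (implicit deny): add an allow policy for this srcintf/dstintf/service"
        if d:
            return "drop", f"explicit deny by firewall policy {d['pid']}: check its action and its position in the policy list"
        if "reverse path check fail" in msg:
            return "drop", "RPF failure: no route to the source address via the ingress interface (add the route or fix asymmetric routing)"
        if "iprope_in_check() check failed" in msg:
            return "drop", "local-in denied: check interface allowaccess, admin trusthost, and the inter-interface policy when the packet enters on another interface"
    return "unknown", "no drop message recognised"


def triage(text):
    """One summary dict per trace_id: who, where, whether it is to the unit itself, and why it was dropped."""
    rows = []
    for trace, msgs in parse_flow(text).items():
        row = {"trace": trace, "to_self": False}
        for func, msg in msgs:
            p = PKT_RE.search(msg) if func == "print_pkt_detail" else None
            if p:
                row.update(proto=PROTO.get(int(p["proto"]), p["proto"]), src=p["src"],
                           dst=p["dst"], dport=int(p["dport"]), iface=p["iface"])
            r = ROUTE_RE.search(msg)
            if r and r["dev"] == "root":
                row["to_self"] = True   # destined to the FortiGate, handled by local-in
        row["verdict"], row["hint"] = classify(msgs)
        rows.append(row)
    return rows


# Constructed sample: trace lines reproduced from this page, one per line.
SAMPLE = """\
2022-11-30 18:16:43 id=20085 trace_id=30 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:2328->114.114.114.114:2048) tun_id=0.0.0.0 from port5. type=8, code=0, id=2328, seq=1."
2022-11-30 18:16:43 id=20085 trace_id=30 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-192.168.89.254 via port1"
2022-11-30 18:16:43 id=20085 trace_id=30 func=fw_forward_handler line=719 msg="Denied by forward policy check (policy 0)"
2022-11-30 18:22:05 id=20085 trace_id=37 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 192.168.1.10:2335->114.114.114.114:2048) tun_id=0.0.0.0 from port5. type=8, code=0, id=2335, seq=1."
2022-11-30 18:22:05 id=20085 trace_id=37 func=fw_forward_handler line=719 msg="Denied by forward policy check (policy 9)"
2022-11-30 19:02:32 id=20085 trace_id=38 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=1, 192.168.5.10:2471->114.114.114.114:2048) tun_id=0.0.0.0 from port5. type=8, code=0, id=2471, seq=1."
2022-11-30 19:02:32 id=20085 trace_id=38 func=ip_route_input_slow line=2267 msg="reverse path check fail, drop"
2022-11-30 19:27:23 id=20085 trace_id=52 func=print_pkt_detail line=5845 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:53814->192.168.1.1:22) tun_id=0.0.0.0 from port5. flag [S], seq 2134956194, ack 0, win 29200"
2022-11-30 19:27:23 id=20085 trace_id=52 func=vf_ip_route_input_common line=2605 msg="find a route: flag=84000000 gw-192.168.1.1 via root"
2022-11-30 19:27:23 id=20085 trace_id=52 func=fw_local_in_handler line=500 msg="iprope_in_check() check failed on policy 0, drop"
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f"trace {row['trace']}: {row.get('proto')} {row.get('src')} -> "
              f"{row.get('dst')}:{row.get('dport')} in {row.get('iface')} "
              f"to_self={row['to_self']} {row['verdict']}: {row['hint']}")
```

Feed it the text captured after `diagnose debug flow trace start`; the to_self flag is what separates a forwarding-policy problem from the three local-in causes, since the iprope_in_check message alone does not say which of allowaccess, trusthost or a missing inter-interface policy is responsible.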