Buenos días,
He detectado intermitencias cuando envío peticiones de un equipo a otro. Las trazas estan influidas por una ruta estática configurada para llegar al destino:
200.X.X.X 255.255.255.255 10.x.x.x via vlan291
En ocasiones no sabe llegar al destino. Lo curioso es que los paquetes que no llegan pesan todos 240 B.
Cuando realizo un debug se observa que en algun envio no enruta por la vlan correcta:
Traza fallida
FW# 2017-10-26 17:57:31 id=13 trace_id=340 msg="vd-root received a packet(proto=6, 10.x.x.x:42300->2xx.x.x.x:15000) from TEST_283. flag [S], seq 3988386671, ack 0, win 14600"
2017-10-26 17:57:31 id=13 trace_id=340 msg="allocate a new session-f6b0d641"
2017-10-26 17:57:31 id=13 trace_id=340 msg="find a route: flags=00000000 gw-10.x.x.x via TEST_291"
2017-10-26 17:57:31 id=13 trace_id=340 msg="use addr/intf hash, len=6"
2017-10-26 17:57:31 id=13 trace_id=340 msg="Allowed by Policy-38:"
2017-10-26 17:57:31 id=13 trace_id=340 msg="insert vlan cos:0 id:283"
Traza correcta
FW# 2017-10-26 17:57:18 id=13 trace_id=334 msg="vd-root received a packet(proto=6, 10.x.x.x:42296->2xx.x.x.x:15000) from TEST_283. flag [S], seq 2364156573, ack 0, win 14600"
2017-10-26 17:57:18 id=13 trace_id=334 msg="allocate a new session-f6b0ccd0"
2017-10-26 17:57:18 id=13 trace_id=334 msg="find a route: flags=00000000 gw-10.x.x.x via TEST_291"
2017-10-26 17:57:18 id=13 trace_id=334 msg="use addr/intf hash, len=6"
2017-10-26 17:57:18 id=13 trace_id=334 msg="Allowed by Policy-38:"
2017-10-26 17:57:18 id=13 trace_id=334 msg="insert vlan cos:0 id:291"
2017-10-26 17:57:18 id=13 trace_id=335 msg="vd-root received a packet(proto=6, 2xx.x.x.x:15000->10.x.x.x:42296) from TEST_291. flag [S.], seq 1465480323, ack 2364156574, win 16384"
2017-10-26 17:57:18 id=13 trace_id=335 msg="Find an existing session, id-f6b0ccd0, reply direction"
2017-10-26 17:57:18 id=13 trace_id=335 msg="find a route: flags=00000000 gw-10.x.x.x via TEST_283"
2017-10-26 17:57:18 id=13 trace_id=335 msg="insert vlan cos:0 id:283"
2017-10-26 17:57:18 id=13 trace_id=336 msg="vd-root received a packet(proto=6, 10.x.x.x:42296->2xx.x.x.x:15000) from TEST_283. flag [.], seq 2364156574, ack 1465480324, win 229"
Adjunto imagen de los logs
[Debes identificarte para poder ver enlaces.]
¿Alguna idea de que puede estar sucediendo?
Gracias de antemano
Acceso a IP intermitente
Re: Acceso a IP intermitente
hola, estas usando policy route? tenes redes con mascara que se superponen? del otro lado tenes las rutas correctas?
NSE 7 – Fortinet Network Security Architect
NSE 5 - Network Security Analyst
NSE 5 - Network Security Analyst
Re: Acceso a IP intermitente
Hola,
No estoy utilizando policy-route y no hay redes que se superpongan.
Una de las pruebas que he realizado es añadir una policy-route especificando el origen-destino y compruebo que los paquetes se dropean.
FW# 2017-10-26 18:36:32 id=13 trace_id=341 msg="vd-root received a packet(proto=6, 10.x.x.x:42336->2xx.x.x.x) from TEST_283. flag [S], seq 1413447769, ack 0, win 14600"
2017-10-26 18:36:32 id=13 trace_id=341 msg="allocate a new session-f6ba42e4"
2017-10-26 18:36:32 id=13 trace_id=341 msg="Match policy routing: to 10.x.x.x via ifindex-49"
2017-10-26 18:36:32 id=13 trace_id=341 msg="find a route: flags=80000000 gw-10.x.x.x via root"
2017-10-26 18:36:32 id=13 trace_id=341 msg="iprope_in_check() check failed on policy 0, drop"
2017-10-26 18:36:33 id=13 trace_id=342 msg="vd-root received a packet(proto=6, 10.x.x.x:42336->2xx.x.x.x) from TEST_283. flag [S], seq 1413447769, ack 0, win 14600"
2017-10-26 18:36:33 id=13 trace_id=342 msg="allocate a new session-f6ba4358"
2017-10-26 18:36:33 id=13 trace_id=342 msg="Match policy routing: to 10.x.x.x via ifindex-49"
2017-10-26 18:36:33 id=13 trace_id=342 msg="find a route: flags=80000000 gw-10.x.x.x via root"
2017-10-26 18:36:33 id=13 trace_id=342 msg="iprope_in_check() check failed on policy 0, drop"
2017-10-26 18:36:35 id=13 trace_id=343 msg="vd-root received a packet(proto=6, 10.x.x.x:42336->2xx.x.x.x) from TEST_283. flag [S], seq 1413447769, ack 0, win 14600"
2017-10-26 18:36:35 id=13 trace_id=343 msg="allocate a new session-f6ba4479"
2017-10-26 18:36:35 id=13 trace_id=343 msg="Match policy routing: to 10.x.x.x via ifindex-49"
2017-10-26 18:36:35 id=13 trace_id=343 msg="find a route: flags=80000000 gw-10.x.x.x via root"
2017-10-26 18:36:35 id=13 trace_id=343 msg="iprope_in_check() check failed on policy 0, drop"
2017-10-26 18:36:39 id=13 trace_id=344 msg="vd-root received a packet(proto=6, 10.x.x.x:42336->2xx.x.x.x) from TEST_283. flag [S], seq 1413447769, ack 0, win 14600"
2017-10-26 18:36:39 id=13 trace_id=344 msg="allocate a new session-f6ba472e"
2017-10-26 18:36:39 id=13 trace_id=344 msg="Match policy routing: to 10.x.x.x via ifindex-49"
2017-10-26 18:36:39 id=13 trace_id=344 msg="find a route: flags=80000000 gw-10.x.x.x via root"
2017-10-26 18:36:39 id=13 trace_id=344 msg="iprope_in_check() check failed on policy 0, drop"
Un saludo
No estoy utilizando policy-route y no hay redes que se superpongan.
Una de las pruebas que he realizado es añadir una policy-route especificando el origen-destino y compruebo que los paquetes se dropean.
FW# 2017-10-26 18:36:32 id=13 trace_id=341 msg="vd-root received a packet(proto=6, 10.x.x.x:42336->2xx.x.x.x) from TEST_283. flag [S], seq 1413447769, ack 0, win 14600"
2017-10-26 18:36:32 id=13 trace_id=341 msg="allocate a new session-f6ba42e4"
2017-10-26 18:36:32 id=13 trace_id=341 msg="Match policy routing: to 10.x.x.x via ifindex-49"
2017-10-26 18:36:32 id=13 trace_id=341 msg="find a route: flags=80000000 gw-10.x.x.x via root"
2017-10-26 18:36:32 id=13 trace_id=341 msg="iprope_in_check() check failed on policy 0, drop"
2017-10-26 18:36:33 id=13 trace_id=342 msg="vd-root received a packet(proto=6, 10.x.x.x:42336->2xx.x.x.x) from TEST_283. flag [S], seq 1413447769, ack 0, win 14600"
2017-10-26 18:36:33 id=13 trace_id=342 msg="allocate a new session-f6ba4358"
2017-10-26 18:36:33 id=13 trace_id=342 msg="Match policy routing: to 10.x.x.x via ifindex-49"
2017-10-26 18:36:33 id=13 trace_id=342 msg="find a route: flags=80000000 gw-10.x.x.x via root"
2017-10-26 18:36:33 id=13 trace_id=342 msg="iprope_in_check() check failed on policy 0, drop"
2017-10-26 18:36:35 id=13 trace_id=343 msg="vd-root received a packet(proto=6, 10.x.x.x:42336->2xx.x.x.x) from TEST_283. flag [S], seq 1413447769, ack 0, win 14600"
2017-10-26 18:36:35 id=13 trace_id=343 msg="allocate a new session-f6ba4479"
2017-10-26 18:36:35 id=13 trace_id=343 msg="Match policy routing: to 10.x.x.x via ifindex-49"
2017-10-26 18:36:35 id=13 trace_id=343 msg="find a route: flags=80000000 gw-10.x.x.x via root"
2017-10-26 18:36:35 id=13 trace_id=343 msg="iprope_in_check() check failed on policy 0, drop"
2017-10-26 18:36:39 id=13 trace_id=344 msg="vd-root received a packet(proto=6, 10.x.x.x:42336->2xx.x.x.x) from TEST_283. flag [S], seq 1413447769, ack 0, win 14600"
2017-10-26 18:36:39 id=13 trace_id=344 msg="allocate a new session-f6ba472e"
2017-10-26 18:36:39 id=13 trace_id=344 msg="Match policy routing: to 10.x.x.x via ifindex-49"
2017-10-26 18:36:39 id=13 trace_id=344 msg="find a route: flags=80000000 gw-10.x.x.x via root"
2017-10-26 18:36:39 id=13 trace_id=344 msg="iprope_in_check() check failed on policy 0, drop"
Un saludo
Re: Acceso a IP intermitente
hola, check failed on policy 0 , es que no hay ninguna politica que tome ese trafico, ya se origen- destino-servicio
revisa eso
revisa eso
NSE 7 – Fortinet Network Security Architect
NSE 5 - Network Security Analyst
NSE 5 - Network Security Analyst