FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jstan
Staff
Article Id 198747

Description
When performing a ping test from the FortiGate slave unit, the ping fails and the debug flow prints the message 'local-out traffic, blocked by HA'.

Solution
1) When attempting a ping test from the slave unit, the ping fails:

# execute ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1): 56 data bytes
sendto failed
sendto failed
sendto failed
sendto failed
sendto failed

2) The debug flow is printing the below message:

id=20085 trace_id=3628 func=print_pkt_detail line=5501 msg="vd-root received a packet(proto=1, 10.10.10.10:55136->10.10.10.1:2048) from local. type=8, code=0, id=55136, seq=0."
id=20085 trace_id=3628 func=init_ip_session_common line=5666 msg="allocate a new session-011b8e62"
id=20085 trace_id=3628 func=fw_local_out_handler line=825 msg="local-out traffic, blocked by HA"

The message 'local-out traffic, blocked by HA' shows up in a debug flow when the HA slave unit tries to send self-originated (local-out) traffic.
This is by design and expected in an A-P (active-passive) HA scenario: only the master unit sends self-originated traffic.
To resolve the issue, perform the ping test from the master unit instead.
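As an added example (not Fortinet's code), a small Python parser for the key=value debug flow format shown above: it groups lines by trace_id and reports which self-originated flows ended in the 'blocked by HA' verdict, so the condition can be spotted in captured debug output without reading every line. The three lines quoted in this article are embedded as the sample input.

```python
import re

# Sample input: the three debug flow lines quoted in the article above.
SAMPLE_DEBUG_FLOW = """\
id=20085 trace_id=3628 func=print_pkt_detail line=5501 msg="vd-root received a packet(proto=1, 10.10.10.10:55136->10.10.10.1:2048) from local. type=8, code=0, id=55136, seq=0."
id=20085 trace_id=3628 func=init_ip_session_common line=5666 msg="allocate a new session-011b8e62"
id=20085 trace_id=3628 func=fw_local_out_handler line=825 msg="local-out traffic, blocked by HA"
"""

# One key=value token; the value is either a double-quoted string (msg="...",
# which may itself contain spaces and '=' signs) or a bare token (trace_id=3628).
_TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Verdict string the HA slave emits for self-originated traffic (from the article).
HA_BLOCK_MSG = "local-out traffic, blocked by HA"


def parse_debug_flow_line(line):
    """Return the key=value fields of one debug flow line as a dict (quotes stripped)."""
    fields = {}
    for key, value in _TOKEN_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def group_by_trace(text):
    """Group parsed lines by trace_id so one packet's whole trace can be judged together."""
    traces = {}
    for line in text.splitlines():
        if line.strip():
            fields = parse_debug_flow_line(line)
            traces.setdefault(fields.get("trace_id", "?"), []).append(fields)
    return traces


def ha_blocked_traces(text):
    """Return {trace_id: 'src->dst'} for every trace whose local-out traffic was blocked by HA."""
    blocked = {}
    for trace_id, events in group_by_trace(text).items():
        if any(e.get("func") == "fw_local_out_handler" and e.get("msg") == HA_BLOCK_MSG
               for e in events):
            flow = "?"
            for e in events:  # pull src->dst out of the print_pkt_detail message, if present
                m = re.search(r"\(proto=\d+, (\S+)->(\S+)\)", e.get("msg", ""))
                if m:
                    flow = f"{m.group(1)}->{m.group(2)}"
                    break
            blocked[trace_id] = flow
    return blocked


if __name__ == "__main__":
    for trace_id, flow in ha_blocked_traces(SAMPLE_DEBUG_FLOW).items():
        print(f"trace {trace_id}: {flow} blocked by HA (run the test from the master unit)")
```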
