FortiGate
js2
Staff
Article Id 195885
Description
This article describes a scenario where traffic does not pass through an IPsec dial-up tunnel because of an authentication-related mismatch between the dial-up VPN (XAuth) user group and the firewall policy.

Solution
Debug flow trace (diagnose debug flow) for an ICMP echo request from the dial-up client 10.10.2.1 to 172.16.22.1:
id=20085 trace_id=654 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=1, 10.10.2.1:1->172.16.22.1:2048) from Dialup. type=8, code=0, id=1, seq=2946."
id=20085 trace_id=654 func=init_ip_session_common line=5654 msg="allocate a new session-0ca4cca8"
id=20085 trace_id=654 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-172.16.22.1 via root"
id=20085 trace_id=654 func=fw_local_in_handler line=409 msg="iprope_in_check() check failed on policy 0, drop"

The same traffic with the iprope policy checks shown (diagnose debug flow show iprope enable):
id=20085 trace_id=1510 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=1, 10.10.2.1:1->172.16.22.1:2048) from Dialup. type=8, code=0, id=1, seq=4763."
id=20085 trace_id=1510 func=init_ip_session_common line=5654 msg="allocate a new session-0d0ed30d"
id=20085 trace_id=1510 func=iprope_dnat_check line=4942 msg="in-[Dialup], out-[]"
id=20085 trace_id=1510 func=iprope_dnat_check line=4955 msg="result: skb_flags-02000008, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=1510 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-172.16.22.1 via root"
id=20085 trace_id=1510 func=iprope_fwd_check line=726 msg="in-[Dialup], out-[lan], skb_flags-02000008, vid-0, app_id: 0, url_cat_id: 0"
id=20085 trace_id=1510 func=__iprope_tree_check line=548 msg="gnum-100004, use addr/intf hash, len=2"
id=20085 trace_id=1510 func=__iprope_check_one_policy line=1996 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
id=20085 trace_id=1510 func=get_new_addr line=1140 msg="find SNAT: IP-172.16.22.1(from IPPOOL), port-60417"
id=20085 trace_id=1510 func=__iprope_user_identity_check line=1806 msg="ret-no-match"
id=20085 trace_id=1510 func=__iprope_check_one_policy line=1996 msg="checked gnum-100004 policy-0, ret-matched, act-accept"

In the iprope debug flow, the traffic matches policy 8 (ret-matched, act-accept) and an SNAT address is found from the IP pool, but __iprope_user_identity_check then returns ret-no-match, so the lookup falls through to the implicit policy 0 and the first trace reports msg="iprope_in_check() check failed on policy 0, drop".
This drop is an authentication-related issue: the firewall policy carries a user group that the dial-up session does not match, because the user was already authenticated by XAuth at tunnel setup.

Solution:
In the dial-up VPN (phase1) configuration, XAuth offers two options for User Group:
*Inherit from Policy
*Choose

If Choose is selected, the user group must not be included in the firewall policy as well.
It needs to be included only in the dial-up VPN configuration; configuring it in both places causes the authentication-related drop shown in the trace above.

After the user group was removed from the firewall policy, the network behind the tunnel was reachable.
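The following FortiOS CLI fragment is an added example, not configuration from the article or from Fortinet: it shows a dial-up phase1 with XAuth set to Choose (authusrgrp configured on the tunnel), the broken firewall policy that repeats the group, and the corrected policy. The interface names "wan1", "Dialup" and "lan", the group "vpn_users", the pool "dialup_pool", the policy name and the PSK placeholder are assumptions; lines starting with # are annotations in the style of a FortiOS configuration file. In the CLI, Inherit from Policy corresponds to leaving authusrgrp unset, in which case the group belongs in the policy instead.

```text
# Dial-up tunnel with XAuth "Choose": the user group is set on the tunnel.
config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set xauthtype auto
        set authusrgrp "vpn_users"
        set proposal aes256-sha256
        set psksecret <psk>
    next
end

# Broken: the policy repeats the user group. The debug flow then shows
# "__iprope_user_identity_check ... ret-no-match" followed by
# "iprope_in_check() check failed on policy 0, drop".
config firewall policy
    edit 8
        set name "dialup-to-lan"
        set srcintf "Dialup"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "vpn_users"
        set nat enable
        set ippool enable
        set poolname "dialup_pool"
    next
end

# Fixed: same policy without the group. XAuth already authenticated the
# user against "vpn_users" when the tunnel came up, so no second identity
# check is needed on the policy.
config firewall policy
    edit 8
        unset groups
    next
end
```

After applying the fix, re-run the debug flow for the same client: policy 8 should match with act-accept and no user identity no-match line should precede a policy 0 drop.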
