PBR, next-hop

TyuminYury
Level 1

The attachment contains a scheme of my network.

I need clients 10.120.0.43 and 10.1.0.43 to access the Internet through the FortiGate.

I managed to make it work for the client 10.1.0.43,
but there is a problem with the client 10.120.0.43:
sites ping successfully, but the browser does not open them.

I have the following config:


R0:
interface GigabitEthernet0/0
 ip address 10.50.0.6 255.255.255.252
 ip access-group OUT-LAN in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map Fortinet
 duplex auto
 speed auto

interface Tunnel6
 description VPN to DC3 (ISP1)
 ip address 192.168.6.3 255.255.255.0
 ip policy route-map Fortinet2
 tunnel source GigabitEthernet0/2.3
 tunnel mode ipsec ipv4
 tunnel destination xx.xx.xx.xx
 tunnel protection ipsec profile PR

route-map Fortinet2 permit 10
 match ip address VIA-Fortinet
 set ip next-hop 10.50.0.25
!

route-map Fortinet permit 10
 match ip address VIA-Fortinet
 set ip next-hop 10.50.0.25

ip access-list extended VIA-Fortinet
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip host 10.1.0.43 any
 permit ip host 10.120.0.43 any

R3:
interface GigabitEthernet0/1
 description LAN
 ip address 10.120.0.254 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map Office-Internet
 duplex auto
 speed auto

route-map Office-Internet permit 10
 match ip address To-Office
 set ip next-hop 192.168.6.3
!

ip access-list extended To-Office
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 permit ip host 10.120.0.43 any


Mark Malone
VIP Alumni

If you can ping the sites from both IPs, it would suggest that the PBR is working correctly. When you debug it and try to reach it from either PC, does the debug show you being redirected correctly?

Is the DNS set correctly on 10.120.0.43, and is it allowed for that IP in the firewall? Are the rules identical for both host IPs?

As for the DNS, it is fine;
the firewall allows all.

The website even begins to open: the session is established, but the response with the contents of the page does not get through.

The attachment is a dump from the client when opening a site.

If you're reaching the web page then PBR is working correctly; its only job is to redirect traffic through the firewall for the specific host, and it has. Is the issue seen for every website or just certain web pages?

To rule out something on the host side, connect a laptop to the port with the same IP and see if you get the same results. Is it coming from a virtual host?

Looking at that Wireshark capture, anything coming back from the 178 IP is sent with an incorrect FCS.

But why might this happen?

Hello,

What is the gateway of your firewall to access the Internet? Is it passing through R0 and the tunnel to access the Internet? I do not see any MTU set on your Tunnel interface. Try to set MTU 1400 and ip tcp adjust-mss 1360 on your Tunnel interface.

Masoud
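The reply above suggests setting the tunnel MTU to 1400 and clamping TCP MSS to 1360. The following Python model is an added example, not code from the thread or from Cisco: it shows why a default-size ping can cross an IPsec tunnel while full-size TCP segments get fragmented or dropped, and why 1360 is the MSS that pairs with an IP MTU of 1400 (1400 minus 20 bytes IP minus 20 bytes TCP). The ESP overhead values in `EspParams` (AES-CBC with a 16-byte IV and a 12-byte ICV) and the 1500-byte physical MTU are assumptions; the real numbers depend on the transform set, and the model does not simulate PMTUD feedback.

```python
from dataclasses import dataclass

IP_HDR = 20         # IPv4 header without options
TCP_HDR = 20        # TCP header without options
ICMP_HDR = 8
PING_PAYLOAD = 56   # default Linux ping payload: an 84-byte packet in total


@dataclass(frozen=True)
class EspParams:
    """Assumed ESP tunnel-mode overhead: AES-CBC (16-byte IV, 16-byte block) and a
    12-byte ICV such as HMAC-SHA1-96. Real values depend on the transform set."""
    outer_ip: int = 20
    spi_seq: int = 8
    iv: int = 16
    block: int = 16
    trailer: int = 2      # pad-length + next-header bytes
    icv: int = 12


def encapsulated_size(inner_len: int, p: EspParams = EspParams()) -> int:
    """Wire size of an inner IP packet after ESP tunnel-mode encapsulation."""
    padded = -(-(inner_len + p.trailer) // p.block) * p.block   # round up to a cipher block
    return p.outer_ip + p.spi_seq + p.iv + padded + p.icv


def max_inner_len(physical_mtu: int, p: EspParams = EspParams()) -> int:
    """Largest inner packet whose encapsulation still fits the physical link MTU."""
    n = physical_mtu
    while encapsulated_size(n, p) > physical_mtu:
        n -= 1
    return n


def mss_for_ip_mtu(ip_mtu: int) -> int:
    """MSS at which a full TCP segment exactly fills the tunnel's IP MTU."""
    return ip_mtu - IP_HDR - TCP_HDR


def check_path(inner_len, tunnel_ip_mtu, physical_mtu=1500, df=True, p=EspParams()):
    """Fate of one inner packet at the tunnel ingress (simplified model):
    'ok'               - encapsulated and forwarded intact
    'icmp-frag-needed' - exceeds the tunnel MTU with DF set; the router answers with
                         ICMP type 3 code 4, which only helps if nothing filters it
    'inner-fragmented' - exceeds the tunnel MTU with DF clear; fragmented before encryption
    'outer-fragmented' - fits the tunnel MTU but the ESP packet exceeds the physical MTU
                         and is fragmented after encryption; a black hole if a hop
                         on the ISP path drops fragments"""
    if inner_len > tunnel_ip_mtu:
        return "icmp-frag-needed" if df else "inner-fragmented"
    if encapsulated_size(inner_len, p) > physical_mtu:
        return "outer-fragmented"
    return "ok"


def scenario(tunnel_ip_mtu, mss, physical_mtu=1500):
    """Compare a default ping with a full-size HTTP data segment (DF set, as TCP
    stacks do for path MTU discovery)."""
    ping_len = IP_HDR + ICMP_HDR + PING_PAYLOAD
    seg_len = IP_HDR + TCP_HDR + mss
    return {
        "ping": check_path(ping_len, tunnel_ip_mtu, physical_mtu),
        "http_segment": check_path(seg_len, tunnel_ip_mtu, physical_mtu),
    }


if __name__ == "__main__":
    print("largest inner packet that fits a 1500-byte link:", max_inner_len(1500))
    print("tunnel MTU 1500, MSS 1460:", scenario(1500, 1460))
    print("tunnel MTU 1400, MSS 1460:", scenario(1400, 1460))
    print("tunnel MTU 1400, MSS", mss_for_ip_mtu(1400), ":", scenario(1400, 1360))
```

With the assumed overhead the model reports that an 84-byte ping always fits, a 1500-byte segment is fragmented after encryption, lowering only the tunnel MTU turns that into ICMP "fragmentation needed" (which the client may never receive), and MTU 1400 together with MSS 1360 keeps every segment small enough to pass untouched. The poster later reports that changing the MTU did not help, so the model only explains what the suggestion checks, not the final cause.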

On the firewall, the gateway is set to the ISP.
Yes, I tried to change the MTU, but this has no effect.

I also tried to change the scheme so that there was a Tunnel on the path (R1 -> R0 -> FortiGate), also without result.

Did you check your firewall policy for 10.120.0.43?

Are HTTP and DNS allowed?

Enable logging on your FortiGate policy to make sure your router configuration is correct and 10.120.0.43 is passing through the firewall.

Yes, the data passes through the FortiGate.

To exclude the FortiGate settings as the cause, I changed the scheme to version 3 (R3 -> R0 -> R1)
and always get the same result.

Some other things come to my mind.

Access-lists on the interfaces.

Try to use a different IP for NAT for your client (not logical, but worth trying).


This situation occurs with all sites.
Before, I tried it on a virtual server, but now I have tried it on a physical server and the situation is the same.

TyuminYury
Level 1

The problem disappears if I change this on R2:

route-map Office-Internet permit 10
 match ip address To-Office
 set ip next-hop 192.168.6.3
!

to

route-map Office-Internet permit 10
 set ip default next-hop 192.168.6.3
!

But why?
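The two route-map variants in the last post differ in a documented way: `set ip next-hop` overrides the routing table for every packet the sequence matches, while `set ip default next-hop` is consulted only for destinations to which the router has no explicit route, that is, packets that would otherwise follow the default route. The Python model below is an added example, not code from the thread or from Cisco IOS: it evaluates the `To-Office` ACL with wildcard-mask semantics, performs a longest-prefix lookup over a constructed routing table (`R3_RIB`, with hypothetical next hops, since the thread shows none), and applies each set clause. The web-server address `203.0.113.10` is a documentation address. The model ignores `verify-availability`, recursive next-hop resolution and CEF details, and it does not claim to explain why the change fixed the poster's network; it only makes the two semantics visible, including why the leading `deny` lines for RFC1918 space matter when the route-map has no match clause.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One entry of an IOS extended ACL (ip protocol only)."""
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str


def _wild_match(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """Match an address against an ACL address spec with Cisco wildcard semantics."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == ipaddress.IPv4Address(parts[1])
    base, wildcard = (int(ipaddress.IPv4Address(x)) for x in parts)
    # wildcard bits set to 1 are "don't care"; all other bits must equal the base
    return ((int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if _wild_match(ace.src, s) and _wild_match(ace.dst, d):
            return ace.action == "permit"
    return False


def rib_lookup(rib, dst: str):
    """Longest-prefix match over (prefix, next_hop) pairs; returns (network, next_hop)."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in rib:
        net = ipaddress.IPv4Network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def pbr_next_hop(acl, set_clause: str, pbr_nh: str, rib, src: str, dst: str):
    """Effective next hop for a packet arriving on an interface carrying this route-map.
    acl=None models a route-map sequence with no match clause (matches every packet)."""
    entry = rib_lookup(rib, dst)
    rib_nh = entry[1] if entry else None
    if acl is not None and not acl_permits(acl, src, dst):
        return rib_nh                                  # not policy-routed: normal forwarding
    if set_clause == "next-hop":
        return pbr_nh                                  # unconditional override of the RIB
    if set_clause == "default next-hop":
        # used only when the RIB has no explicit route, i.e. the destination would
        # otherwise follow the default route (prefix length 0)
        if entry is None or entry[0].prefixlen == 0:
            return pbr_nh
        return rib_nh
    raise ValueError(f"unsupported set clause: {set_clause}")


# ACL copied from R3 in the thread; the deny lines keep RFC1918 destinations off the policy route
TO_OFFICE = [
    Ace("deny", "any", "10.0.0.0 0.255.255.255"),
    Ace("deny", "any", "172.16.0.0 0.15.255.255"),
    Ace("deny", "any", "192.168.0.0 0.0.255.255"),
    Ace("permit", "host 10.120.0.43", "any"),
]

# Constructed routing table for R3 (hypothetical next hops; the thread shows none)
R3_RIB = [
    ("0.0.0.0/0", "10.120.0.1"),
    ("10.0.0.0/8", "10.120.0.1"),
    ("192.168.6.0/24", "10.120.0.1"),
]

TUNNEL_NH = "192.168.6.3"   # next hop used by both route-map variants in the thread

if __name__ == "__main__":
    internet = "203.0.113.10"   # documentation address standing in for a web server
    for clause, acl in (("next-hop", TO_OFFICE), ("default next-hop", None)):
        for dst in (internet, "10.1.0.43"):
            print(f"{clause:17} {dst:14} ->",
                  pbr_next_hop(acl, clause, TUNNEL_NH, R3_RIB, "10.120.0.43", dst))
```

For an Internet destination both variants send the client's traffic to 192.168.6.3. For an internal destination such as 10.1.0.43 the first variant relies on the ACL's `deny` lines, and the second on the explicit 10.0.0.0/8 route, to keep that traffic on the normal path; dropping the match clause while keeping `set ip next-hop` would force internal traffic into the tunnel as well, which is the failure mode the thread's ACL ordering guards against.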