This article describes how to identify and remove a stale kernel route (pointing to the SSL VPN interface ssl.root) that prevents users from reaching some websites.
Scope
FortiGate.
Solution
Scenario:
Users cannot access specific websites. They can reach google.com or 8.8.8.8, but connections to certain other websites never establish.
Troubleshooting steps:
Step 1: Run packet capture:
diagnose sniffer packet any "host x.x.x.x" 4 0 a <----- Where x.x.x.x is the source IP address of the affected user. The 'host' filter matches the address in either direction, and verbosity level 4 prints the interface name for each packet, which is what shows whether the traffic leaves on the expected WAN interface or on ssl.root.
Step 2: Open a debug flow:
diag debug disable
diag debug reset
diag debug flow filter clear
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diagnose debug flow filter saddr x.x.x.x <----- Where x.x.x.x is the source IP.
diagnose debug flow filter daddr y.y.y.y <----- Where y.y.y.y is the destination IP.
diag debug flow trace start 9999 <----- Start the debug capture.
diag debug enable
diag debug flow trace stop <----- Stop the debug capture.
diag debug disable
In this scenario the debug flow output shows the traffic being forwarded out via ssl.root (the SSL VPN tunnel interface) instead of the WAN interface.
Step 3: The next step is to check the traffic routes:
Routing table:
get router info routing-table all
get router info routing-table details <IP_address>
Policy route:
diagnose firewall proute list
Kernel routes:
get router info kernel | grep <dest_IP_address>

Note that a summary route (for example a /8) will not match a grep on the full host address, so if nothing is returned, grep on the leading octets of the destination, or review the ssl.root entries in the full output: get router info kernel | grep ssl.root
In this scenario the source address is 192.168.66.49 and the destination address is 192.104.123.122. The kernel route table contains an entry for the network 193.0.0.0 255.0.0.0 pointing to the ssl.root interface:
Note: There was no policy route and no static route in place for this network. When SSL VPN is configured, FortiOS inserts routes for the SSL VPN tunnel source IP range directly into the kernel routing table, pointing to ssl.root. These kernel routes are not shown by 'get router info routing-table all', which is why the routing table looked clean while the traffic was still being sent into the SSL VPN tunnel.
To rectify the issue, remove the route from the FortiOS kernel with the following command (the arguments are the interface, destination network, netmask, gateway and priority exactly as listed by 'get router info kernel'):

diagnose ip route delete ssl.root 193.0.0.0 255.0.0.0 0.0.0.0 10

This is a diagnose command, so the change is runtime only and is not saved to the configuration. The SSL VPN configuration that caused a route for this network to be inserted (a tunnel IP range that overlaps public address space) should also be corrected, otherwise the kernel route can be re-inserted the next time SSL VPN is restarted or the unit reboots.
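The following script is an added example (it is not part of the original article or of FortiOS) showing how to do the Step 3 kernel route check offline against saved 'get router info kernel' output: it parses the route lines, performs a longest-prefix-match lookup for a destination, lists any ssl.root routes that cover public address space, and builds the matching 'diagnose ip route delete' command in the argument order used above. The sample kernel route lines are constructed for illustration, as is the destination 193.0.0.5 used in the lookup; the regular expression assumes the field layout shown in those sample lines.

```python
import ipaddress
import re

# Constructed sample of `get router info kernel` output (not from the article).
# Field layout assumed: ... prio=N SRC->DST/LEN pref=... gwy=GATEWAY dev=N(INTERFACE)
SAMPLE_KERNEL_ROUTES = """\
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0->0.0.0.0/0 pref=0.0.0.0 gwy=203.0.113.1 dev=5(wan1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0->192.168.66.0/24 pref=192.168.66.1 gwy=0.0.0.0 dev=7(internal)
tab=254 vf=0 scope=0 type=1 proto=11 prio=10 0.0.0.0/0.0.0.0->193.0.0.0/8 pref=0.0.0.0 gwy=0.0.0.0 dev=40(ssl.root)
tab=254 vf=0 scope=0 type=1 proto=11 prio=10 0.0.0.0/0.0.0.0->10.212.134.200/32 pref=0.0.0.0 gwy=0.0.0.0 dev=40(ssl.root)
"""

ROUTE_RE = re.compile(
    r"prio=(?P<prio>\d+)\s+\S+->(?P<dst>[\d.]+/\d+)\s+.*?"
    r"gwy=(?P<gwy>[\d.]+)\s+dev=\d+\((?P<dev>[^)]+)\)"
)


def parse_kernel_routes(text):
    """Turn kernel route lines into dicts with a parsed network object."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if not m:
            continue  # skip lines that do not look like a route entry
        routes.append({
            "network": ipaddress.ip_network(m.group("dst"), strict=False),
            "gwy": m.group("gwy"),
            "dev": m.group("dev"),
            "prio": int(m.group("prio")),
            "line": line,
        })
    return routes


def lookup(routes, dest_ip):
    """Longest-prefix match (lowest priority value wins a tie), like the kernel does."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if ip in r["network"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["network"].prefixlen, -r["prio"]))


def grep_host(text, dest_ip):
    """What `| grep <dest_IP_address>` would return: a plain substring match."""
    return [line for line in text.splitlines() if dest_ip in line]


def ssl_routes_covering_public(routes):
    """ssl.* routes whose destination is public address space: these are the
    suspicious ones, since a tunnel IP range should never cover the Internet."""
    return [r for r in routes
            if r["dev"].startswith("ssl.") and not r["network"].is_private]


def delete_command(route):
    """Build the diagnose command with the argument order used in the article:
    interface, destination network, netmask, gateway, priority."""
    net = route["network"]
    return (f"diagnose ip route delete {route['dev']} {net.network_address} "
            f"{net.netmask} {route['gwy']} {route['prio']}")


if __name__ == "__main__":
    routes = parse_kernel_routes(SAMPLE_KERNEL_ROUTES)
    dest = "193.0.0.5"  # constructed destination inside the bad /8
    print("grep on the host address finds:", grep_host(SAMPLE_KERNEL_ROUTES, dest))
    hit = lookup(routes, dest)
    print(f"{dest} is forwarded via {hit['dev']} ({hit['network']})")
    for r in ssl_routes_covering_public(routes):
        print("suspicious ssl route:", r["line"])
        print("fix with:", delete_command(r))
```

The grep check returns nothing for 193.0.0.5 because the route is a /8 summary, while the prefix lookup correctly attributes the destination to ssl.root; this is the failure mode behind "the routing table looks fine but traffic still goes into the tunnel".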