Understanding Logging
Hi,
I have a freshly set up NSA3600 and configured X4 as a trunk for a Unifi AP with several SSIDs on different VIDs.
If I connect to the different SSIDs/VLANs I do get the appropriate DHCP lease in the right VLAN.
However, I get no access to the WAN.
In the logs of the NGFW I can see that all packets from all VLANs are getting dropped because of a policy:
DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_rqnke{Ejgem) 1:4)
I assured and double checked:
The access rule from the VLAN/zone to WAN is priority 1, see attachment.
CFS and all other security options are not licensed and not active.
There is already the automated NAT policy for the VLAN, which seems to be correct.
How can I find out what is blocking the traffic?
Any help is appreciated.
Cheers,
Kilian
Best Answer
Arkwright Community Legend ✭✭✭✭✭
It's not the routing then - route 14 covers traffic from your problem zones to the internet.
However, I just looked at your access rules again. The one you underlined, rule 1. What do you think that's going to do? I think that rule will only allow access from Multimedia zone to the networks that the firewall's WAN interfaces are in. Now you did say "I get no access to the WAN" and that rule will literally do just that. But I think what you really want is a destination of "Any", ie, the entire internet.
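To make the point of the accepted answer concrete, here is an added illustration (not SonicWall code and not from the thread) of how first-match access-rule lookup behaves when the destination address object is "WAN Subnets" versus "Any". The interface subnets, the route table and the destination IPs are constructed for the example; the rule and zone names follow the thread.

```python
"""Toy model of SonicOS-style access-rule lookup, showing why a rule whose
destination is "WAN Subnets" drops internet-bound traffic while "Any" allows it.
Added illustration; not SonicWall code. All addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed interface/zone layout (assumption, not the poster's real addressing):
# X1 is the WAN interface with a small ISP-assigned /29; X4:V88 is the Multimedia VLAN.
WAN_INTERFACE_SUBNET = ipaddress.ip_network("203.0.113.0/29")
MULTIMEDIA_SUBNET = ipaddress.ip_network("192.168.88.0/24")

# Address objects. "WAN Subnets" contains only the subnets configured on interfaces
# in the WAN zone, NOT every network reachable through those interfaces.
ADDRESS_OBJECTS = {
    "Any": None,                        # None = wildcard, matches every destination
    "WAN Subnets": [WAN_INTERFACE_SUBNET],
    "Multimedia Subnets": [MULTIMEDIA_SUBNET],
}

# Route table: (network, egress zone). Longest prefix wins; the default route sends
# everything else out the WAN zone (the "route 14" of the thread).
ROUTES = [
    (WAN_INTERFACE_SUBNET, "WAN"),
    (MULTIMEDIA_SUBNET, "Multimedia"),
    (ipaddress.ip_network("0.0.0.0/0"), "WAN"),
]


@dataclass(frozen=True)
class AccessRule:
    priority: int
    src_zone: str
    dst_zone: str
    destination: str  # name of an address object
    action: str       # "Allow" or "Deny"


def egress_zone(dst_ip):
    """Longest-prefix-match route lookup; returns the zone the packet would leave by."""
    dst_ip = ipaddress.ip_address(dst_ip)
    matches = [(net, zone) for net, zone in ROUTES if dst_ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def dst_matches(object_name, dst_ip):
    """Does the destination address object contain dst_ip?"""
    nets = ADDRESS_OBJECTS[object_name]
    return nets is None or any(dst_ip in n for n in nets)


def evaluate(rules, src_zone, dst_ip):
    """First matching rule by priority decides. No match is the implicit deny,
    which the firewall logs as 'Packet dropped - Policy drop'."""
    dst_ip = ipaddress.ip_address(dst_ip)
    dst_zone = egress_zone(dst_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and dst_matches(rule.destination, dst_ip)):
            return rule.action, rule.priority
    return "Drop", None


# The rule as the poster had it: destination limited to the WAN interface subnet.
NARROW_RULE = AccessRule(1, "Multimedia", "WAN", "WAN Subnets", "Allow")
# The rule as suggested in the answer: destination Any, i.e. the whole internet.
FIXED_RULE = AccessRule(1, "Multimedia", "WAN", "Any", "Allow")


def compare(dst_ip):
    """Return (result with narrow rule, result with fixed rule) for one destination
    reached from the Multimedia zone."""
    return (evaluate([NARROW_RULE], "Multimedia", dst_ip),
            evaluate([FIXED_RULE], "Multimedia", dst_ip))


if __name__ == "__main__":
    for ip in ("8.8.8.8", "203.0.113.2"):
        print(ip, compare(ip))
```

With the narrow rule, a packet to a public address such as 8.8.8.8 still routes to the WAN zone but matches no rule and falls through to the implicit deny; only a packet addressed into the WAN interface's own /29 is allowed. With the destination set to "Any", both are allowed by rule 1.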
Answers
"Packet dropped - Policy drop" is the most annoying error, it can be caused by NAT policies, access policies and I think route policies, but never tells you which one. As you've checked the first two, is there a matching route policy for this traffic?
@Trauti are you running the latest firmware, 6.5.4.12? I had packet drops in the past despite the fact that there was a matching rule allowing the traffic. A reboot helped for a while, but it finally got fixed in 6.5.4.11+.
Just in case to rule this out.
--Michael@BWC
@ARKWRIGHT
I think I do, but I am not sure.
There are only the default routes created by the appliance itself.
They are the identical rules for X0 (working) as well as for X0:V88 (does not work) and X4:V88 (does not work).
Hi Michael @BWC,
Yes, I'm running on 6.5.4.12-101n and I have already rebooted several times ^^
Yeah, you were right. This did the trick!
I thought "WAN Subnets" was any network behind each interface with the "WAN" zone assigned...
But like you said, it is only the subnet of the given interface...
Thank you very much!
Cheers