No Destination Zone from Forwarding
Created On 07/21/20 03:01 AM - Last Modified 10/26/21 03:30 AM
Symptom
IPsec tunnel traffic fails and is dropped with the flow_policy_nofwd counter:
name                  value  rate  severity  category  aspect   description
--------------------------------------------------------------------------------
flow_policy_nofwd         3     0  drop      flow      session  Session setup: no destination zone from forwarding
appid_ident_by_icmp       3     0  info      appid     pktproc  Application identified by icmp type
--------------------------------------------------------------------------------
Environment
- IPsec tunnels on VM-Series firewalls
- IPsec tunnels on NGFW hardware
- All PAN-OS versions
Cause
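- On the transmitting firewall, this happens when the traffic source is in a different virtual router from the tunnel interface itself.
- If the firewall is receiving the tunnel traffic inbound, it fails for the same reason but reports a different drop type: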
name                  value  rate  severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                  2     0  info      packet    pktproc   Packets received
pkt_sent                  3     0  info      packet    pktproc   Packets transmitted
session_allocated         3     0  info      session   resource  Sessions allocated
session_installed         3     0  info      session   resource  Sessions installed
flow_fwd_l3_noroute       3     0  drop      flow      forward   Packets dropped: no route
Resolution
The destination interface on the firewall should be placed in the same virtual router as the tunnel interface.
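One way to check a configuration for this condition before or after the change. This is an added example, not part of the original article and not Palo Alto Networks code. The XML fragment, the virtual router names and the interface names are constructed, and the fragment is assumed to follow the virtual-router/entry/interface/member layout of an exported PAN-OS configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed config fragment (assumed layout, hypothetical names).
SAMPLE_CONFIG = """
<network>
  <virtual-router>
    <entry name="vr-trust">
      <interface>
        <member>ethernet1/2</member>
      </interface>
    </entry>
    <entry name="vr-vpn">
      <interface>
        <member>ethernet1/1</member>
        <member>tunnel.1</member>
      </interface>
    </entry>
  </virtual-router>
</network>
"""


def interface_to_vr(config_xml):
    """Map every interface name to the virtual router that lists it."""
    root = ET.fromstring(config_xml)
    owners = {}
    for vr in root.iter("virtual-router"):
        for entry in vr.findall("entry"):
            for member in entry.findall("./interface/member"):
                owners[(member.text or "").strip()] = entry.get("name")
    return owners


def vr_mismatches(config_xml, tunnel_if, traffic_ifs):
    """Return (interface, its_vr, tunnel_vr) for each interface outside the tunnel's VR.

    A virtual router of None means the interface is not listed in any virtual router.
    """
    owners = interface_to_vr(config_xml)
    tunnel_vr = owners.get(tunnel_if)
    return [(name, owners.get(name), tunnel_vr)
            for name in traffic_ifs
            if tunnel_vr is None or owners.get(name) != tunnel_vr]


if __name__ == "__main__":
    for name, vr, tunnel_vr in vr_mismatches(SAMPLE_CONFIG, "tunnel.1",
                                             ["ethernet1/1", "ethernet1/2"]):
        print(f"{name}: virtual router {vr!r}, tunnel.1 is in {tunnel_vr!r}")
```

Any interface the function returns is one whose traffic toward the tunnel would match the cause described above.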