Troubleshooting your VFP interface
The following troubleshooting information for virtual forwarding plane (VFP) interfaces might be useful.
- A VFP interface is not a "real" interface, in the way that dp0bond0 is (or even a VIF or TUN). It is a placeholder interface created by the firewall and NAT processes so they can properly process traffic. You can still route traffic over a VFP like a regular interface, but tshark and other monitor commands reveal no traffic.
- With NAT, you must use a more specific subnet range to get traffic routed to the VFP, rather than the kernel route that is created by IPsec. If a static route is not set, then the kernel route is followed. You can test this using show ip route x.x.x.x.
- DNAT should be processed properly coming out of the VFP, but returning traffic still needs a static route set. Look for non-NAT traffic heading out of the IPsec interface, dp0bond1 or dp0bond0 (or any interface using IPsec traffic).
- Using routing protocols and using a GRE tunnel over a VFP is untested.
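
The route selection behind the NAT item above, modeled as an added example (not code or output from the product): longest-prefix match over a constructed routing table. The interface name vfp0, the prefixes and the route sources are assumed values chosen for illustration.

```python
import ipaddress

# Constructed routing tables: (prefix, source, outgoing interface).
# All values are illustrative assumptions, not output from a real device.
KERNEL_ONLY = [
    ("0.0.0.0/0", "static", "dp0bond1"),
    ("10.20.0.0/16", "kernel", "dp0bond1"),  # stands in for the IPsec kernel route
]
WITH_VFP_ROUTE = KERNEL_ONLY + [
    ("10.20.30.0/24", "static", "vfp0"),     # more specific than the /16
]


def select_route(table, destination):
    """Return the table entry chosen by longest-prefix match, or None."""
    dst = ipaddress.ip_address(destination)
    candidates = [e for e in table if dst in ipaddress.ip_network(e[0])]
    if not candidates:
        return None
    return max(candidates, key=lambda e: ipaddress.ip_network(e[0]).prefixlen)


def reaches_vfp(table, destination, vfp="vfp0"):
    """True when traffic to destination is forwarded to the VFP interface."""
    route = select_route(table, destination)
    return route is not None and route[2] == vfp


def overrides_kernel(static_prefix, kernel_prefix):
    """True when the static prefix is a strictly more specific subnet
    of the kernel prefix, so longest-prefix match prefers it."""
    static = ipaddress.ip_network(static_prefix)
    kernel = ipaddress.ip_network(kernel_prefix)
    return static.subnet_of(kernel) and static.prefixlen > kernel.prefixlen


if __name__ == "__main__":
    for name, table in (("kernel only", KERNEL_ONLY), ("with VFP route", WITH_VFP_ROUTE)):
        for dst in ("10.20.30.5", "10.20.40.5"):
            prefix, source, iface = select_route(table, dst)
            print(f"{name:15} {dst:12} -> {prefix} ({source}) via {iface}")
```

Only destinations inside the more specific static prefix reach the VFP; the rest of the range still follows the kernel route, which is the case that show ip route x.x.x.x reveals.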