Skip to main content
maydin
Staff
maydin
Staff
May 1, 2026

Technical Tip: Understanding response-without-request logs in Forticarrier GTP Logs

  • May 1, 2026
  • 0 replies
  • 16 views

Description


This article describes why FortiCarrier generates response-without-request logs when processing GTP traffic. It describes how FortiCarrier correlates requests and responses, outlines common scenarios where this mismatch occurs, and provides guidance on troubleshooting and resolving such issues.


Scope


All FortiCarrier deployments using GTP inspection (GTP-C).

Solution


How FortiCarrier detects responses:

FortiCarrier tracks GTP transactions using a 5-tuple match:

  • Source IP.

  • Destination IP.

  • Source port.

  • Destination port.

  • Sequence number.

A response is only accepted if it matches a previously inspected request. If no match is found, the packet is dropped and logged as response-without-request.


Common causes of response-without-request.


  1. Request timeout (Half-open timeout exceeded).


If the response arrives after the request timeout, the request is no longer tracked.

Example:

  • Request sent.

  • half-open-timeout in GTP profile is 3 seconds.

  • Response arrives after 5 seconds and is dropped. See the example capture below:


23b45035.png


The log shows the drop reason:


f80a7839.png


  1. Monitor mode behavior.


When FortiCarrier is in monitor mode:

  • Denied requests are still forwarded.

  • They are not stored in the request queue.

As a result:

  • The Response arrives.

  • No matching request exists, so the response is dropped.

  • The following first request is denied but forwarded since the device is in monitor mode, and the response is denied afterwards with response-without-request log:


07b86f36.png91136ba7.png


How to troubleshoot the exact cause of this log:

  • Check and validate GTP profile settings.

  • Check if the device is in monitor mode.

  • Verify that there is no asymmetric routing.

  • If deeper troubleshooting is needed below data may be needed by Fortinet Support:

    • Enable gtp-c forward logs for the gtp-profile that have this issue.

    • Collect packet captures of the whole transaction related to the TEID where response-without-request logs are seen.

    • Send gtp-c forward logs and captures to Fortinet Support.


Summary:


The response-without-request log indicates that a GTP response could not be matched to a previously tracked request. This is typically caused by timeouts, monitor mode behavior, asymmetric routing, or missing session tracking. Proper configuration and traffic validation can prevent these issues.

    Terms & ConditionsAccessibility statement