princes
Staff
January 7, 2026

Technical Tip: How to check TCP half close and half open session on FortiGate CLI

Description: This article describes how to check the TCP half-open/close sessions on FortiGate.
Scope: FortiGate.
Solution

In some situations, it is necessary to verify an incomplete TCP handshake.

For example, a SYN packet may be sent, but no SYN-ACK response is received. Alternatively, a SYN-ACK response may be received, but the final ACK is missing. In other cases, the SYN-ACK might be received on a different interface and subsequently dropped.

A TCP half-open session generally refers to a TCP connection attempt that was never fully established, meaning the three-way handshake was not completed.

The following filters can be used on the FortiGate CLI to see the TCP half-open sessions:

diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter proto-state 2
diagnose sys session list

Or:

diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter proto-state 3
diagnose sys session list

The following is an example of a FortiGate session showing an incomplete TCP handshake (proto_state=02 means a SYN was sent but no SYN-ACK was received):

session info: proto=6 proto_state=02 duration=8 expire=1 timeout=3600 refresh_dir=both flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ helper=rsh vlan_cos=0/255
state=log local nds
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
tx speed(Bps/kbps): 7/0 rx speed(Bps/kbps): 0/0

A TCP half-close session refers to the situation where one end has closed the connection while the other still keeps the session active.

The following filters can be used on the FortiGate CLI to see the TCP half-close sessions:

diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter proto-state 4
diagnose sys session list

Or:

diagnose sys session filter clear
diagnose sys session filter proto 6
diagnose sys session filter proto-state 7
diagnose sys session list

Here, 'proto-state 4' means 'ESTABLISHED': the session is fully open, the 3-way handshake is completed, and traffic is flowing bi-directionally. Additionally, 'proto-state 7' means 'CLOSE_WAIT', which indicates that one side has sent the 'FIN'. The other side then acknowledged it, which means the local application will be closing the socket soon.

Note: If TCP connectivity between two Layer 3 devices is in question, always verify the TCP states on both ends. A TCP half-close condition can occur if a FIN packet is lost during transmission, leaving one side unaware that the connection has been closed.
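
When the session list is saved to a file, the same half-open and half-close checks can be tallied offline. The Python below is an added example, not part of the original article or any Fortinet tooling: it classifies sessions using only the proto-state values from the filters above, reads the two-digit proto_state field as one integer (an assumption), and runs on a constructed SAMPLE trimmed to the two lines it reads; the function names are hypothetical.

```python
import re
from collections import Counter

HALF_OPEN = {2, 3}   # proto-state values used by the article's half-open filters
HALF_CLOSE = {4, 7}  # proto-state values used by the article's half-close filters
INFO_RE = re.compile(r"session info: proto=(?P<proto>\d+) proto_state=(?P<state>\d+) "
                     r"duration=(?P<duration>\d+) expire=(?P<expire>\d+)")
STAT_RE = re.compile(r"statistic\S*: org=\d+/(\d+)/\d+ reply=\d+/(\d+)/\d+")

# Constructed sample (not a real capture), modelled on the session shown in the article.
SAMPLE = """\
session info: proto=6 proto_state=02 duration=8 expire=1 timeout=3600 refresh_dir=both
statistic(bytes/packets/allow_err): org=60/1/1 reply=0/0/0 tuples=2
session info: proto=6 proto_state=03 duration=2 expire=8 timeout=3600 refresh_dir=both
statistic(bytes/packets/allow_err): org=60/1/1 reply=60/1/1 tuples=2
session info: proto=6 proto_state=07 duration=95 expire=110 timeout=3600 refresh_dir=both
statistic(bytes/packets/allow_err): org=1480/12/1 reply=5320/10/1 tuples=2
session info: proto=17 proto_state=00 duration=3 expire=177 timeout=0 refresh_dir=both
statistic(bytes/packets/allow_err): org=76/1/1 reply=92/1/1 tuples=2
"""

def parse_sessions(text):
    """Return one dict per 'session info:' block found in saved CLI output."""
    sessions = []
    for line in text.splitlines():
        info = INFO_RE.search(line)
        if info:
            # Assumption: the two-digit proto_state field is one integer (02 -> 2).
            sessions.append({k: int(v) for k, v in info.groupdict().items()})
            continue
        stat = STAT_RE.search(line)
        if stat and sessions:
            sessions[-1]["org_pkts"], sessions[-1]["reply_pkts"] = map(int, stat.groups())
    return sessions

def classify(session):
    """Label a session with the same proto / proto-state pairs as the CLI filters."""
    if session["proto"] != 6:
        return "other"
    if session["state"] in HALF_OPEN:
        return "half-open"
    return "half-close" if session["state"] in HALF_CLOSE else "other"

def summarize(text):
    """Count sessions per label and list half-open sessions with zero reply packets."""
    sessions = parse_sessions(text)
    counts = Counter(classify(s) for s in sessions)
    unanswered = [s for s in sessions
                  if classify(s) == "half-open" and s.get("reply_pkts") == 0]
    return counts, unanswered
```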

 
