Troubleshooting Tip: Understanding of debug flow message 'TTL is exceeded. Drop the packet.'
| Description | This article describes the meaning of the debug flow message 'TTL is exceeded. Drop the packet.'. |
| Scope | FortiGate. |
Solution:

Traffic is initiated from the source IP 172.28.95.186 to the destination IP 172.28.22.150.
Debug output:
FortigGate # 2025-04-24 13:37:53 id=65308 trace_id=1 func=print_pkt_detail line=5879 msg="vd-root:0 received a packet(proto=1, 172.28.95.186:1->172.28.22.150:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=11276."
The debug flow trace reports the drop with the message 'TTL is exceeded. Drop the packet.'. This means the FortiGate received a packet whose Time To Live (TTL) value was already 1. When forwarding such a packet, the FortiGate decrements the TTL to 0, drops the packet, and sends an ICMP Time Exceeded error back to the source IP: Type 11 (Time-to-Live exceeded), Code 0 (TTL exceeded in transit).
To verify this, take a packet capture from the FortiGate GUI -> Network -> Diagnostics.
Frame 21: FortiGate receives the packet with TTL == 1.
Frame 22: FortiGate's ICMP Time Exceeded (Type 11, Code 0) response to that packet.
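The exchange described above, as an added example that is not part of the original article or of FortiOS itself: the script parses the 'received a packet' debug flow line into its fields, rebuilds the ICMP echo request it describes, and runs it through a model of the TTL step of IPv4 forwarding, which drops a TTL=1 packet and generates the ICMP Type 11 / Code 0 reply seen in Frame 22 (the FortiGate interface address 172.28.95.1 and the echo payload are constructed assumptions, not values from the article).

```python
import re
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the 'received a packet' line from the article's debug
# flow trace. For ICMP echo, FortiGate shows the echo id in the source-port
# slot (1) and type*256+code in the destination-port slot (8*256+0 = 2048),
# consistent with the type=8, code=0, id=1 fields that follow.
SAMPLE_DEBUG_LINE = (
    '2025-04-24 13:37:53 id=65308 trace_id=1 func=print_pkt_detail line=5879 '
    'msg="vd-root:0 received a packet(proto=1, 172.28.95.186:1->172.28.22.150:2048) '
    'tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=11276."'
)

PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)'
    r'.*?from (?P<iface>\w+)\.'
)


def parse_debug_flow_line(line: str) -> Optional[dict]:
    """Extract protocol, 5-tuple and ingress interface from a debug flow line."""
    m = PKT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ('proto', 'sport', 'dport'):
        d[key] = int(d[key])
    return d


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack('!H', inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(icmp_type: int, code: int, rest_of_header: bytes, body: bytes) -> bytes:
    """ICMP message: type, code, checksum, 4 bytes 'rest of header', then body."""
    hdr = struct.pack('!BBH', icmp_type, code, 0) + rest_of_header
    csum = inet_checksum(hdr + body)
    return hdr[:2] + struct.pack('!H', csum) + rest_of_header + body


@dataclass
class ForwardResult:
    action: str    # 'forward' or 'drop'
    reason: str
    packet: bytes  # the forwarded packet, or the ICMP error returned to the source


def forward_ttl_step(packet: bytes, router_ip: str) -> ForwardResult:
    """Model the TTL step of IPv4 forwarding: decrement, drop at 0, send ICMP type 11."""
    ihl = (packet[0] & 0x0F) * 4
    ttl = packet[8]
    src = socket.inet_ntoa(packet[12:16])
    if ttl <= 1:
        # Decrementing would reach 0: drop and return ICMP Time Exceeded
        # (type 11, code 0, 'TTL exceeded in transit'), quoting the original IP
        # header plus the first 8 bytes of its payload, as RFC 792 requires.
        quoted = packet[:ihl + 8]
        icmp_err = build_icmp(11, 0, b'\x00' * 4, quoted)
        err_pkt = build_ipv4(router_ip, src, 1, 64, icmp_err)
        return ForwardResult('drop', 'TTL is exceeded. Drop the packet.', err_pkt)
    out = bytearray(packet)
    out[8] = ttl - 1
    out[10:12] = b'\x00\x00'  # zero the field, then recompute the header checksum
    out[10:12] = struct.pack('!H', inet_checksum(bytes(out[:ihl])))
    return ForwardResult('forward', 'TTL decremented to %d' % (ttl - 1), bytes(out))


def simulate_from_debug_line(line: str, ttl: int, router_ip: str) -> ForwardResult:
    """Rebuild the echo request described by a debug line and run it through the TTL step."""
    f = parse_debug_flow_line(line)
    if f is None:
        raise ValueError('not a "received a packet" debug flow line')
    # Echo id 1 and seq 11276 as in the sample line; the payload is constructed.
    echo = build_icmp(8, 0, struct.pack('!HH', 1, 11276), b'constructed')
    pkt = build_ipv4(f['src'], f['dst'], f['proto'], ttl, echo)
    return forward_ttl_step(pkt, router_ip)


if __name__ == '__main__':
    # 172.28.95.1 is a hypothetical FortiGate interface address, not from the article.
    for ttl in (1, 2):
        r = simulate_from_debug_line(SAMPLE_DEBUG_LINE, ttl, '172.28.95.1')
        print('TTL=%d -> %s (%s)' % (ttl, r.action, r.reason))
```

Running it with TTL=1 yields the drop and a 56-byte ICMP error whose inner 28 bytes are the original header and echo header, which is exactly what Frame 22 carries; with TTL=2 the packet is forwarded with TTL=1 and a recomputed header checksum. The parser is the piece worth keeping: run over a saved debug flow trace it turns the 'received a packet' lines into tuples you can correlate with the capture.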
The TTL exceeded message indicates that a packet has traversed too many hops without reaching its destination. Most commonly this is caused by misconfigured routing that creates a loop, or by a low initial TTL set at the source. Resolve it by tracing the packet path, identifying routing anomalies, and correcting the TTL settings on the source device or intermediate routers.
Related document: