HASimac
New Member
May 22, 2017
Solved

FortiGate running 5.4.4 drops packets with the SYN+ECN+CWR flags enabled


Hello,

One of our customers migrated from 5.2.10 to 5.4.4.

After this migration, packets with the SYN+ECN+CWR flags set were silently dropped by the firewall.

In order to solve this issue, we had to disable ECN on the client:

https://ask.wireshark.org/questions/32067/many-many-tcp-out-of-order-dup-acks-and-retransmissions

netsh interface tcp set global ecncapability=disabled

Is this a known issue with FortiGate firewalls?

Is there any command to disable this check?

Regards,

HA

    Best answer by ChrisDavis

    I've been told (but so far have not been able to test fully) that the bug has been fixed in 5.4.5.

    Well, to be accurate, our account management tech support said the devs have not been able to reproduce the bug in 5.4.5, so it sounds like the fix is a by-product of another bug fix.

    As I said, I haven't tested it yet, so if you try it, let us know. Our 100Es on 5.4.4 are in production, so I don't want to install 5.4.5 until it's been out for a little while longer and I can have some confidence that there aren't other issues. 5.4.5 seems fine on our development kit at the moment, to be fair.


    emnoc
    New Member
    May 22, 2017

    Under config sys global, what do you have for protocol checks?

    e.g.

    set check-protocol-header loose  (or strict)

    I would start at that point. Since the SYN packets have the TCP options, we need a way to fix up TCP SYNs or SYN-ACKs. Most open-source firewalls have the means to scrub or clean tcp.flags (iptables, PF, etc.).

    http://socpuppet.blogspot...ring-bad-tcpflags.html

     

     

     

     
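The two posts above (the original question, where SYN segments with ECE and CWR set were dropped, and the reply about scrubbing TCP flags) are about the same thing: what a TCP flag sanity check should and should not reject. RFC 3168 defines an "ECN-setup SYN" as a SYN with both ECE and CWR set, and an "ECN-setup SYN-ACK" as a SYN+ACK with ECE set and CWR clear; both are legitimate and an ECN-capable client (a Windows host with ecncapability enabled, for instance) sends the former on every new connection. The block below is an added example, not code from this thread or from Fortinet: it parses raw TCP headers, classifies the control bits, and compares a correct RFC 793/3168 check against a deliberately faulty one that treats any ECE/CWR on a SYN as malformed. The faulty rule is a hypothetical reconstruction of the behaviour reported in the thread, and the sample headers are constructed inline.

```python
"""TCP flag sanity checks: ECN-setup SYN vs genuinely bogus flag combinations.

Added example (not from the thread or Fortinet).  The 'naive' rule is a
hypothetical reconstruction of the reported behaviour; the sample headers
below are constructed for the demonstration.
"""
import struct

# TCP control bits, low 9 bits of the data-offset/flags word (RFC 793, RFC 3168, RFC 3540)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK",
              URG: "URG", ECE: "ECE", CWR: "CWR", NS: "NS"}


def build_tcp(flags: int, sport: int = 49152, dport: int = 443) -> bytes:
    """Constructed 20-byte TCP header (no options, zero checksum) carrying `flags`."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Extract the 9-bit flag field from a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    return struct.unpack("!H", segment[12:14])[0] & 0x1FF


def flag_str(flags: int) -> str:
    return "+".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "NONE"


def classify(flags: int) -> str:
    """Label a segment by its control bits, following RFC 793 and RFC 3168."""
    if flags & 0x3F == 0:                       # no FIN/SYN/RST/PSH/ACK/URG: NULL scan
        return "null"
    if flags & SYN:
        if flags & (FIN | RST):                 # SYN can never be combined with FIN or RST
            return "syn-with-fin-or-rst"
        if flags & ACK:
            if flags & ECE and not flags & CWR: # RFC 3168 ECN-setup SYN-ACK
                return "ecn-setup-syn-ack"
            return "syn-ack"
        if flags & ECE and flags & CWR:         # RFC 3168 ECN-setup SYN (what the thread saw dropped)
            return "ecn-setup-syn"
        return "syn"
    if flags & RST:
        return "rst"
    if not flags & ACK:                         # after the SYN every segment carries ACK: bare FIN, XMAS
        return "no-ack"
    return "established"


BOGUS = {"null", "syn-with-fin-or-rst", "no-ack"}


def rfc_accept(segment: bytes) -> bool:
    """Correct check: reject impossible combinations, accept ECN-setup handshakes."""
    return classify(tcp_flags(segment)) not in BOGUS


def naive_accept(segment: bytes) -> bool:
    """Hypothetical reconstruction of the faulty check: the RFC rules plus
    'any ECE or CWR on a SYN is malformed', which drops ECN-capable clients."""
    flags = tcp_flags(segment)
    return rfc_accept(segment) and not (flags & SYN and flags & (ECE | CWR))


# Constructed sample segments (not captured traffic)
SAMPLES = {
    "ecn-capable client syn": build_tcp(SYN | ECE | CWR),
    "plain syn": build_tcp(SYN),
    "ecn syn-ack": build_tcp(SYN | ACK | ECE),
    "syn+fin": build_tcp(SYN | FIN),
    "null scan": build_tcp(0),
    "xmas scan": build_tcp(FIN | PSH | URG),
}


def compare() -> dict:
    """Return {sample name: (classification, naive verdict, rfc verdict)}."""
    return {name: (classify(tcp_flags(seg)), naive_accept(seg), rfc_accept(seg))
            for name, seg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (cls, naive, rfc) in compare().items():
        flags = flag_str(tcp_flags(SAMPLES[name]))
        print(f"{name:24} {flags:14} {cls:20} naive={'pass' if naive else 'DROP'} rfc={'pass' if rfc else 'DROP'}")
```

Running it shows the one row where the two checks disagree: the ECN-setup SYN (and the ECN SYN-ACK) is dropped by the naive rule and accepted by the RFC rule, while the genuinely bogus combinations (SYN+FIN, NULL, XMAS) are dropped by both. A scrubbing rule on any firewall should only ever reject the second group.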

    HASimac (Author)
    New Member
    May 23, 2017

    Hi,

    First, thanks for your help.

    Unfortunately, check-protocol-header is already set to 'loose'...

    anti-replay         : disable

    asymroute           : enable

    tcp-session-without-syn: enable

    Any other ideas?

    ChrisDavis
    New Member
    May 26, 2017

    Hi

    We have the same thing.

     

    It's a confirmed bug, specifically:

    "Bug #0240576 : NP6 packet sanity check considers wrongly SYN with ECN and/or CWR as an incorrect packet."

    Disabling ECN works, but that's not a very useful workaround when dealing with third parties.

    Makes VPNs with 5.4.4 mostly useless.

    HASimac (Author)
    New Member
    May 29, 2017

    Hi Chris,

     

    Thanks for the info !

    Two questions now.

    Does this bug affect all FortiOS releases, or is it limited to 5.4.4?

    Where can I find a bug list for FortiGate devices?

     

    Regards,

     

    HA

    ChrisDavis
    New Member
    May 30, 2017

    I'm afraid I don't have that information.

    AFAIK Fortinet do not publish their bug list, unlike, say, Cisco (to be fair, even Cisco don't publish all their bugs).

    You will have to push your account manager if you have one, or raise a support case if you can.

     

     

    simonorch
    Explorer
    October 4, 2023

    Bringing this old thread back up to report that the same issue has reappeared in 7.2.x. The same workaround works as well, i.e. disable npu-offloading on the p1 IPsec. From our testing, this affects the ingress IPsec tunnel interface. Tested in 7.2.5 and 7.2.6.