kutty7
New Member
March 27, 2026
Question

Fortinet Session Timeouts

  • March 27, 2026
  • 3 replies
  • 327 views

I’ve got a couple servers at different sites that need to synchronize data between them on a set schedule over an HTTP/2 connection across a VPN tunnel.

I’m having an issue where it appears that the FortiGates are marking the sessions as timed out (evidenced by action in logs) despite traffic actively flowing across the tunnel.

I tried increasing the TCP timers on the service object, changing the policy to proxy mode, and disabling ASIC offload, but it still appears to be having issues.

I also tried a diag debug session list but never saw anything about what’s causing the timeout.

Any ideas?

3 replies

eng_jathin
New Member
March 28, 2026

Hello,

That is an incredibly frustrating issue. Since you’ve already ruled out ASIC offloading, proxy mode, and standard TCP timers, the issue likely stems from the firewall failing to track the state of the long-lived HTTP/2 streams or dropping encapsulated packets silently.

Just see the below points also:

- TCP-MSS Clamping: HTTP/2 often pushes large frames that, when encapsulated in IPsec, exceed the MTU. If ICMP "Fragmentation Needed" is blocked, you'll see "timeouts" as the sender hangs waiting for ACKs.
  * Fix: set tcp-mss-sender 1350 / set tcp-mss-receiver 1350

- IPsec Anti-Replay Drops: High-throughput data syncs can cause packets to arrive out of order. If they fall outside the replay window, the FortiGate drops them, stalling the TCP session.
  * Check: get vpn ipsec stats crypto (look for replay errors)

- TCP Half-Close Timer: HTTP/2 uses multiplexed streams that often enter a "half-closed" state.
  * Fix: Increase tcp-halfclose-timer under config system global

Also, just try bypassing the inspection engine by moving the traffic to a dedicated flow-based policy with zero security profiles (IPS/App Control/Web/AV) to rule out Layer 7 inspection drops or malformed frame rejections.


If the issue arises again, share the logs:

diag debug flow filter addr <Server_IP>
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable


funkylicious
SuperUser
March 28, 2026

What do the logs actually say when it's timed out? Can you share?

"jack of all trades, master of none"
rosatechnocrat
Explorer III
March 29, 2026

@kutty7 : Check the session list for those specific sources and destinations and see the timeout values for the connections.

diag sys session filter saddr 
diag sys session list

and verify why the timeout is occurring: is it actually a session timeout or due to no response?

> Is the timeout for the IPsec connection itself and the tunnel going down?
> Is the timeout for the data connection over the tunnel?

Regards

Subscribe to "ROSA Technocrat" on YouTube for Fortinet Videos and Troubleshooting https://www.youtube.com/@rosatechnocrat
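An added example (not from any poster in this thread) that pulls the timeout, expire and state fields out of saved `diag sys session list` output so the sync sessions can be compared side by side, flagging ones that are half-closed or close to expiring. The sample text is constructed to resemble that output, not a real capture, and the TCP state-code mapping is an assumption to verify against your FortiOS version.

```python
import re
# Constructed sample shaped like `diag sys session list` output (not a real
# capture): one healthy established session and one half-closed session that
# is about to expire.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=1805 expire=3595 timeout=3600 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=pre dir=org act=noop 10.1.1.5:50412->10.2.2.5:443(0.0.0.0:0)
hook=post dir=reply act=noop 10.2.2.5:443->10.1.1.5:50412(0.0.0.0:0)
session info: proto=6 proto_state=04 duration=130 expire=10 timeout=120 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
hook=pre dir=org act=noop 10.1.1.5:50413->10.2.2.5:443(0.0.0.0:0)
hook=post dir=reply act=noop 10.2.2.5:443->10.1.1.5:50413(0.0.0.0:0)
total session 2
"""

# TCP proto_state is two digits (server side, client side). This mapping is
# my recollection of the FortiOS docs, an assumption to verify for your version.
TCP_STATE = {"0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_RECV",
             "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
             "8": "LAST_ACK", "9": "LISTEN"}
HALF_CLOSED = {"FIN_WAIT", "CLOSE_WAIT", "LAST_ACK"}

KV = re.compile(r"(\w+)=(\S*)")
ORG = re.compile(r"hook=\S+ dir=org act=\S+ (\S+?)->(\S+?)\(")

def parse_session_list(text):
    """Return one dict per session: originating endpoints plus timer/state fields."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith("session info:"):
            kv = dict(KV.findall(line))
            cur = {"proto": int(kv["proto"]), "state": kv["proto_state"],
                   "expire": int(kv["expire"]), "timeout": int(kv["timeout"]),
                   "src": None, "dst": None}
            sessions.append(cur)
        elif cur is not None and (m := ORG.match(line)):
            cur["src"], cur["dst"] = m.group(1), m.group(2)  # originating direction
    return sessions

def is_half_closed(s):
    """True if either side of a TCP session is in a FIN/CLOSE_WAIT/LAST_ACK state."""
    return s["proto"] == 6 and any(TCP_STATE.get(d) in HALF_CLOSED for d in s["state"])

def near_expiry(s, fraction=0.1):
    """True if the remaining 'expire' countdown is under `fraction` of the timeout."""
    return s["timeout"] > 0 and s["expire"] <= s["timeout"] * fraction

def suspicious_sessions(text, fraction=0.1):
    """Sessions worth a closer look: half-closed or about to time out."""
    return [s for s in parse_session_list(text) if is_half_closed(s) or near_expiry(s, fraction)]
```

Run it against the saved output of `diag sys session list` taken while the sync is active, then again after the timeout is logged, to see whether the session's timer was genuinely exhausted or the entry went half-closed first.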