Trying to have a better understanding of #diagnose sys session list output
Hello,
I am currently trying to troubleshoot an issue where an external client cannot connect to an internal server. I have followed this documentation guide but I do not understand 100% the output of the #diagnose sys session list command:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD30042
FW (FW_VDOM_1) # diagnose sys session list

session info: proto=6 proto_state=01 duration=83 expire=3576 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=1 policy_dir=0 tunnel=/ vlan_cos=0/7
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=3969/32/1 reply=16481/45/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 1/0
orgin->sink: org pre->post, reply pre->post dev=37->41/41->37 gwy=172.16.40.19/0.0.0.0
hook=pre dir=org act=dnat 81.63.141.211:53466->191.2.16.148:443(172.16.40.19:443)
hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:53466(191.2.16.148:443)
pos/(before,after) 0/(0,0), 0/(0,0)
dst_mac=01:52:16:71:a9:bb
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=2
serial=01e45821 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy

session info: proto=6 proto_state=01 duration=49 expire=3600 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=1 policy_dir=0 tunnel=/ vlan_cos=0/7
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=362913/9006/1 reply=19642544/17980/1 tuples=2
tx speed(Bps/kbps): 7400/59 rx speed(Bps/kbps): 400541/3204
orgin->sink: org pre->post, reply pre->post dev=37->41/41->37 gwy=172.16.40.19/0.0.0.0
hook=pre dir=org act=dnat 81.63.141.211:15327->191.2.16.148:443(172.16.40.19:443)
hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:15327(191.2.16.148:443)
pos/(before,after) 0/(0,0), 0/(0,0)
dst_mac=01:52:16:71:a9:bb
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=2
serial=01e81f2b tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000001 no_offload
no_ofld_reason: disabled-by-policy

session info: proto=6 proto_state=01 duration=49 expire=3600 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=1 policy_dir=0 tunnel=/ vlan_cos=0/7
state=log dirty may_dirty f00
statistic(bytes/packets/allow_err): org=200472/939/1 reply=41068/921/1 tuples=2
tx speed(Bps/kbps): 4061/32 rx speed(Bps/kbps): 832/6
orgin->sink: org pre->post, reply pre->post dev=37->0/0->37 gwy=0.0.0.0/192.168.12.5
hook=pre dir=org act=dnat 81.63.141.211:49266->191.2.16.148:443(172.16.40.19:443)
hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:49266(191.2.16.148:443)
pos/(before,after) 0/(0,0), 0/(0,0)
dst_mac=01:52:16:71:a9:bb
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=2
serial=01e81f12 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000001 no_offload
no_ofld_reason: dirty disabled-by-policy

session info: proto=6 proto_state=01 duration=84 expire=3576 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=1 policy_dir=0 tunnel=/ vlan_cos=0/7
state=log dirty may_dirty f00
statistic(bytes/packets/allow_err): org=12952/56/1 reply=6388/54/1 tuples=2
tx speed(Bps/kbps): 153/1 rx speed(Bps/kbps): 75/0
orgin->sink: org pre->post, reply pre->post dev=37->0/0->37 gwy=0.0.0.0/192.168.12.5
hook=pre dir=org act=dnat 81.63.141.211:15299->191.2.16.148:443(172.16.40.19:443)
hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:15299(191.2.16.148:443)
pos/(before,after) 0/(0,0), 0/(0,0)
dst_mac=01:52:16:71:a9:bb
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=2
serial=01e8184c tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000
dd_type=0 dd_mode=0
npu_state=0x000001 no_offload
no_ofld_reason: dirty disabled-by-policy

total session 4
My questions:
1- Which is the difference between proto_state=01 and proto_state=11? I understand that the first digit (0) belongs to the original direction and the second (1) is the reply direction but, why do I sometimes see 01 and other times 11?
2- proto_state=01 means NONE/ESTABLISHED according to the proto_state table but I am connected to the internal server and using a netstat command I cannot see any established connection. So, why is the Fortinet saying that there is an established connection? I am using the FW in proxy mode, is maybe the session established between the client and the Forti? If it is the case, how could I see if the session between the Forti and the server is established too?
Thank you very much.
Best regards.
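As an added example (not from the post, the KB article or Fortinet), a small Python parser for this session-list output: it splits the dump into sessions, decodes both proto_state digits with the FortiOS TCP state table (0 NONE, 1 ESTABLISHED, 2 SYN_SENT, ...), pulls out the dnat/snat hooks, the gateway and the dirty flag, and keeps the per-direction packet counts, since reply packets greater than zero are the quickest evidence that the server side actually answered. The embedded sample is constructed from the post's own lines, trimmed to the fields the parser reads.

```python
import re

# FortiOS TCP proto_state digit table (Fortinet session-list documentation); TCP (proto=6) only.
TCP_STATES = {"0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN_SYNACK",
              "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
              "8": "LAST_ACK", "9": "LISTEN"}

# Constructed sample modelled on the post's output: one clean session and one "dirty" one.
SAMPLE = """session info: proto=6 proto_state=01 duration=83 expire=3576 timeout=3600 use=4
state=log may_dirty f00
statistic(bytes/packets/allow_err): org=3969/32/1 reply=16481/45/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=37->41/41->37 gwy=172.16.40.19/0.0.0.0
hook=pre dir=org act=dnat 81.63.141.211:53466->191.2.16.148:443(172.16.40.19:443)
hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:53466(191.2.16.148:443)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=2
session info: proto=6 proto_state=11 duration=49 expire=3600 timeout=3600 use=4
state=log dirty may_dirty f00
statistic(bytes/packets/allow_err): org=200472/939/1 reply=41068/921/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=37->0/0->37 gwy=0.0.0.0/192.168.12.5
hook=pre dir=org act=dnat 81.63.141.211:49266->191.2.16.148:443(172.16.40.19:443)
hook=post dir=reply act=snat 172.16.40.19:443->81.63.141.211:49266(191.2.16.148:443)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=2
"""

HOOK_RE = re.compile(r"hook=(\w+) dir=(\w+) act=(\w+) (\S+)->(\S+?)(?:\((\S+)\))?$", re.M)

def decode_proto_state(code):
    """Two-digit TCP proto_state -> (first digit, second digit) state names, e.g. "01" -> NONE/ESTABLISHED."""
    return TCP_STATES[code[0]], TCP_STATES[code[1]]

def parse_sessions(text):
    """Split session-list output into one dict per session with the fields worth checking."""
    sessions = []
    for block in re.split(r"^session info: ", text, flags=re.M)[1:]:
        kv = dict(re.findall(r"(\w+)=(\S+)", block))  # simple key=value scrape, later keys win
        pkts = re.search(r"org=\d+/(\d+)/\d+ reply=\d+/(\d+)/\d+", block)
        first, second = decode_proto_state(kv["proto_state"])
        sessions.append({
            "proto_state": kv["proto_state"], "states": (first, second),
            "policy_id": kv.get("policy_id"), "gwy": kv.get("gwy"),
            # "dirty" on the state line: FortiOS will re-evaluate the session against policy
            "dirty": bool(re.search(r"^state=.*\bdirty\b", block, re.M)),
            # reply packets > 0 shows the server side actually answered through this session
            "org_pkts": int(pkts.group(1)), "reply_pkts": int(pkts.group(2)),
            "nat": [(act, src, dst, real) for _, _, act, src, dst, real in HOOK_RE.findall(block)],
        })
    return sessions
```

Run it against a saved copy of the real dump (open the file and pass its text to parse_sessions) and compare the reply_pkts and gwy values of the sessions that fail with those that work.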