kcapecchi
Staff
Article Id 198452

Description

This article provides an explanation of the entry 'action=ip-conn' that may be seen in the traffic logs.

For example:

Aug 23 03:52:14 10.95.216.1 date=2016-08-23 time=03:52:14 devname=external-fgt-01 devid=FGXXXXXXXX logid=0000000011 type=traffic subtype=forward level=warning vd=root srcip=1.2.3.4 srcport=48641 srcintf="PUBLIC-VIP" dstip=4.3.2.1 dstport=80 dstintf="LOCAL-PORT" poluuid=342f44-adff-asdfasd-mujjh-5yghnhn56hhd sessionid=3025325172 proto=6 action=ip-conn policyid=2 appcat="unscanned" crscore=5 craction=262144 crlevel=low

Scope

FortiGate.

Solution

The value 'ip-conn' in the 'action' log field means that the traffic was allowed, but the session was closed because the FortiGate did not receive any reply packet. The resulting error is shown as 'IP connection error'.

This can occur if the connection to the remote server fails or a timeout occurs.

Packet loss may be experienced due to a bad connection, traffic congestion, or high memory and CPU utilization on either the FortiGate or the host.
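As an added example that is not part of the original article, the following Python script parses lines in the traffic-log format shown above and reports destinations where most forwarded sessions ended with action=ip-conn, which narrows down which server to ping and sniff; the sample log lines, hosts, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FortiGate traffic-log format shown in the
# article (syslog prefix, then key=value pairs); hosts and addresses are invented.
SAMPLE_LOGS = """\
Aug 23 03:52:14 10.95.216.1 date=2016-08-23 time=03:52:14 devname=external-fgt-01 type=traffic subtype=forward level=warning vd=root srcip=1.2.3.4 srcport=48641 srcintf="PUBLIC-VIP" dstip=4.3.2.1 dstport=80 dstintf="LOCAL-PORT" sessionid=3025325172 proto=6 action=ip-conn policyid=2 appcat="unscanned"
Aug 23 03:52:15 10.95.216.1 date=2016-08-23 time=03:52:15 devname=external-fgt-01 type=traffic subtype=forward level=notice vd=root srcip=1.2.3.5 srcport=51000 srcintf="PUBLIC-VIP" dstip=4.3.2.1 dstport=80 dstintf="LOCAL-PORT" sessionid=3025325173 proto=6 action=accept policyid=2 appcat="unscanned"
Aug 23 03:52:16 10.95.216.1 date=2016-08-23 time=03:52:16 devname=external-fgt-01 type=traffic subtype=forward level=warning vd=root srcip=1.2.3.6 srcport=52000 srcintf="PUBLIC-VIP" dstip=4.3.2.1 dstport=80 dstintf="LOCAL-PORT" sessionid=3025325174 proto=6 action=ip-conn policyid=2 appcat="unscanned"
Aug 23 03:52:17 10.95.216.1 date=2016-08-23 time=03:52:17 devname=external-fgt-01 type=traffic subtype=forward level=notice vd=root srcip=1.2.3.7 srcport=53000 srcintf="PUBLIC-VIP" dstip=4.3.2.2 dstport=443 dstintf="LOCAL-PORT" sessionid=3025325175 proto=6 action=accept policyid=2 appcat="unscanned"
"""

# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_traffic_log(line):
    """Parse one FortiGate key=value log line into a dict with quotes stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def ip_conn_by_destination(lines):
    """Return {(dstip, dstport): (ip_conn_sessions, total_sessions)} for forward
    traffic logs; a destination where most sessions end in ip-conn was reached by
    the FortiGate but never answered."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        f = parse_traffic_log(line)
        if f.get("type") != "traffic" or f.get("subtype") != "forward":
            continue
        key = (f.get("dstip"), f.get("dstport"))
        stats[key][1] += 1
        if f.get("action") == "ip-conn":
            stats[key][0] += 1
    return {k: tuple(v) for k, v in stats.items()}


def unreachable_destinations(lines, min_sessions=2, min_ratio=0.5):
    """Destinations whose ip-conn share reaches the threshold: candidates to ping/sniff."""
    return sorted(dest for dest, (bad, total) in ip_conn_by_destination(lines).items()
                  if total >= min_sessions and bad / total >= min_ratio)


if __name__ == "__main__":
    print(unreachable_destinations(SAMPLE_LOGS.splitlines()))
```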

To troubleshoot this issue, run an extended ping test to see whether packet loss is experienced (the FortiGate CLI commands are shown below; run the equivalent ping from the host as well):

exe ping-options repeat-count 10000
exe ping 8.8.8.8

Check the resource utilization on the FortiGate and perform the equivalent check on the host:

diagnose hardware sysinfo memory
get system performance status
get system performance top
diagnose system top

Run the following packet sniffer in the CLI, where x.x.x.x is the client IP (verbosity level 4, unlimited packet count, absolute timestamps):

diagnose sniffer packet any "host x.x.x.x and port 53" 4 0 a