Article Id 274367



This article describes the meaning of 'no session matched' in the debug flow output and how to record 'no session matched' events in the traffic log.


Technical Tip: 'No Session Match' error and halfclose timer

Scope: FortiGate.

To log the 'no session matched' event in the traffic log, the option 'log-invalid-packet' must be enabled:


config log setting

    set log-invalid-packet enable

end


Once this is enabled, 'no session matched' events are recorded in the traffic log. The following is a sample log message for 'no session matched':


date=2023-09-08 time=12:46:49 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1694148409 srcip= srcport=61613 srcintf="port2" srcintfrole="undefined" dstip= dstport=22 dstintf=unknown-0 dstintfrole="undefined" proto=6 action="deny" policyid=0 policytype="policy" service="SSH" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"


This means that FortiGate received a packet for which it has no established session: for example, it never saw the initial TCP three-way handshake for that flow. One common cause is a change in the routing path.


For example, the TCP session was initially routed along a path that did not pass through FortiGate. A routing change then caused packets of that session to arrive at this FortiGate. Because FortiGate has no session entry for the flow, it denies the packet and records the 'no session matched' log.
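As an added illustration (not code from the article or from Fortinet), the Python below parses FortiGate key=value traffic log lines in the format of the sample above and counts 'no session matched' events per ingress interface, protocol and destination port; a cluster on one interface and service is a quick pointer to flows arriving mid-stream after a routing change. The sample log lines are constructed, with documentation-range addresses, and the third one has redacted (empty) IP fields like the article's sample.

```python
import re
from collections import Counter

# FortiGate traffic logs are space-separated key=value pairs. Values that
# contain spaces are double-quoted (msg="no session matched"); a redacted
# field may carry an empty value (srcip=).
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_fortigate_log(line):
    """Return one FortiGate key=value log line as a dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in _KV.findall(line)}


def no_session_events(lines):
    """Return the parsed traffic records whose msg is 'no session matched'."""
    records = (parse_fortigate_log(line) for line in lines)
    return [r for r in records
            if r.get("type") == "traffic" and r.get("msg") == "no session matched"]


def summarize_by_ingress(lines):
    """Count 'no session matched' events per (srcintf, proto, dstport).

    Many hits on one ingress interface and service suggest that flows reach
    this FortiGate mid-stream, e.g. after a routing change moved an existing
    session onto a path through the firewall.
    """
    return Counter((r.get("srcintf"), r.get("proto"), r.get("dstport"))
                   for r in no_session_events(lines))


# Constructed sample lines (hypothetical, documentation-range addresses),
# shaped like the article's log; the last line is ordinary accepted traffic.
SAMPLE_LOGS = [
    'date=2023-09-08 time=12:46:49 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" srcip=192.0.2.10 srcport=61613 srcintf="port2" dstip=198.51.100.5 dstport=22 dstintf=unknown-0 proto=6 action="deny" policyid=0 service="SSH" msg="no session matched"',
    'date=2023-09-08 time=12:46:50 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" srcip=192.0.2.11 srcport=50210 srcintf="port2" dstip=198.51.100.5 dstport=22 dstintf=unknown-0 proto=6 action="deny" policyid=0 service="SSH" msg="no session matched"',
    'date=2023-09-08 time=12:46:51 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" srcip= srcport=40001 srcintf="port1" dstip= dstport=53 dstintf=unknown-0 proto=17 action="deny" policyid=0 service="DNS" msg="no session matched"',
    'date=2023-09-08 time=12:46:52 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.0.2.12 srcport=40002 srcintf="port2" dstip=198.51.100.9 dstport=443 dstintf="port1" proto=6 action="accept" policyid=3 service="HTTPS"',
]

if __name__ == "__main__":
    for key, count in summarize_by_ingress(SAMPLE_LOGS).most_common():
        print(key, count)
```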