Description
This article explains the meaning of 'no session matched' in the debug flow output and describes how to log 'no session matched' events in the traffic log.
Scope
FortiGate.
Solution
To log the 'no session matched' event in the traffic log, enable the 'log-invalid-packet' option:
config log setting
    set log-invalid-packet enable
end
In FortiOS v7.4.x and later, the option shown above has been replaced by 'extended-log':
config log setting
    set extended-log enable
end
Once enabled, the traffic log records entries such as the following:
date=2023-09-08 time=12:46:49 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1694148409 srcip=10.98.98.101 srcport=61613 srcintf="port2" srcintfrole="undefined" dstip=10.40.30.90 dstport=22 dstintf=unknown-0 dstintfrole="undefined" proto=6 action="deny" policyid=0 policytype="policy" service="SSH" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"
The message means that FortiGate received a packet for which it has no established session, for example because the initial TCP three-way handshake never passed through the FortiGate. One common cause is a change in the routing path.
For example, the TCP session was initially routed over a path that did not go through the FortiGate. A routing change then caused the session's packets to be routed through this FortiGate. Because the FortiGate has no session entry for that TCP connection, the packet is denied and the 'no session matched' log is recorded.
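The following is an added example (not part of the Fortinet article and not Fortinet code) showing how a defender might process exported FortiGate traffic-log lines in the key=value format shown above: it parses each line, filters the records whose msg field is 'no session matched', and counts them per flow tuple. Repeated hits on the same source/destination pair point at an asymmetric-routing problem of the kind described above, whereas isolated hits are more likely stray packets. The sample log lines are constructed for this example (the first is an abridged copy of the record in the article; the addresses, ports and policy IDs in the others are placeholders).

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value traffic-log format.
# Line 1 is an abridged copy of the record shown in the article; the other
# lines are invented for illustration (addresses, ports, policyid are placeholders).
SAMPLE_LOG = """\
date=2023-09-08 time=12:46:49 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" srcip=10.98.98.101 srcport=61613 srcintf="port2" dstip=10.40.30.90 dstport=22 dstintf=unknown-0 proto=6 action="deny" policyid=0 service="SSH" msg="no session matched"
date=2023-09-08 time=12:46:50 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.98.98.101 srcport=61614 srcintf="port2" dstip=10.40.30.90 dstport=22 dstintf="port1" proto=6 action="accept" policyid=5 service="SSH"
date=2023-09-08 time=12:46:51 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" srcip=10.98.98.102 srcport=40001 srcintf="port2" dstip=10.40.30.90 dstport=443 dstintf=unknown-0 proto=6 action="deny" policyid=0 service="HTTPS" msg="no session matched"
date=2023-09-08 time=12:46:52 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" srcip=10.98.98.101 srcport=61615 srcintf="port2" dstip=10.40.30.90 dstport=22 dstintf=unknown-0 proto=6 action="deny" policyid=0 service="SSH" msg="no session matched"
"""

# One key=value pair: the value is either double-quoted (may contain spaces)
# or a bare run of non-whitespace characters such as unknown-0 or 10.40.30.90.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Parse one FortiGate key=value log line into a dict of string fields."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # strip the surrounding quotes
        fields[key] = value
    return fields


def no_session_matched(records):
    """Keep only the records whose msg field is 'no session matched'."""
    return [r for r in records if r.get("msg") == "no session matched"]


def summarize_flows(records):
    """Count 'no session matched' records per (srcip, dstip, dstport, proto).

    Several hits on one flow tuple suggest the FortiGate is seeing mid-stream
    packets of a connection whose handshake took another path (asymmetric
    routing); a single hit is more likely a stray packet.
    """
    return Counter(
        (r["srcip"], r["dstip"], r["dstport"], r["proto"])
        for r in no_session_matched(records)
    )


def analyze(text):
    """Parse a block of log text and return the per-flow summary."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    return summarize_flows(records)


if __name__ == "__main__":
    for (src, dst, dport, proto), count in analyze(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst}:{dport} proto={proto}  no-session-matched hits: {count}")
```

Run it against real exported log text by replacing SAMPLE_LOG with the file contents; flows that appear repeatedly in the output are the ones to check for a routing change that bypasses the FortiGate on the return or forward path.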
Copyright 2025 Fortinet, Inc. All Rights Reserved.