Description |
This article explains the meaning of 'no session matched' in the output of 'diagnose debug flow', and how to have FortiGate record the same event in the traffic log.
|
Scope | FortiGate. |
Solution |
To log the 'no session matched' event in the traffic log, the option 'log-invalid-packet' needs to be enabled.
config log setting
    set log-invalid-packet enable
end
In FortiOS v7.4.X and above, the command shown above has been replaced with the following:
config log setting
    set extended-log enable
end
Once the option is enabled, the dropped packet appears in the forward traffic log as a warning with action="deny", policyid=0 and msg="no session matched", for example:
date=2023-09-08 time=12:46:49 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1694148409 srcip=10.98.98.101 srcport=61613 srcintf="port2" srcintfrole="undefined" dstip=10.40.30.90 dstport=22 dstintf=unknown-0 dstintfrole="undefined" proto=6 action="deny" policyid=0 policytype="policy" service="SSH" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"
The message means that FortiGate received a packet for which there is no entry in its session table. FortiGate is a stateful firewall: a TCP session is created when the initial SYN of the 3-way handshake passes through it and is matched against a firewall policy. A non-SYN segment (an ACK or a data segment) that arrives without such a session is dropped before any policy is evaluated, which is why the log shows policyid=0, duration=0 and no bytes or packets counted. The most common cause is a change of routing path, i.e. asymmetric routing.
For example, a TCP session is initially established along a path that does not pass through FortiGate. A routing change then steers the packets of that already established session to this FortiGate. Since FortiGate never saw the handshake, it has no session for the flow, each mid-stream packet is dropped and a 'no session matched' log is recorded. When the log repeats for the same source, destination and port, check the routing on both sides of FortiGate rather than the firewall policies: a policy change will not help, because the packet is dropped before the policy lookup takes place. |
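As an added example (not part of the original Fortinet article), the following Python script parses FortiGate key=value traffic log lines like the one shown above and counts 'no session matched' drops per flow, so that a run of drops for the same source, destination and port stands out as a likely routing change rather than a stray packet. The sample lines are constructed: the first is the entry quoted above, the others are made up for illustration and the logid values of the made-up lines are not to be relied on.

```python
import re
from collections import Counter

# Constructed sample input. Line 1 is the entry quoted in the article; lines 2
# and 3 are made up to show a repeated drop and an ordinary accepted session.
SAMPLE_LOGS = """\
date=2023-09-08 time=12:46:49 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1694148409 srcip=10.98.98.101 srcport=61613 srcintf="port2" srcintfrole="undefined" dstip=10.40.30.90 dstport=22 dstintf=unknown-0 dstintfrole="undefined" proto=6 action="deny" policyid=0 policytype="policy" service="SSH" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"
date=2023-09-08 time=12:46:50 logid="0000000007" type="traffic" subtype="forward" level="warning" vd="root" eventtime=1694148410 srcip=10.98.98.101 srcport=61613 srcintf="port2" srcintfrole="undefined" dstip=10.40.30.90 dstport=22 dstintf=unknown-0 dstintfrole="undefined" proto=6 action="deny" policyid=0 policytype="policy" service="SSH" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="no session matched"
date=2023-09-08 time=12:46:51 logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1694148411 srcip=10.98.98.50 srcport=51000 srcintf="port2" srcintfrole="undefined" dstip=10.40.30.90 dstport=443 dstintf="port1" dstintfrole="undefined" proto=6 action="accept" policyid=5 policytype="policy" service="HTTPS" trandisp="noop" duration=30 sentbyte=1200 rcvdbyte=4800 sentpkt=10 rcvdpkt=12
"""

# key=value tokens; values are either a double-quoted string (which may contain
# spaces, e.g. msg="no session matched") or a run of non-space characters
# (e.g. dstintf=unknown-0, which FortiGate emits unquoted).
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict with quotes stripped."""
    fields = {}
    for key, raw in TOKEN_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def is_no_session_matched(rec: dict) -> bool:
    """True for a forward traffic log of a packet dropped before policy lookup."""
    return (
        rec.get("type") == "traffic"
        and rec.get("action") == "deny"
        and rec.get("policyid") == "0"
        and rec.get("msg") == "no session matched"
    )


def summarize_no_session(lines) -> Counter:
    """Count 'no session matched' drops per (srcip, dstip, dstport, proto).

    A count of several for one key means mid-stream packets of the same flow
    keep arriving without a session, the signature of a routing change that
    diverted an established connection through this FortiGate.
    """
    counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_fortigate_log(line)
        if is_no_session_matched(rec):
            key = (rec.get("srcip"), rec.get("dstip"), rec.get("dstport"), rec.get("proto"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, dport, proto), n in summarize_no_session(SAMPLE_LOGS.splitlines()).most_common():
        print(f"{n:4d}  {src} -> {dst}:{dport} proto={proto}  (no session matched)")
```

Feed the script the output of a FortiAnalyzer or syslog export instead of SAMPLE_LOGS; any flow key with a rising count is where to start checking the routing on both sides of the FortiGate.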