Dhruvin_patel
Article Id 402452
Description This article discusses the error messages 'Find a candidate session' and 'tuple not match, drop'.
Scope FortiGate.
Solution

The traffic is initiated from the source IP 51.xx.xx.2 behind the FortiGate, which is configured with a public IP address, towards the destination 52.xx.xx.xx.

 

Debug flow:

 

2025-07-15 13:40:08 id=65308 trace_id=106 func=print_pkt_detail line=5873 msg="vd-root:0 received a packet(proto=17, 51.xx.xx.2:22614->52.xx.xx.xx:50214) tun_id=0.0.0.0 from LAN. "
2025-07-15 13:40:08 id=65308 trace_id=106 func=init_ip_session_common line=6062 msg="allocate a new session-669eaxxx"
2025-07-15 13:40:08 id=65308 trace_id=106 func=vf_ip_route_input_common line=2612 msg="find a route: flag=04000000 gw-51.xx.xx.18 via WAN"
2025-07-15 13:40:08 id=65308 trace_id=106 func=__iprope_check_one_policy line=2365 msg="policy-1 is matched, act-accept"
2025-07-15 13:40:08 id=65308 trace_id=106 func=fw_forward_handler line=988 msg="Allowed by Policy-6: SNAT"
2025-07-15 13:40:08 id=65308 trace_id=106 func=__ip_session_run_tuple line=3430 msg="SNAT 51.xx.xx.2->51.xx.xx.17:22614"

 

Network Diagram: (image not reproduced in this text version)

 

Once the traffic is allowed, the FortiGate will create a session with the following tuple:

 

orgin->sink: org pre->post, reply pre->post dev=89->90/90->89 gwy=51.xx.xx.18/0.0.0.0
hook=pre dir=org act=noop 51.xx.xx.2:22614->52.xx.xx.xx:50214(51.xx.xx.17:22614)
hook=post dir=reply act=noop 52.xx.xx.xx:50214->51.xx.xx.17:20225(51.xx.xx.2:22614)
pos/(before,after) 0/(0,0), 0/(0,0)
dst_mac=e4:xx:xx:xx:xx:xx
misc=0 policy_id=1 pol_uuid_idx=2229 auth_info=0 chk_client_info=0 vd=0

 

However, the destination 52.xx.xx.xx sends its traffic to the original source address 51.xx.xx.2 rather than to the SNAT address 51.xx.xx.17. The FortiGate finds the candidate session, but the incoming packet does not match the session's reply tuple (52.xx.xx.xx:50214->51.xx.xx.17), so the packet is dropped.

 

2025-07-15 13:40:08 id=65308 trace_id=112 func=print_pkt_detail line=5873 msg="vd-root:0 received a packet(proto=17, 52.xx.xx.xx:50214->51.xx.xx.2:22614) tun_id=0.0.0.0 from WAN. "
2025-07-15 13:40:08 id=65308 trace_id=112 func=resolve_ip_tuple_fast line=5929 msg="Find a candidate session id-669eaxxx dir=1 hook=4 act=0, tuple not match, drop"
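To make the tuple check concrete, here is an added Python example (not part of the original article or of FortiOS) that parses the hook lines of a session entry and applies the same exact-match lookup to an arriving packet. It uses constructed placeholder addresses (51.0.0.2, 51.0.0.17, 52.0.0.1) in place of the masked ones, and compares the SNAT session with a session created after NAT is disabled.

```python
import re
from typing import Dict, NamedTuple

class Tuple5(NamedTuple):
    proto: int
    src: str
    sport: int
    dst: str
    dport: int

# One "hook=... dir=... act=... A:p->B:q(C:r)" line of a FortiGate session entry.
# The part in parentheses is the post-NAT address; the part before it is the
# pre-NAT tuple that an arriving packet has to match.
_HOOK_RE = re.compile(
    r"hook=\w+\s+dir=(?P<dir>\w+)\s+act=\w+\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_session(text: str, proto: int) -> Dict[str, Tuple5]:
    """Return the pre-NAT 5-tuple expected in each direction ('org' and 'reply')."""
    session: Dict[str, Tuple5] = {}
    for m in _HOOK_RE.finditer(text):
        session[m["dir"]] = Tuple5(proto, m["src"], int(m["sport"]),
                                   m["dst"], int(m["dport"]))
    return session

def classify_packet(session: Dict[str, Tuple5], pkt: Tuple5) -> str:
    """Mimic the session lookup: the packet must equal the org or reply tuple exactly."""
    for direction, expected in session.items():
        if expected == pkt:
            return f"matched dir={direction}"
    return "tuple not match, drop"

# Constructed sample data, modelled on the article's session entries.
SNAT_SESSION = """\
hook=pre dir=org act=noop 51.0.0.2:22614->52.0.0.1:50214(51.0.0.17:22614)
hook=post dir=reply act=noop 52.0.0.1:50214->51.0.0.17:22614(51.0.0.2:22614)
"""
NONAT_SESSION = """\
hook=pre dir=org act=noop 51.0.0.2:22614->52.0.0.1:50214
hook=post dir=reply act=noop 52.0.0.1:50214->51.0.0.2:22614
"""
# The packet the peer actually sends: addressed to the real source, not the SNAT address.
WAN_PACKET = Tuple5(17, "52.0.0.1", 50214, "51.0.0.2", 22614)

if __name__ == "__main__":
    print("with SNAT:   ", classify_packet(parse_session(SNAT_SESSION, 17), WAN_PACKET))
    print("NAT disabled:", classify_packet(parse_session(NONAT_SESSION, 17), WAN_PACKET))
```

Run as a script, it reports the drop for the SNAT session and a reply-direction match once NAT is disabled.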

 

To resolve the issue, disable NAT on the FortiGate. In this case, Central NAT is being used, so create a Central NAT rule with NAT disabled and place it above the policy that is performing NAT.

 

config firewall central-snat-map
    edit x
        set srcintf "LAN"
        set dstintf "WAN"
        set orig-addr "all"
        set dst-addr "all"
        set nat disable
    next
end

 

If NAT is configured in the firewall policy itself (no Central NAT), disable NAT in that policy instead. Another option is to have the destination send its return traffic to the NATed address rather than directly to the source, although this may not be possible in every scenario.