FortiGate
smaruvala
Staff
Article Id 317030
Description This article describes the TCP Challenge-ACK and how FortiGate handles that packet.
Scope FortiGate.
Solution
  • In a TCP handshake, three packets are normally exchanged to establish the connection: SYN, SYN-ACK, and ACK.
  • In some cases, when the source tries to establish a TCP connection, the destination replies with an 'ACK' packet instead of the 'SYN-ACK' packet. This ACK packet carries a random ACK number that does not match the sequence number of the SYN packet. This type of ACK is called a Challenge-ACK. The source then sends a RST packet to the server and closes the current connection.
  • The source starts a new TCP connection after the previous connection has been closed.
  • Below is a Wireshark capture of the Challenge-ACK scenario. The first three packets show the Challenge-ACK flow: the ACK number in the ACK packet is not in the same range as the sequence number of the SYN packet.

    [Image: Challenge_ACK_Highlighted.png]


  • Challenge-ACK is defined in RFC 5961.

  • FortiGate will not drop this packet even when anti-replay protection is set to 'strict'.
  • Below is the anti-replay setting.

Firewall-kvm37 # get system global | grep replay
anti-replay : strict


  • Debug output indicates that FortiGate identifies the packet as Challenge-ACK and allows it.

2024-05-01 00:46:53 id=65308 trace_id=13 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 10.56.250.18:2049->10.47.40.137:1023) tun_id=0.0.0.0 from port3. flag [.], seq 3868146465, ack 1480705351, win 256"
2024-05-01 00:46:53 id=65308 trace_id=13 func=resolve_ip_tuple_fast line=5976 msg="Find an existing session, id-00bf30a6, reply direction"
2024-05-01 00:46:53 id=65308 trace_id=13 func=tcp_anti_reply line=1069 msg="This can be a challenge ack packet"
2024-05-01 00:46:53 id=65308 trace_id=13 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-10.8.3.41 via port2"
2024-05-01 00:46:53 id=65308 trace_id=13 func=npu_handle_session44 line=1346 msg="Trying to offloading session from port3 to port2, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x00000100"
2024-05-01 00:46:53 id=65308 trace_id=13 func=fw_forward_dirty_handler line=448 msg="state=00000204, state2=00000001, npu_state=00000100"
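The following is an added worked example, not code from the article or from FortiOS. It does two things the bullets above describe in words: it scans a list of packets for the Challenge-ACK pattern shown in the capture (a SYN answered by a bare ACK whose ACK number does not acknowledge the SYN's ISN, followed by a RST and a retry), and it models, as a simplification that is an assumption and not FortiGate's real anti-replay logic, why a strict sequence check in the reply direction needs an exception for such packets. The packets, sequence numbers and the IP/port pair are constructed sample data (the addresses are taken from the debug output above; the sequence numbers are not).

```python
"""Added example: spot RFC 5961 challenge ACKs in a packet list and model a
strict reply-direction sequence check with and without a challenge-ACK
exception. Not FortiOS code; the anti-replay model is a simplification."""
from dataclasses import dataclass


@dataclass
class Pkt:
    src: str            # "ip:port"
    dst: str
    flags: str          # "S" SYN, "A" ACK, "R" RST, "SA" SYN-ACK
    seq: int
    ack: int = 0
    payload_len: int = 0


# Constructed sample flow (endpoints borrowed from the debug trace above):
# 1. client SYN  2. server bare ACK with an unrelated ACK number (challenge ACK)
# 3. client RST  4. client retries with a fresh ISN  5/6. normal handshake.
C = "10.47.40.137:1023"
S = "10.56.250.18:2049"
SAMPLE_PKTS = [
    Pkt(C, S, "S", seq=1_000_000),
    Pkt(S, C, "A", seq=3_868_146_465, ack=2_500_000),   # challenge ACK
    Pkt(C, S, "R", seq=2_500_000),                      # RST, seq = SEG.ACK
    Pkt(C, S, "S", seq=7_000_000),                      # retry, new ISN
    Pkt(S, C, "SA", seq=9_000_000, ack=7_000_001),
    Pkt(C, S, "A", seq=7_000_001, ack=9_000_001),
]


def is_challenge_ack(syn: Pkt, reply: Pkt) -> bool:
    """A reply to our SYN that is a bare ACK (no SYN, no RST) and does not
    acknowledge ISN+1 is a challenge ACK (RFC 5961, section 4): the peer holds
    an already-synchronized connection and reports its state instead of
    completing a new handshake."""
    return (reply.src == syn.dst and reply.dst == syn.src
            and "A" in reply.flags
            and "S" not in reply.flags and "R" not in reply.flags
            and reply.ack != (syn.seq + 1) & 0xFFFFFFFF)


def find_challenge_acks(pkts):
    """Return (index_of_syn, index_of_reply) pairs for every SYN whose first
    reply from the destination is a challenge ACK."""
    found = []
    for i, p in enumerate(pkts):
        if p.flags != "S":
            continue
        for j in range(i + 1, len(pkts)):
            q = pkts[j]
            if q.src == p.dst and q.dst == p.src:
                if is_challenge_ack(p, q):
                    found.append((i, j))
                break   # only the first reply decides
    return found


def anti_replay_verdict(client_isn, client_seq_next, pkt, allow_challenge_ack=True):
    """Simplified model (assumption, not FortiOS internals) of a strict
    reply-direction check: the server's ACK number must acknowledge bytes the
    client actually sent, i.e. client_isn < ack <= client_seq_next.
    A bare ACK with no payload that fails the check is treated as a possible
    challenge ACK and accepted when allow_challenge_ack is set."""
    in_window = client_isn < pkt.ack <= client_seq_next   # wrap ignored here
    if in_window:
        return "accept"
    bare_ack = pkt.flags == "A" and pkt.payload_len == 0
    if allow_challenge_ack and bare_ack:
        return "accept:challenge-ack"
    return "drop:anti-replay"


if __name__ == "__main__":
    for i, j in find_challenge_acks(SAMPLE_PKTS):
        print(f"SYN #{i} answered by challenge ACK #{j}: {SAMPLE_PKTS[j]}")
    # The client has sent only its SYN, so its next sequence number is ISN+1.
    for allow in (True, False):
        print("strict, allow_challenge_ack =", allow, "->",
              anti_replay_verdict(1_000_000, 1_000_001, SAMPLE_PKTS[1], allow))
```

The first loop reproduces what the capture shows: the server's bare ACK is flagged because its ACK number is nowhere near the client's ISN. The second shows the decision the debug line "This can be a challenge ack packet" corresponds to in the article: without the exception the out-of-window ACK would be dropped by the strict check and the client would never receive it, so it could not send the RST that clears the stale state on the server and lets the retry succeed.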


  • Support for allowing the Challenge-ACK was introduced in FortiOS versions 6.0.13 / 6.2.10 / 6.4.6 / 7.0.2.