caunon, Staff
Article Id 224031
Description

This article describes how to fix the 'fw_strict_dirty_session_check' drop message seen in the debug flow when SD-WAN is in use.

Scope

FortiGate with SD-WAN configured.

Solution

When SD-WAN is configured and clients behind the FortiGate cannot reach the Internet, run the debug flow to see how the traffic is handled, then use that output to decide on the next step of the investigation.

At the FortiGate CLI, first clear any previous debug state:

FGT # diagnose debug reset
FGT # diagnose debug disable
FGT # diagnose debug flow filter clear
FGT # diagnose debug flow trace stop

Then set the filter and start the trace:

FGT # diagnose debug flow filter addr 15.15.15.15 <----- Or the destination IP address being investigated.
FGT # diagnose debug flow show function-name enable
FGT # diagnose debug flow trace start 454545
FGT # diagnose debug console timestamp enable
FGT # diagnose debug enable

To stop debugging:

FGT # diagnose debug disable
FGT # diagnose debug reset
FGT # diagnose debug flow filter clear
FGT # diagnose debug flow trace stop

 

Example:

FGT # diagnose debug reset
FGT # diagnose debug disable
FGT # diagnose debug flow filter clear
FGT # diagnose debug flow trace stop
FGT # diagnose debug flow filter addr 15.15.15.15
FGT # diagnose debug flow show function-name enable
show function name
FGT # diagnose debug flow trace start 454545
FGT # diagnose debug console timestamp enable
FGT # diagnose debug enable
FGT #

 

The output may then show messages like the following. The last line is the one of interest: the packet matched an existing session, SD-WAN policy routing chose a different egress interface, and the strict dirty-session check dropped the packet because the SNAT address no longer matched the one recorded in the session.

…..

2022-05-15 15:45:95 id=20085 trace_id=365 func=print_pkt_detail line=5937 msg="vd-root:0 received a packet(proto=1, 192.168.24.65:11612->15.15.15.15:2048) tun_id=0.0.0.0 from VLAN_505. type=8, code=0, id=11612, seq=3847."

2022-05-15 15:45:95 id=20085 trace_id=365 func=resolve_ip_tuple_fast line=6023 msg="Find an existing session, id-240493d4, original direction"

2022-05-15 15:45:95 id=20085 trace_id=365 func=rpdb_srv_match_input line=1015 msg="Match policy routing id=2636951624: to 15.15.15.15 via ifindex-63"

2022-05-15 15:45:95 id=20085 trace_id=365 func=__vf_ip_route_input_rcu line=1981 msg="find a route: flag=00000000 gw-10.254.15.1 via VLAN_15"

2022-05-15 15:45:95 id=20085 trace_id=365 func=get_new_addr line=1234 msg="find DNAT: IP-10.254.15.200, port-11615"

2022-05-15 15:45:95 id=20085 trace_id=365 func=fw_strict_dirty_session_check line=278 msg="SNAT IP 10.254.19.200 != 10.254.15.200, drop"
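As an added example (not part of this article or of any Fortinet tooling), the following Python script parses captured 'diagnose debug flow' output of the kind shown above, groups the lines per trace_id, reports which function dropped the packet, and, for a fw_strict_dirty_session_check drop, extracts the two SNAT addresses that disagreed. The function names parse_flow_line and diagnose are assumptions; the sample input is the article's output plus one constructed trace that is allowed, so the script has a non-drop case to contrast against.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One "diagnose debug flow" line with timestamps and function names enabled:
#   <date> <time> id=<n> trace_id=<n> func=<name> line=<n> msg="<text>"
FLOW_RE = re.compile(
    r'^(?P<ts>\S+ \S+) id=(?P<id>\d+) trace_id=(?P<trace>\d+) '
    r'func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$'
)
# A message that ends in a drop verdict.
DROP_RE = re.compile(r'\bdrop\b')
# The mismatch text that fw_strict_dirty_session_check prints before dropping.
SNAT_RE = re.compile(
    r'SNAT IP (?P<a>\d+\.\d+\.\d+\.\d+) != (?P<b>\d+\.\d+\.\d+\.\d+), drop'
)

# Sample input: the article's trace 365 verbatim, plus a constructed trace 366
# (hypothetical, not from the article) that is allowed through.
SAMPLE_LINES = [
    '2022-05-15 15:45:95 id=20085 trace_id=365 func=print_pkt_detail line=5937 msg="vd-root:0 received a packet(proto=1, 192.168.24.65:11612->15.15.15.15:2048) tun_id=0.0.0.0 from VLAN_505. type=8, code=0, id=11612, seq=3847."',
    '2022-05-15 15:45:95 id=20085 trace_id=365 func=resolve_ip_tuple_fast line=6023 msg="Find an existing session, id-240493d4, original direction"',
    '2022-05-15 15:45:95 id=20085 trace_id=365 func=rpdb_srv_match_input line=1015 msg="Match policy routing id=2636951624: to 15.15.15.15 via ifindex-63"',
    '2022-05-15 15:45:95 id=20085 trace_id=365 func=__vf_ip_route_input_rcu line=1981 msg="find a route: flag=00000000 gw-10.254.15.1 via VLAN_15"',
    '2022-05-15 15:45:95 id=20085 trace_id=365 func=get_new_addr line=1234 msg="find DNAT: IP-10.254.15.200, port-11615"',
    '2022-05-15 15:45:95 id=20085 trace_id=365 func=fw_strict_dirty_session_check line=278 msg="SNAT IP 10.254.19.200 != 10.254.15.200, drop"',
    # constructed allowed trace
    '2022-05-15 15:46:01 id=20085 trace_id=366 func=print_pkt_detail line=5937 msg="vd-root:0 received a packet(proto=1, 192.168.24.66:11700->15.15.15.15:2048) tun_id=0.0.0.0 from VLAN_505. type=8, code=0, id=11700, seq=1."',
    '2022-05-15 15:46:01 id=20085 trace_id=366 func=fw_forward_handler line=811 msg="Allowed by Policy-1: SNAT"',
]


@dataclass
class FlowEvent:
    trace_id: int
    func: str
    msg: str


def parse_flow_line(line: str) -> Optional[FlowEvent]:
    """Parse one debug flow line; return None for lines that are not flow events."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return FlowEvent(int(m.group("trace")), m.group("func"), m.group("msg"))


def diagnose(lines: List[str]) -> Dict[int, dict]:
    """Return, per trace_id that was dropped, the dropping function, its message,
    the sequence of functions the packet passed through, and, for a strict
    dirty-session drop, the two SNAT addresses that disagreed."""
    traces: Dict[int, List[FlowEvent]] = {}
    for line in lines:
        ev = parse_flow_line(line)
        if ev is not None:
            traces.setdefault(ev.trace_id, []).append(ev)

    report: Dict[int, dict] = {}
    for trace_id, events in traces.items():
        drop = next((e for e in events if DROP_RE.search(e.msg)), None)
        if drop is None:
            continue  # packet was not dropped in this trace
        entry = {"func": drop.func, "msg": drop.msg, "path": [e.func for e in events]}
        snat = SNAT_RE.search(drop.msg)
        if drop.func == "fw_strict_dirty_session_check" and snat:
            entry["snat_ips"] = (snat.group("a"), snat.group("b"))
            # Setting the article points at: config system global / set strict-dirty-session-check disable
            entry["setting"] = "strict-dirty-session-check"
        report[trace_id] = entry
    return report


if __name__ == "__main__":
    for tid, entry in diagnose(SAMPLE_LINES).items():
        print(f"trace {tid}: dropped by {entry['func']} ({entry['msg']})")
        print("  path:", " -> ".join(entry["path"]))
        if "snat_ips" in entry:
            print("  differing SNAT addresses:", *entry["snat_ips"], "| check", entry["setting"])
```

Feed it the saved console output (one flow line per list element) and only traces that end in a drop are reported; a trace with no drop verdict, like the constructed 366, is silently skipped, which keeps the report short on a busy firewall.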

 

To fix the issue, disable the strict dirty-session check:

FGT # config system global
FGT (global) # set strict-dirty-session-check disable
FGT (global) # end


The 'strict-dirty-session-check' option enables checking a session against the original policy when the session is re-validated.

Enabling it can prevent redirected sessions from being dropped when web filtering and authentication are enabled together.

If this option is enabled, the FortiGate deletes a session when a routing or policy change causes the session to no longer match the policy that originally allowed it. With SD-WAN, a route or SD-WAN rule change can move an existing session to another egress interface, so the SNAT address no longer matches the one stored in the session and the packet is dropped, as in the debug output above.

enable: Enable strict dirty-session check.
disable: Disable strict dirty-session check.
