ojacinto
Staff
Article Id 335742
Description This article describes how to troubleshoot the error 'fragments expired, drop' on the FortiGate device.
Scope FortiOS v7.2.0 and later, FortiOS v7.4.0 and later.
Solution

When traffic reaches the FortiGate interface, under certain circumstances the following messages may appear in the forward traffic logs:

date=2024-06-08 time=11:25:37 id=7400852525072519546 itime="2024-06-08 11:25:37" euid=3 epid=1034 dsteuid=3 dstepid=93053 logflag=2 logver=702081639 type="traffic" subtype="forward" level="warning" action="deny" policyid=0 srcip=172.31.75.152 dstip=192.168.70.162 srcport=1812 dstport=38230 trandisp="noop" duration=0 proto=17 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid=0000000007 service="udp/38230" app="udp/38230" appcat="unscanned" srcintfrole="undefined" dstintfrole="undefined" policytype="policy" eventtime=1723145252950481176 srccountry="Reserved" dstcountry="Reserved" srcintf="unknown-0" dstintf="unknown-0" msg="fragments expired, drop" tz="-0500" devid="FG4H1E5619905803" vd="root"  dtime="2024-06-08 11:25:37" itime_t=1723145257 devname="HA-FGT01"

date=2024-06-08 time=11:26:49 id=7400852318914085551 itime="2024-06-08 11:26:49" euid=3 epid=1034 dsteuid=3 dstepid=93053 logflag=2 logver=702081639 type="traffic" subtype="forward" level="warning" action="deny" policyid=0 srcip=172.31.75.152 dstip=192.168.70.162 srcport=1812 dstport=38230 trandisp="noop" duration=0 proto=17 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 logid=0000000007 service="udp/38230" app="udp/38230" appcat="unscanned" srcintfrole="undefined" dstintfrole="undefined" policytype="policy" eventtime=1723145204950504081 srccountry="Reserved" dstcountry="Reserved" srcintf="unknown-0" dstintf="unknown-0" msg="fragments expired, drop" tz="-0500" devid="FG4H1E5619905803" vd="root"  dtime="2024-06-08 11:26:49" itime_t=1723145209 devname="HA-FGT01"

The 'fragments expired, drop' message means that some fragments of a fragmented packet were not received by the kernel within the allowed time window, so FortiGate was not able to reassemble and process the packet.

The fragment reassembly time window is 30 seconds and is defined in /proc/sys/net/ipv4/ipfrag_time:

FGVM04-HA01 (global) # fnsysctl cat /proc/sys/net/ipv4/ipfrag_time
30  <---

To see the fragmented packets, run a sniffer on the FortiGate interface:

2024-06-08 11:25:37.844539 port5 -- 172.31.75.152.1812 -> 192.168.70.162.38230: udp 1490 (frag 50456:1480@0+)

In the above capture, the total payload is 1490 bytes, so the packet was fragmented into two packets (1480 bytes and 10 bytes).
If one of them is not received by the kernel within 30 seconds, the error message is generated and the fragmented packet is dropped.
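To make the reassembly rule concrete, the following Python script (an added example, not part of the Fortinet article) groups sniffer summary lines of the form shown above by source, destination and IP ID, and reports per datagram whether every fragment arrived within the 30-second ipfrag_time window or whether the kernel would log 'fragments expired, drop'. The layout of the non-first-fragment lines and all timestamps other than the first line are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

IPFRAG_TIME = timedelta(seconds=30)  # /proc/sys/net/ipv4/ipfrag_time, as read above

# Sniffer summary line: "<date> <time> <intf> -- <src>[.<port>] -> <dst>[.<port>]: ... (frag <id>:<len>@<offset>[+])"
# <len> is the fragment's payload length, <offset> its byte offset, "+" means more fragments follow.
FRAG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ -- "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: "
    r".*\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)")

def parse_fragment(line):
    """Return ((src, dst, ip_id), timestamp, length, offset, more_fragments), or None."""
    m = FRAG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return (m["src"], m["dst"], int(m["id"])), ts, int(m["len"]), int(m["off"]), m["more"] == "+"

def check_reassembly(lines, window=IPFRAG_TIME):
    """Per (src, dst, IP ID): 'reassembled' if every byte up to the last fragment arrived within
    `window` of the first fragment, else 'fragments expired, drop'. Also returns the total payload."""
    groups = {}
    for line in lines:
        if parsed := parse_fragment(line):
            key, ts, length, off, more = parsed
            groups.setdefault(key, []).append((ts, length, off, more))
    result = {}
    for key, frags in groups.items():
        frags.sort(key=lambda f: f[2])               # order by byte offset
        covered = 0
        for _, length, off, _ in frags:
            if off > covered:                         # hole: an intermediate fragment never arrived
                break
            covered = max(covered, off + length)
        _, len_last, off_last, more_last = frags[-1]
        total = None if more_last else off_last + len_last   # known only once the last fragment is seen
        span = max(f[0] for f in frags) - min(f[0] for f in frags)
        ok = total is not None and covered == total and span <= window
        result[key] = ("reassembled" if ok else "fragments expired, drop", total)
    return result

# Constructed sample lines (only the first is from the capture above): 50456 reassembles, 50457 never receives its 10-byte tail, 50458 receives it 35 seconds late.
SAMPLE_LINES = [
    "2024-06-08 11:25:37.844539 port5 -- 172.31.75.152.1812 -> 192.168.70.162.38230: udp 1490 (frag 50456:1480@0+)",
    "2024-06-08 11:25:37.844601 port5 -- 172.31.75.152 -> 192.168.70.162: (frag 50456:10@1480)",
    "2024-06-08 11:26:49.100000 port5 -- 172.31.75.152.1812 -> 192.168.70.162.38230: udp 1490 (frag 50457:1480@0+)",
    "2024-06-08 11:27:10.500000 port5 -- 172.31.75.152.1812 -> 192.168.70.162.38230: udp 1490 (frag 50458:1480@0+)",
    "2024-06-08 11:27:45.900000 port5 -- 172.31.75.152 -> 192.168.70.162: (frag 50458:10@1480)",
]
```

Running `check_reassembly(SAMPLE_LINES)` marks only datagram 50456 as reassembled; 50457 is incomplete and 50458 overran the window, which are the two conditions behind the log message.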

The following links explain fragmentation on the FortiGate device:
Technical Note: How to detect fragmented packets in a sniffer
What does (frag 16796:76@1376) mean?