aneshcheret
Staff

Description
This article describes the possible root causes of traffic logs that show the interface 'unknown-0'.

Solution
Generally, such a log message is created when a packet arrives at the FortiGate and FortiOS cannot find an existing session for it, although one is expected to already be in place.
For example, when FortiGate receives a TCP FIN packet and there is no session that this packet can match.


There are several scenarios in which such a log message can be generated:

1) When an interface (virtual or physical) changes status (add/delete/up/down).
This triggers a routing table update, which flushes the 'dev' (device) information of the related sessions because of re-routing. Such sessions later time out if no further packet arrives after the flush.
While they are being removed from the session table, logs with 'unknown-0' as the source/destination interface are generated.


2) These log messages are also seen when a packet arrives at the FortiGate and FortiOS cannot find an existing session for it, although one is expected to be in place.
Below are two examples of this scenario:


- When FortiGate receives a TCP FIN packet and there is no session that this packet can match.
An example is a TCP session removed from the session table after its 'session-ttl' value expired. If the session is removed before the client closed it, the client may still try to use it.
Because FortiGate does not expect to receive any TCP packet other than a TCP SYN (which triggers creation of a new session), all other packets are dropped as matching the 'implicit deny' policy (ID 0), and an 'unknown-0' log message is generated.


- Another example is when a session is removed from the session table because the destination server closed it. In such a case, if for any reason the client still sends packets belonging to the removed session, those packets are dropped as matching the 'implicit deny' policy (ID 0), and an 'unknown-0' log message is generated.

In both examples, 'No Session Match' messages are seen in the debug flow output.
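The following script is an added example, not part of the original article or Fortinet's own tooling, that shows how a SOC analyst could triage exported traffic logs for the two scenarios above. It parses FortiGate-style key=value log lines and, using the distinction the article draws, treats an 'unknown-0' record with policyid=0 and action="deny" as stale client traffic hitting the implicit deny policy (no session match), and any other 'unknown-0' record as a session timing out after an interface or routing change. The log lines are constructed for illustration (made-up addresses, ports and timestamps), and the classification is a heuristic derived from this article, not a FortiOS log field.

```python
"""Triage FortiGate traffic logs that carry the 'unknown-0' interface.

Heuristic taken from the article's two scenarios:
  - policyid=0 and action="deny"  -> stale client packet, implicit deny (no session match)
  - any other 'unknown-0' record  -> session flushed/timed out after an interface or routing change
"""
import re
from collections import Counter

# Matches key=value pairs; values may be double-quoted (e.g. srcintf="port1").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

UNKNOWN_INTF = "unknown-0"

# Constructed sample lines for illustration; not taken from any real device.
SAMPLE_LOGS = [
    # stale TCP packet after session-ttl expiry: implicit deny, policy ID 0
    'date=2024-03-01 time=10:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 srcport=51000 '
    'srcintf="port2" dstip=192.0.2.10 dstport=443 dstintf="unknown-0" proto=6 action="deny" policyid=0',
    # session closed by the server, client keeps sending: implicit deny again
    'date=2024-03-01 time=10:00:02 type="traffic" subtype="forward" srcip=10.0.0.6 srcport=51001 '
    'srcintf="port2" dstip=192.0.2.11 dstport=80 dstintf="unknown-0" proto=6 action="deny" policyid=0',
    # session timing out after an interface status change flushed its dev info
    'date=2024-03-01 time=10:00:03 type="traffic" subtype="forward" srcip=10.0.0.7 srcport=51002 '
    'srcintf="unknown-0" dstip=192.0.2.12 dstport=22 dstintf="port1" proto=6 action="timeout" policyid=7',
    # normal accepted session with real interfaces; ignored by the triage
    'date=2024-03-01 time=10:00:04 type="traffic" subtype="forward" srcip=10.0.0.8 srcport=51003 '
    'srcintf="port2" dstip=192.0.2.13 dstport=443 dstintf="port1" proto=6 action="accept" policyid=7',
]


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def involves_unknown_intf(rec):
    """True when either the source or destination interface is 'unknown-0'."""
    return UNKNOWN_INTF in (rec.get("srcintf"), rec.get("dstintf"))


def classify(rec):
    """Map an 'unknown-0' record to one of the article's scenarios, or None if not relevant."""
    if not involves_unknown_intf(rec):
        return None
    if rec.get("policyid") == "0" and rec.get("action") == "deny":
        return "no-session-match"        # scenario 2: stale client packet, implicit deny
    return "session-flush-timeout"       # scenario 1: interface/routing change flushed the session


def triage(lines):
    """Count 'unknown-0' records per scenario and per known (non-unknown) interface.

    The per-interface count helps spot which interface flapped or which
    segment is sending traffic for sessions that no longer exist.
    """
    by_scenario = Counter()
    by_known_intf = Counter()
    for line in lines:
        rec = parse_line(line)
        category = classify(rec)
        if category is None:
            continue
        by_scenario[category] += 1
        known = rec["dstintf"] if rec.get("srcintf") == UNKNOWN_INTF else rec["srcintf"]
        by_known_intf[known] += 1
    return by_scenario, by_known_intf


if __name__ == "__main__":
    scenarios, interfaces = triage(SAMPLE_LOGS)
    print("by scenario:", dict(scenarios))
    print("by known interface:", dict(interfaces))
```

A spike of 'session-flush-timeout' records clustered around one interface points at scenario 1 (check the interface's up/down history), whereas a steady trickle of 'no-session-match' records from one client segment points at scenario 2 and is worth comparing against the configured session-ttl and the server-side close behaviour.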

Related article: Technical Tip: 'No Session Match' error and halfclose timer
