Description
This article describes possible root causes of having logs with interface 'unknown-0'.
Scope
FortiGate.
Solution
Generally, such a log message is created when a packet arrives at the FortiGate and FortiOS cannot find an existing session for it, although one is expected to already be in place.
For example, when the FortiGate receives a TCP FIN packet and there is no session that this packet can match.
There are several scenarios when such a log message can be generated:
- When an interface (virtual or physical) changes status (add/del/up/down).
This triggers a routing table update, which flushes the 'dev' (interface) information of the related sessions because of the re-routing. Such sessions later time out if no further packet arrives after the flush.
While they are being removed from the session table, logs with 'unknown-0' as the source/destination interface are generated.
- These log messages are also known to be seen when a packet arrives at the FortiGate and FortiOS cannot find an existing session for it, although one is expected to be in place.
Below are two examples of such scenarios:
- When the FortiGate receives a TCP FIN packet and there is no session that this packet can match.
An example of such a scenario is a TCP session removed from the session table after its 'session-ttl' value expires. If the session is removed before the client closes it, the client may still try to use it.
As the FortiGate does not expect to receive any TCP packets other than a TCP SYN (which triggers the creation of a new session), all other packets are dropped due to a match on the 'implicit deny' policy (ID 0), and an 'unknown-0' log message is generated.
- Another valid example of such log messages is when a session is removed from the session table because the destination server closed it. In that case, if for any reason the client still sends packets belonging to the removed session, those packets are dropped due to a match on the 'implicit deny' policy (ID 0), and an 'unknown-0' log message is generated.
In both examples, 'No Session Match' messages are seen in the debug flow output.
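To tell the stale-session cases above apart from ordinary implicit-deny hits, it helps to pull the 'unknown-0' drops out of the traffic log and group them by flow; a flow that keeps hitting policy ID 0 on 'unknown-0' is a client still sending on a session the FortiGate no longer holds. The parser below is an added example, not Fortinet code; the log lines are constructed in FortiGate key=value syslog style, and the field names used (srcintf, dstintf, policyid, action, proto) are the standard traffic log fields.

```python
import re
from collections import Counter

# Constructed sample lines in FortiGate key=value syslog style (not captured from a device).
# Lines 1-2: the same TCP flow dropped twice on policy 0 with dstintf 'unknown-0'.
# Line 3: a policy-0 deny on a normal interface (not the case this article covers).
# Line 4: an accepted session, included so the filter has something to ignore.
SAMPLE_LOGS = """\
date=2024-03-01 time=10:15:01 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.5 srcport=51234 srcintf="port2" dstip=203.0.113.10 dstport=443 dstintf="unknown-0" proto=6 action="deny" policyid=0
date=2024-03-01 time=10:15:02 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.5 srcport=51234 srcintf="port2" dstip=203.0.113.10 dstport=443 dstintf="unknown-0" proto=6 action="deny" policyid=0
date=2024-03-01 time=10:15:03 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.0.7 srcport=40000 srcintf="port2" dstip=198.51.100.9 dstport=80 dstintf="port1" proto=6 action="deny" policyid=0
date=2024-03-01 time=10:15:04 logid="0000000011" type="traffic" subtype="forward" srcip=10.0.0.8 srcport=40001 srcintf="port2" dstip=198.51.100.9 dstport=80 dstintf="port1" proto=6 action="accept" policyid=3
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split one FortiGate log line into a dict; quoted values lose their quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def is_unknown0_drop(rec):
    """True for an implicit-deny (policy ID 0) drop where an interface is 'unknown-0'."""
    return (rec.get("policyid") == "0" and rec.get("action") == "deny"
            and "unknown-0" in (rec.get("srcintf"), rec.get("dstintf")))


def summarize(text):
    """Count 'unknown-0' drops per flow (srcip, srcport, dstip, dstport, proto).
    Repeated hits for one flow point at a client still using a session that was
    removed, e.g. after session-ttl expiry or after the server closed it."""
    flows = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if is_unknown0_drop(rec):
            key = (rec["srcip"], rec["srcport"], rec["dstip"], rec["dstport"], rec["proto"])
            flows[key] += 1
    return flows


if __name__ == "__main__":
    for flow, count in summarize(SAMPLE_LOGS).most_common():
        print(f"{count:3d}  {flow}")
```

Feeding a real export of the forward traffic log to summarize() lists the affected flows, which can then be checked against the session-ttl and the server-side close behaviour described above.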
Related article:
Technical Tip: 'No Session Match' error and halfclose timer