FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Dongfang_Li_FTNT
Article Id 279425
Description This article describes the case in which a user finds a denied traffic log entry with the message 'replay packet(allow_err), suspicious'.
Scope FortiGate, all versions.
Solution

The steps below show how to find the root cause of the traffic log message 'replay packet(allow_err), suspicious'.

If this log message appears, run the flow debug to see more detail about the packet that was denied. The example below shows duplicate traffic being denied.

 

  • In the debug flow, a RESET (RST) packet from 192.168.1.2 to 172.16.1.2 arrives, is matched to an existing session, and resets the connection while acknowledging the previous packets:

 

id=20095 trace_id=4028 func=print_pkt_detail line=5918 msg="vd-Test:0 received a packet(proto=6, 192.168.1.2:57220->172.16.1.2:514) tun_id=0.0.0.0 from port1. flag [R], seq 1145693491, ack 1145693491, win 0"
id=20095 trace_id=4028 func=resolve_ip_tuple_fast line=6004 msg="Find an existing session, id-19248a01, original direction"
id=20095 trace_id=4028 func=npu_handle_session44 line=1234 msg="Trying to offloading session from port1 to port2, skb.npu_flag=00000000 ses.state=04000204 ses.npu_state=0x04001001"
id=20095 trace_id=4028 func=fw_forward_dirty_handler line=412 msg="state=04000204, state2=00004001, npu_state=04001001"

 

  • Shortly afterwards, a second, near-identical RESET packet for the same session arrives at the FortiGate from 192.168.1.2 to 172.16.1.2. FortiGate flags it as 'replay packet(allow_err), suspicious' and drops it with 'anti-replay check fails, drop'. This is expected: the connection was already reset by the first packet, so the duplicate is not forwarded:

 

id=20095 trace_id=4029 func=print_pkt_detail line=5918 msg="vd-Test:0 received a packet(proto=6, 192.168.1.2:57220->172.16.1.2:514) tun_id=0.0.0.0 from port1. flag [R], seq 1145693492, ack 1145693492, win 0"
id=20095 trace_id=4029 func=resolve_ip_tuple_fast line=6004 msg="Find an existing session, id-19248a01, original direction"
id=20095 trace_id=4029 func=tcp_anti_reply line=1112 msg="replay packet(allow_err), suspicious"
id=20095 trace_id=4029 func=ip_session_core_in line=6665 msg="anti-replay check fails, drop"
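When the flow debug is long, it helps to group the output by trace_id and link each 'replay packet(allow_err), suspicious' trace back to the earlier trace that matched the same session, which is the packet the dropped one duplicates. The script below is an added example written for this article; it is not Fortinet code and does not call any FortiGate API. It only parses the debug flow text shown above (embedded here verbatim, with the closing quote of the last line normalised to a plain double quote) and assumes the line layout `trace_id=… func=… line=… msg="…"` used in that output.

```python
import re
from collections import OrderedDict

# Debug flow output copied from the article above (the two RST packets for
# session 19248a01 and the anti-replay drop of the second one).
SAMPLE_DEBUG_FLOW = """\
id=20095 trace_id=4028 func=print_pkt_detail line=5918 msg="vd-Test:0 received a packet(proto=6, 192.168.1.2:57220->172.16.1.2:514) tun_id=0.0.0.0 from port1. flag [R], seq 1145693491, ack 1145693491, win 0"
id=20095 trace_id=4028 func=resolve_ip_tuple_fast line=6004 msg="Find an existing session, id-19248a01, original direction"
id=20095 trace_id=4028 func=npu_handle_session44 line=1234 msg="Trying to offloading session from port1 to port2, skb.npu_flag=00000000 ses.state=04000204 ses.npu_state=0x04001001"
id=20095 trace_id=4028 func=fw_forward_dirty_handler line=412 msg="state=04000204, state2=00004001, npu_state=04001001"
id=20095 trace_id=4029 func=print_pkt_detail line=5918 msg="vd-Test:0 received a packet(proto=6, 192.168.1.2:57220->172.16.1.2:514) tun_id=0.0.0.0 from port1. flag [R], seq 1145693492, ack 1145693492, win 0"
id=20095 trace_id=4029 func=resolve_ip_tuple_fast line=6004 msg="Find an existing session, id-19248a01, original direction"
id=20095 trace_id=4029 func=tcp_anti_reply line=1112 msg="replay packet(allow_err), suspicious"
id=20095 trace_id=4029 func=ip_session_core_in line=6665 msg="anti-replay check fails, drop"
"""

# Generic shape of one debug flow line; a curly closing quote is tolerated
# because copy/paste often replaces the plain one.
LINE_RE = re.compile(
    r'trace_id=(?P<trace>\d+)\s+func=(?P<func>\S+)\s+line=\d+\s+msg="(?P<msg>.*?)["\u201d]\s*$'
)
# 5-tuple, TCP flags and sequence number from a print_pkt_detail message.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)'
    r'.*?flag \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)'
)
# Session id FortiGate matched the packet to.
SESS_RE = re.compile(r'Find an existing session, id-(?P<sid>[0-9a-fA-F]+)')

REPLAY_MSG = "replay packet(allow_err), suspicious"
DROP_MSG = "anti-replay check fails, drop"


def parse_traces(text):
    """Group debug flow lines by trace_id (in order of first appearance).

    Each trace is a dict holding the packet 5-tuple, TCP flags, sequence
    number, matched session id and the list of raw messages."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug flow line (banner, prompt, blank)
        t = traces.setdefault(m.group("trace"), {
            "trace_id": m.group("trace"), "tuple": None, "flags": None,
            "seq": None, "session": None, "messages": [],
        })
        msg = m.group("msg")
        t["messages"].append(msg)
        pm = PKT_RE.search(msg)
        if pm:
            t["tuple"] = (pm.group("proto"), pm.group("src"), pm.group("sport"),
                          pm.group("dst"), pm.group("dport"))
            t["flags"] = pm.group("flags")
            t["seq"] = int(pm.group("seq"))
        sm = SESS_RE.search(msg)
        if sm:
            t["session"] = sm.group("sid")
    return traces


def find_replay_drops(text):
    """Return one finding per trace that hit the anti-replay check.

    'duplicate_of' is the trace_id of the first earlier trace that matched the
    same session, i.e. the packet this one repeats (None if there is none)."""
    traces = parse_traces(text)
    first_trace_for_session = {}
    findings = []
    for tid, t in traces.items():
        if REPLAY_MSG in t["messages"]:
            findings.append({
                "trace_id": tid,
                "session": t["session"],
                "tuple": t["tuple"],
                "flags": t["flags"],
                "seq": t["seq"],
                "dropped": DROP_MSG in t["messages"],
                "duplicate_of": first_trace_for_session.get(t["session"]),
            })
        if t["session"] is not None:
            first_trace_for_session.setdefault(t["session"], tid)
    return findings


if __name__ == "__main__":
    for f in find_replay_drops(SAMPLE_DEBUG_FLOW):
        proto, src, sport, dst, dport = f["tuple"]
        print(f"trace {f['trace_id']}: {src}:{sport}->{dst}:{dport} flags [{f['flags']}] "
              f"seq {f['seq']} session {f['session']} dropped={f['dropped']} "
              f"duplicate of trace {f['duplicate_of']}")
```

Run against a real capture, each finding tells you which earlier packet the dropped one repeats; if the sequence numbers differ by only a small amount and the flags match, as in the article's pair of RST packets, the drop is the expected anti-replay behaviour rather than a policy problem.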