Description |
In an asymmetric environment, blocking occurs even though there is a firewall permit policy.
This article describes how to troubleshoot it. |
Scope | FortiGate, all firmware. |
Solution |
The 'tcp-session-without-syn' setting allows the FortiGate to create a TCP session without checking for the SYN flag on the first packet. In an asymmetric environment this means that, even if the FortiGate never receives the SYN packet of a flow, it can still create a session for that flow and allow the traffic.
Example:
diagnose debug console timestamp enable
diagnose debug flow filter daddr 3.3.3
diagnose debug flow trace start 1000
diagnose debug enable
..
..
id=20085 trace_id=138 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:62952->3.3.3.3:80) from port21. flag [R.], seq 659140411, ack 1499904319, win 0"
id=20085 trace_id=138 func=init_ip_session_common line=5995 msg="allocate a new session-5e294602"
id=20085 trace_id=138 func=vf_ip_route_input_common line=2615 msg="find a route: flag=00000000 gw-2.2.2.2 via WAN"
id=20085 trace_id=138 func=fw_forward_handler line=695 msg="Denied by TCP SYN check, drop" <----- No session.

From CLI :
# config system settings
    set tcp-session-without-syn enable   <----- Enable this first so that the tcp-session-without-syn option becomes available in the firewall policy.
end

# config firewall policy
    edit <policyid>
        set tcp-session-without-syn <all/data-only/disable>
    end
end

all: Enable TCP session without SYN.
data-only: Enable TCP session data only.
disable: Disable TCP session without SYN.
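When a long 'diagnose debug flow' capture has to be sifted for the "Denied by TCP SYN check" drops shown above, a small parser helps. The following Python script is an added example, not Fortinet's own tooling or part of this article: it splits each debug-flow line into its key=value fields, pairs every drop with the packet header printed for the same trace_id, and flags whether a SYN was seen; trace 138 is the article's output, while traces 139 and 140 are constructed sample lines.

```python
import re

# Key/value tokens of a 'diagnose debug flow' line; the msg= value is double-quoted.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Packet header printed by print_pkt_detail: proto, src:port->dst:port, ingress interface, TCP flags.
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) '
    r'from (?P<iface>\S+)\. flag \[(?P<flags>[^\]]*)\]'
)

# Constructed sample: trace 138 is the article's own output; 139 and 140 are hypothetical.
SAMPLE_TRACE = [
    'id=20085 trace_id=138 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet'
    '(proto=6, 1.1.1.1:62952->3.3.3.3:80) from port21. flag [R.], seq 659140411, '
    'ack 1499904319, win 0"',
    'id=20085 trace_id=138 func=fw_forward_handler line=695 msg="Denied by TCP SYN check, drop"',
    'id=20085 trace_id=139 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet'
    '(proto=6, 1.1.1.1:51000->3.3.3.3:80) from port21. flag [.], seq 10, ack 20, win 512"',
    'id=20085 trace_id=139 func=fw_forward_handler line=695 msg="Denied by TCP SYN check, drop"',
    'id=20085 trace_id=140 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet'
    '(proto=6, 1.1.1.1:51001->3.3.3.3:80) from port21. flag [S], seq 30, ack 0, win 65535"',
]

def parse_flow_line(line):
    """Split one debug-flow line into its key=value fields, stripping the quotes around msg."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields

def find_syn_check_drops(lines):
    """Return one record per trace_id that hit 'Denied by TCP SYN check', joined with
    the packet header seen for that trace so the non-SYN first packet is visible."""
    packets, drops = {}, []
    for line in lines:
        f = parse_flow_line(line)
        tid, msg = f.get("trace_id"), f.get("msg", "")
        m = PKT_RE.search(msg)
        if m:
            packets[tid] = m.groupdict()  # remember the last header seen for this trace
        elif "Denied by TCP SYN check" in msg:
            rec = dict(packets.get(tid, {}), trace_id=tid)
            rec["syn_set"] = "S" in rec.get("flags", "")  # False for [R.] or [.] first packets
            drops.append(rec)
    return drops
```

Pipe a saved capture through find_syn_check_drops() to see which source/destination pairs arrive at the FortiGate without their SYN, which is the evidence for asymmetric routing before touching tcp-session-without-syn.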
From GUI :
Copyright 2023 Fortinet, Inc. All Rights Reserved.