Description:
In an asymmetric environment, traffic is blocked even though a firewall policy permits it.
Additionally, in a dual-hub ADVPN setup, when SD-WAN steers the traffic via hub2, the session is dropped because the packets are not part of the initial TCP three-way handshake.
This article describes how to troubleshoot it.
Scope: FortiGate.
Solution:
The 'tcp-session-without-syn' setting allows the FortiGate to create a TCP session without checking for the SYN flag on the first packet. This means that in an asymmetric environment, where the FortiGate never receives the SYN packet, it can still create a session and allow the traffic.
Example:
diagnose debug console timestamp enable
diagnose debug flow filter daddr 3.3.3.3
diagnose debug flow trace start 1000
diagnose debug enable
..
..
id=20085 trace_id=138 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:62952->3.3.3.3:80) from port21. flag [R.], seq 659140411, ack 1499904319, win 0"
id=20085 trace_id=138 func=init_ip_session_common line=5995 msg="allocate a new session-5e294602"
id=20085 trace_id=138 func=vf_ip_route_input_common line=2615 msg="find a route: flag=00000000 gw-2.2.2.2 via WAN"
id=20085 trace_id=138 func=fw_forward_handler line=695 msg="Denied by TCP SYN check, drop" <----- No session.

Or:

id=65308 trace_id=601 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=6, 192.168.121.93:57304->192.168.130.162:3333) tun_id=192.168.251.105 from Test_Inet1_2_0. flag [.], seq 3065183144, ack 3328783317, win 1023"
id=65308 trace_id=601 func=rpdb_srv_match_input line=1046 msg="Match policy routing id=2: to 192.168.130.162 via ifindex-59"
id=65308 trace_id=601 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-192.168.251.126 via Test_Inet1_2_0"
id=65308 trace_id=601 func=fw_forward_dirty_handler line=393 msg="no session matched"

To disable the debug, type this command:
diagnose debug disable
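In a long debug flow capture these drops are easy to miss, so here is an added Python script (not part of this article or of FortiOS) that groups the trace lines by trace_id and reports TCP flows dropped with either of the two messages above while the first packet the FortiGate saw carried no SYN flag. The sample trace is constructed from the article's output plus one allowed SYN (trace 602) for contrast.

```python
import re
from collections import defaultdict

# Constructed sample of 'diagnose debug flow' output, one message per line, modelled
# on the two traces in this article plus one allowed SYN for contrast (trace 602).
SAMPLE_TRACE = """\
id=20085 trace_id=138 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 1.1.1.1:62952->3.3.3.3:80) from port21. flag [R.], seq 659140411, ack 1499904319, win 0"
id=20085 trace_id=138 func=init_ip_session_common line=5995 msg="allocate a new session-5e294602"
id=20085 trace_id=138 func=vf_ip_route_input_common line=2615 msg="find a route: flag=00000000 gw-2.2.2.2 via WAN"
id=20085 trace_id=138 func=fw_forward_handler line=695 msg="Denied by TCP SYN check, drop"
id=65308 trace_id=601 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=6, 192.168.121.93:57304->192.168.130.162:3333) tun_id=192.168.251.105 from Test_Inet1_2_0. flag [.], seq 3065183144, ack 3328783317, win 1023"
id=65308 trace_id=601 func=fw_forward_dirty_handler line=393 msg="no session matched"
id=65308 trace_id=602 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:40000->3.3.3.3:80) from port21. flag [S], seq 1, ack 0, win 65535"
id=65308 trace_id=602 func=fw_forward_handler line=700 msg="Allowed by Policy-3:"
"""
# key=value pairs; a quoted value (the msg) is taken whole so its inner '=' are ignored
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\).*?flag \[(?P<flags>[^\]]*)\]')
# the two drop messages the article shows for a non-SYN first packet
DROP_REASONS = ("Denied by TCP SYN check", "no session matched")

def parse_line(line):
    """Return the key=value fields of one debug-flow line, with msg unquoted."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_syn_check_drops(trace_text):
    """Per trace_id, report TCP flows dropped for lack of a session when the first
    packet the FortiGate saw was not a SYN: the symptom tcp-session-without-syn addresses."""
    by_trace = defaultdict(list)
    for line in trace_text.splitlines():
        fields = parse_line(line)
        if "trace_id" in fields and "msg" in fields:
            by_trace[fields["trace_id"]].append(fields["msg"])
    drops = []
    for trace_id, msgs in by_trace.items():
        pkt = next((m for m in map(PKT_RE.search, msgs) if m), None)
        reason = next((r for m in msgs for r in DROP_REASONS if m.startswith(r)), None)
        if pkt is None or reason is None or pkt["proto"] != "6":
            continue  # no packet detail, not dropped, or not TCP
        if "S" in pkt["flags"]:
            continue  # a SYN was present, so this drop has another cause
        drops.append({"trace_id": trace_id, "reason": reason, "flags": pkt["flags"],
                      "flow": f'{pkt["src"]}:{pkt["sport"]}->{pkt["dst"]}:{pkt["dport"]}'})
    return drops

if __name__ == "__main__":
    for d in find_syn_check_drops(SAMPLE_TRACE):
        print(f'trace {d["trace_id"]}: {d["flow"]} flags [{d["flags"]}] -> {d["reason"]}')
```

Each reported flow names the policy path to check before deciding whether tcp-session-without-syn belongs on that policy; flows whose first packet was a SYN are left out because their drop has a different cause.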
From CLI:

config system settings
    set tcp-session-without-syn enable    <----- Enable this to make the tcp-session-without-syn option available in the firewall policy.
end

config firewall policy
    edit <policyid>
        set tcp-session-without-syn <all/data-only/disable>
    end

all: Enable TCP session without SYN.
data-only: Enable TCP session data only.
disable: Disable TCP session without SYN.
From GUI:
Related documents:
Copyright 2025 Fortinet, Inc. All Rights Reserved.