DPadula
Staff
Article Id 347342
Description: This article describes how the log message ip-conn (log ID 0000000011, application DNS) is generated.
Scope: FortiGate.
Solution
The entry 'action=ip-conn' may be seen in the traffic logs.

For example:

date="2024-10-06" time="16:51:43" id=7422536303121530880 bid=224479 dvid=1042 itime=1728193905 euid=3 epid=3 dsteuid=3 dstepid=101 logflag=1 logver=702081639 type="traffic" subtype="forward" level="warning" action="ip-conn" policyid=2 sessionid=49297 srcip="10.91.0.251" dstip="10.92.1.194" srcport=39307 dstport=53 proto=17 logid="0000000011" service="DNS" app="DNS" appcat="unscanned" srcintfrole="undefined" dstintfrole="undefined" policytype="policy" eventtime=1728193902812519114 crscore=5 craction=262144 crlevel="low" poluuid="ea5a1678-636e-51ef-340e-0fa5a1a12a5e" srccountry="Reserved" dstcountry="Reserved" srcintf="port3" dstintf="port2" policyname="allow_p3_p2" threatwgts="{5}" threatcnts="{1}" threatlvls="{1}" threats="{failed-connection}" threattyps="{failed-connection}" tz="+1100" devid="FGVM0XXXXXXXXXXX" vd="root" devname="FGT-744_1"

This can occur if the connection to the remote server fails, a timeout occurs, or no reply from the server is seen.

The lack of a reply is not caused by the FortiGate, but the FortiGate will generate a log entry like the one above if an ICMP Type 3 (Destination Unreachable) message with Code 0, 1, or 3 is seen on the network segment.
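As an added example that is not part of the original article, the following Python script parses FortiGate key=value traffic log lines such as the one above and counts ip-conn (log ID 0000000011) events per destination, so that a server that keeps failing to answer stands out in the log stream. The first sample line is the log entry shown above; the two further lines are constructed for this example, and the parser assumes the standard FortiGate layout of space-separated key=value pairs with double-quoted string values.

```python
"""Parse FortiGate traffic logs and pick out ip-conn (log ID 0000000011) failures."""
import re
from collections import Counter

# One key=value pair; the value is either double-quoted or a bare token.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The ip-conn log shown in the article, split across literals only for readability.
SAMPLE_LOG = (
    'date="2024-10-06" time="16:51:43" id=7422536303121530880 bid=224479 dvid=1042 '
    'itime=1728193905 euid=3 epid=3 dsteuid=3 dstepid=101 logflag=1 logver=702081639 '
    'type="traffic" subtype="forward" level="warning" action="ip-conn" policyid=2 '
    'sessionid=49297 srcip="10.91.0.251" dstip="10.92.1.194" srcport=39307 dstport=53 '
    'proto=17 logid="0000000011" service="DNS" app="DNS" appcat="unscanned" '
    'srcintfrole="undefined" dstintfrole="undefined" policytype="policy" '
    'eventtime=1728193902812519114 crscore=5 craction=262144 crlevel="low" '
    'poluuid="ea5a1678-636e-51ef-340e-0fa5a1a12a5e" srccountry="Reserved" '
    'dstcountry="Reserved" srcintf="port3" dstintf="port2" policyname="allow_p3_p2" '
    'threatwgts="{5}" threatcnts="{1}" threatlvls="{1}" threats="{failed-connection}" '
    'threattyps="{failed-connection}" tz="+1100" devid="FGVM0XXXXXXXXXXX" vd="root" '
    'devname="FGT-744_1"'
)

# Constructed lines (not from the article): a second ip-conn towards the same DNS
# server, and an ordinary accepted session that the summary must ignore.
CONSTRUCTED_LOGS = [
    'date="2024-10-06" time="16:52:01" type="traffic" subtype="forward" level="warning" '
    'action="ip-conn" policyid=2 sessionid=49310 srcip="10.91.0.252" dstip="10.92.1.194" '
    'srcport=40012 dstport=53 proto=17 logid="0000000011" service="DNS" app="DNS" '
    'threats="{failed-connection}" srcintf="port3" dstintf="port2"',
    'date="2024-10-06" time="16:52:05" type="traffic" subtype="forward" level="notice" '
    'action="accept" policyid=2 sessionid=49311 srcip="10.91.0.251" dstip="10.92.1.10" '
    'srcport=40013 dstport=443 proto=6 logid="0000000013" service="HTTPS" app="HTTPS" '
    'srcintf="port3" dstintf="port2"',
]


def parse_fortigate_log(line: str) -> dict:
    """Return the key=value fields of one FortiGate log line as a dict of strings."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        # group(2) is None (not '') when the value was not quoted, so empty
        # quoted values such as x="" are preserved as empty strings.
        fields[key] = quoted if quoted is not None else bare
    return fields


def is_ip_conn(fields: dict) -> bool:
    """True for the failed-connection traffic event this article describes."""
    return (fields.get("type") == "traffic"
            and fields.get("action") == "ip-conn"
            and fields.get("logid") == "0000000011")


def summarize_failed_connections(lines) -> Counter:
    """Count ip-conn events per (dstip, dstport, service).

    A destination that keeps appearing here is unreachable somewhere beyond the
    FortiGate (no reply, timeout, or an ICMP unreachable seen on the segment);
    the firewall did not block it, which is the point the article makes."""
    counts = Counter()
    for line in lines:
        f = parse_fortigate_log(line)
        if is_ip_conn(f):
            counts[(f.get("dstip"), f.get("dstport"), f.get("service"))] += 1
    return counts


if __name__ == "__main__":
    summary = summarize_failed_connections([SAMPLE_LOG, *CONSTRUCTED_LOGS])
    for (dstip, dstport, service), n in summary.items():
        print(f"{n} ip-conn event(s) towards {dstip}:{dstport} ({service})")
```

Feeding the script a larger export from FortiAnalyzer or the FortiGate CLI is a quick way to tell a single transient failure from a DNS server that is consistently unreachable.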

 

To explain this behaviour, refer to the following network diagram:

[Image: network diagram.PNG]

 

The Linux machine uses the Windows 2019 Server as its DNS server (10.92.1.194).

To replicate the issue, assume the DNS server cannot be reached but the router still has a route to it in its routing table pointing to Ge0/2. Because the router cannot reach the DNS server, it generates the ICMP message Destination unreachable (Host unreachable), ICMP Type 3 Code 0, and sends it to the Linux machine.

[Image: ICMP Type3Code1 highligthed.PNG]

 

Once such an ICMP message reaches the FortiGate via port2, the FortiGate generates a log message similar to the one shown at the beginning of this article. In this setup the FortiGate has FortiAnalyzer configured, so all log messages are sent to FortiAnalyzer, as shown in the following image.

[Image: faz ip-conn fields.png]

The FortiGate is not responsible for the lack of communication between the DNS client and the DNS server, but it will log an ip-conn message (Log ID 0000000011, DNS application) whenever an ICMP Type 3 message with Code 0, 1, or 3 reaches one of its interfaces.
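To show what the FortiGate actually sees on the wire in this scenario, the following added Python example (not from the article and not Fortinet code) builds and decodes an ICMP Destination Unreachable message. Per RFC 792, a Type 3 error carries the IP header and the first 8 bytes of the datagram that could not be delivered, which is what lets a firewall attribute the error to an existing UDP/53 session and fill the srcip, dstip, srcport and dstport fields of the log above. The code meanings used here are the RFC 792 ones (0 net unreachable, 1 host unreachable, 3 port unreachable); the router address 10.92.1.1 is a placeholder, and the 40-byte DNS query payload size is an assumption made for the constructed packet.

```python
"""Build and decode an ICMP Destination Unreachable message (constructed example)."""
import socket
import struct

ICMP_DEST_UNREACHABLE = 3
# RFC 792 Type 3 codes that the article says trigger an ip-conn log entry.
TRIGGERING_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over data that
    already contains a correct checksum, which is how it is verified below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_unreachable(code: int, orig_src: str, orig_dst: str,
                      sport: int, dport: int, router_ip: str) -> bytes:
    """Constructed ICMP error as a router would send it back to orig_src.
    Body = original IP header + first 8 bytes of the original datagram, i.e. the
    UDP header of the DNS query (a 40-byte DNS payload is assumed for the lengths)."""
    orig_udp = struct.pack("!HHHH", sport, dport, 8 + 40, 0)
    orig_ip = ipv4_header(orig_src, orig_dst, 17, 20 + 8 + 40)
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0) + orig_ip + orig_udp
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router_ip, orig_src, 1, 20 + len(icmp)) + icmp


def decode_unreachable(packet: bytes):
    """Return the original flow an ICMP Type 3 error refers to, or None when the
    packet is not a valid Destination Unreachable with one of the triggering codes."""
    if len(packet) < 20 or packet[9] != 1:          # too short, or not ICMP
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 20 or internet_checksum(icmp) != 0:
        return None                                  # truncated or corrupted
    itype, code = icmp[0], icmp[1]
    if itype != ICMP_DEST_UNREACHABLE or code not in TRIGGERING_CODES:
        return None
    inner = icmp[8:]                                 # copy of the undeliverable datagram
    inner_ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    sport = dport = None
    if proto in (6, 17) and len(inner) >= inner_ihl + 4:   # TCP/UDP ports come first
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "code": code,
        "reason": TRIGGERING_CODES[code],
        "reported_by": socket.inet_ntoa(packet[12:16]),
        "src": socket.inet_ntoa(inner[12:16]),
        "dst": socket.inet_ntoa(inner[16:20]),
        "proto": proto,
        "sport": sport,
        "dport": dport,
    }


if __name__ == "__main__":
    # Router (placeholder address) reporting the DNS server as unreachable.
    pkt = build_unreachable(1, "10.91.0.251", "10.92.1.194", 39307, 53, "10.92.1.1")
    print(decode_unreachable(pkt))
```

The decoded dictionary maps directly onto the log fields: src/dst are srcip/dstip, sport/dport are srcport/dstport, and proto=17 with dport 53 is why the entry is classified as service DNS. A capture filter such as 'icmp[0] == 3' on the FortiGate's port2 side, or a sniffer on the client, shows the same packets and confirms the failure originates upstream of the firewall.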

 

Related article:

Technical Tip: Blocking ICMP Unreachable Messages by using interface-policy
