Description | This article describes why, in architectures configured with SPA, multiple 'TCP reset from Server' logs are often observed in LDAP Logs. |
Scope | FortiSASE, FortiGate. |
Solution |
GUI Log: (screenshot not reproduced in this text version)
Raw Log:
date=2024-10-15 time=17:25:42 id=7426054899244204079 itime="2024-10-15 17:25:42" euid=1122 epid=1172 dsteuid=3 dstepid=101 logflag=1 logver=702086407 type="traffic" subtype="forward" level="notice" action="server-rst" policyid=1000 sessionid=182256341 srcip=10.212.128.26 dstip=10.10.2.5 transip=172.16.221.1 srcport=52628 dstport=389 transport=52628 trandisp="snat" duration=5 proto=6 vrf=10 sentbyte=2479 rcvdbyte=894 sentpkt=7 rcvdpkt=7 logid=0000000013 user="jwxxxxxx " unauthuser="jwxxxx" service="LDAP" app="LDAP" appcat="unknown" fctuid="XXXXXXXXXXXXXX" srcintfrole="undefined" dstintfrole="undefined" policytype="policy" eventtime=1729013142080571813 vwlid=1000 poluuid="2d50da02-beec-51ee-84a9-c987d5fe7a20" srccountry="Reserved" dstcountry="Reserved" srcintf="ssl.root" dstintf="hub1" unauthusersource="forticlient" authserver="FORTISASE_SAML_SERVER-ext" applist="internal-FFH_SPA_Default" vpntype="ipsecvpn" policyname="Allow-All_Private_Traffic" vwlquality="Seq_num(101 hub1), alive, sla(0x1), gid(0), cfg_order(0), local cost(5), selected" direction=internal tz="+0000" srcdomain="ffhl.intr" vwlname="to_hub" devid="FGVMXXXXX" vd="root" dtime="2024-10-15 17:25:42" itime_t=1729013142 devname="Toronto_Canada"
Explanation:
In an SPA deployment, FortiSASE applies source NAT on the private-access policy by default, so LDAP connections from many remote users reach the Domain Controller from one NATed address rather than from each client's own IP. In the log above this is visible as trandisp="snat" with transip=172.16.221.1 as the source address the server sees, while srcip=10.212.128.26 is the real client; dstport=389 and service="LDAP" identify the LDAP traffic, and action="server-rst" records that the server, not the client, ended the session with a TCP reset. When several users authenticate through the same NATed address within a very short span of time, the Domain Controller may treat the burst of connections from a single IP as suspicious and tear some of them down with a TCP RST as part of its defense against malicious attempts. With SNAT enabled, these server-side resets are therefore expected and do not indicate a FortiSASE or FortiGate fault: the client retries and the subsequent authentication attempts succeed. If the subsequent attempts do not succeed, the resets are not explained by this behavior and should be investigated separately. |
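The following script is an added example, not part of the original article or any Fortinet tool. It parses raw FortiGate/FortiSASE key=value traffic logs, keeps only SNATed LDAP sessions that the server ended with a reset, and groups them by NATed source address into short bursts. A burst containing several distinct users behind one transip is the pattern the explanation above describes as expected; a reset from a lone user is reported separately so it can be checked on its own. The log lines are constructed for the example (field subsets modelled on the raw log above), and the 10-second burst window and the "two or more users" heuristic are assumptions chosen here, not Fortinet or Microsoft thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiGate/FortiSASE logs are space-separated key=value pairs. Quoted values
# may contain spaces (e.g. vwlquality="Seq_num(101 hub1), alive, ..."), so a
# naive split on whitespace breaks; this regex consumes a quoted value whole.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one raw FortiGate log line into a dict with surrounding quotes removed."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def is_ldap_server_reset(f):
    """Forward traffic session to LDAP/389 through a SNAT policy, ended by a server RST."""
    return (f.get("type") == "traffic" and f.get("subtype") == "forward"
            and f.get("action") == "server-rst"
            and f.get("dstport") == "389"
            and f.get("trandisp") == "snat")


def _when(f):
    return datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")


def cluster_snat_resets(lines, window_seconds=10):
    """Group matching resets by (transip, dstip) and split each group into bursts
    whose first and last event are at most window_seconds apart. A burst with
    several distinct users behind one NATed address is flagged as the expected
    SNAT-induced pattern (assumed heuristic); anything else is left for review."""
    by_key = defaultdict(list)
    for line in lines:
        f = parse_fortigate_log(line)
        if is_ldap_server_reset(f):
            by_key[(f["transip"], f["dstip"])].append(f)

    bursts = []
    window = timedelta(seconds=window_seconds)
    for (transip, dstip), events in by_key.items():
        events.sort(key=_when)
        current = None
        for f in events:
            t = _when(f)
            if current is None or t - current["start"] > window:
                current = {"transip": transip, "dstip": dstip, "start": t,
                           "end": t, "users": set(), "sessions": 0}
                bursts.append(current)
            current["end"] = t
            current["sessions"] += 1
            # user="jwxxxxxx " carries a trailing space in real logs; normalise it.
            current["users"].add(f.get("user", "").strip())
    for b in bursts:
        b["expected_snat_pattern"] = len(b["users"]) >= 2
    bursts.sort(key=lambda b: b["start"])
    return bursts


# Constructed sample logs (not real captures), abbreviated to the relevant fields.
SAMPLE_LOGS = [
    'date=2024-10-15 time=17:25:42 type="traffic" subtype="forward" action="server-rst" policyid=1000 srcip=10.212.128.26 dstip=10.10.2.5 transip=172.16.221.1 srcport=52628 dstport=389 trandisp="snat" proto=6 user="jwxxxxxx " service="LDAP" vwlquality="Seq_num(101 hub1), alive, sla(0x1), selected" vpntype="ipsecvpn"',
    'date=2024-10-15 time=17:25:43 type="traffic" subtype="forward" action="server-rst" policyid=1000 srcip=10.212.128.31 dstip=10.10.2.5 transip=172.16.221.1 srcport=52701 dstport=389 trandisp="snat" proto=6 user="abxxxxxx" service="LDAP"',
    'date=2024-10-15 time=17:25:44 type="traffic" subtype="forward" action="server-rst" policyid=1000 srcip=10.212.128.40 dstip=10.10.2.5 transip=172.16.221.1 srcport=52733 dstport=389 trandisp="snat" proto=6 user="cdxxxxxx" service="LDAP"',
    # Same NATed source but port 445: not LDAP, must be ignored.
    'date=2024-10-15 time=17:25:44 type="traffic" subtype="forward" action="server-rst" policyid=1000 srcip=10.212.128.40 dstip=10.10.2.5 transip=172.16.221.1 srcport=52740 dstport=445 trandisp="snat" proto=6 user="cdxxxxxx" service="SMB"',
    # Session closed by the client side: not a server reset, must be ignored.
    'date=2024-10-15 time=17:25:45 type="traffic" subtype="forward" action="client-rst" policyid=1000 srcip=10.212.128.55 dstip=10.10.2.5 transip=172.16.221.1 srcport=52800 dstport=389 trandisp="snat" proto=6 user="efxxxxxx" service="LDAP"',
    # Ten minutes later, one user only: a separate burst that is not the many-users pattern.
    'date=2024-10-15 time=17:35:10 type="traffic" subtype="forward" action="server-rst" policyid=1000 srcip=10.212.128.26 dstip=10.10.2.5 transip=172.16.221.1 srcport=53002 dstport=389 trandisp="snat" proto=6 user="jwxxxxxx" service="LDAP"',
]


if __name__ == "__main__":
    for b in cluster_snat_resets(SAMPLE_LOGS):
        status = "expected (multiple users behind SNAT)" if b["expected_snat_pattern"] else "review"
        print(f'{b["start"]:%H:%M:%S}-{b["end"]:%H:%M:%S} {b["transip"]} -> {b["dstip"]}: '
              f'{b["sessions"]} reset(s), users={sorted(b["users"])}: {status}')
```

Run against an export of the traffic log; the first burst above (three users behind 172.16.221.1 within two seconds) is reported as the expected SNAT pattern, while the lone reset at 17:35:10 is left for review, since the article's explanation only accounts for resets caused by several users sharing one NATed address.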
Copyright 2025 Fortinet, Inc. All Rights Reserved.