FortiGate
mle2802
Staff
Article Id 379841
Description This article describes how to troubleshoot the case where FortiGate does not reply with a TCP RST packet even though 'set send-deny-packet' is enabled on the deny policy.
Scope FortiGate.
Solution

On the firewall policy, the option 'set send-deny-packet' is enabled. This option makes FortiGate send a TCP RST packet when traffic matches a deny policy, instead of silently dropping the packet (which leaves the client waiting until its connection attempt times out).


In the packet capture, however, no TCP RST is sent back by FortiGate, and the connection times out after a while.

This happens because 'set deny-tcp-with-icmp' is enabled under 'config system settings'. That system-level setting takes precedence over the per-policy 'set send-deny-packet' option, so the TCP RST is not generated.


Disable that option and try to connect again. This time the TCP RST packet is sent and the connection is refused immediately instead of timing out.
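The check and the fix from the steps above, written out as FortiOS CLI. This is an added example and not part of the original article; the policy ID 10, the host 10.0.0.5 and TCP port 22 used in the sniffer filter are assumptions, and the unit is assumed to have VDOMs disabled (on a multi-VDOM unit, run the 'system settings' commands inside 'config vdom' / 'edit <vdom-name>').

```text
# Added example (not from the original article). Assumed values: policy ID 10,
# test host 10.0.0.5, TCP port 22, VDOMs disabled.

# 1. Check the system-level setting first. If it reports "enable", deny policies
#    will not answer with a TCP RST, whatever the policy itself says.
show full-configuration system settings | grep deny-tcp-with-icmp

# 2. Disable it so the per-policy option below takes effect.
config system settings
    set deny-tcp-with-icmp disable
end

# 3. The deny policy with the RST option. 'send-deny-packet' is only offered
#    when the action is deny.
config firewall policy
    edit 10
        set action deny
        set send-deny-packet enable
    next
end

# 4. Verify: sniff the test flow (verbosity 4 prints interface names, count 10)
#    while the client connects. A refused connection now shows the SYN followed
#    by a RST from the FortiGate; before the change the SYN went unanswered.
diagnose sniffer packet any 'host 10.0.0.5 and tcp port 22' 4 10
```

Running step 1 before touching the policy saves a round of packet captures: the per-policy flag looks correct in the GUI, and the reason the RST never appears is only visible in 'system settings'.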
