Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
yangw
Staff
Staff

Created on ‎09-02-2025 01:03 AM Edited on ‎09-02-2025 01:04 AM By Community Manager

Article Id 408999

Troubleshooting Tip: FortiGate 'no session matched' with rapid TCP session reuse

Description This article explains how to troubleshoot a FortiGate 'no session matched' error that occurs when a client reuses the same source/destination/ports within a very short interval (for example, under 0.5 seconds), so the firewall has no active session to match and drops packets. It provides validated steps, example debug logs, and two configuration options to accommodate this pattern.
Scope FortiGate v7.2.
Solution

Feature:

IPv4 policy advanced option tcp-session-without-syn.

 

Symptom:
Traffic intermittently drops with fw_forward_dirty_handler 'no session matched' in debug flow, often when the endpoint quickly tears down and reuses the same source/destination/ports before FortiGate rebuilds a new session.

Example debug flow shows new SYN allowed and subsequent non-SYN packets sometimes hitting fw_forward_dirty_handler with 'no session matched'.

 

Reasons:

FortiGate matches packets to an existing session. If the initial SYN of the new connection was not observed (asymmetric return path, session reuse within sub‑second timing, or a prior session aged/cleared), subsequent packets can be treated as out-of-state and dropped with “no session matched.” Environments with asymmetric routing or rapid reuse of the same source/destination/ports are especially prone to this.

 

Troubleshooting steps:
Collect evidence with debug flow and session table:

 

diagnose debug console timestamp enable

diagnose debug flow filter addr <src/dst IP>

diagnose debug flow trace start 1000

diagnose debug enable

diagnose sys session list | grep IP:port

 

Confirm whether SYN was seen and whether the drop occurs on non‑SYN packets with 'no session matched'. Check for asymmetry and fast reuse: validate routing/SD‑WAN paths and application behavior for rapid reconnects.

 

Workarounds and configuration:

Enable tcp-session-without-syn selectively.

 

Make the option available:

 

config system settings

    set tcp-session-without-syn enable

end

 

Apply per-policy with the narrowest scope necessary:

 

config firewall policy

    edit 2442

        set name "TCP-23999 forward"

        set srcintf "any"

        set dstintf "any"

        set srcaddr "Server-10.100.180.226"

        set dstaddr "Server-10.100.183.195"

        set service "TCP-23999"

        set tcp-session-without-syn all

        set logtraffic all

        set logtraffic-start enable

        set auto-asic-offload disable

    next

end

 

Reverse-direction policy:

If traffic is bidirectional with different policies, mirror a specific reverse policy and set tcp-session-without-syn consistently for that flow. Keep the reverse rule as tight as possible on addresses/ports.

 

Validation:
Reproduce the client’s rapid reconnect and verify that sessions are now created even without seeing SYN, and that debug flow no longer shows 'no session matched' for the targeted traffic.
254
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.