FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 253183
Description: This article describes how to troubleshoot the 'org dir, ack in state syn_sent, suspicious' error seen in flow debug logs.
Scope: FortiGate, flow debug.
Solution

The 'anti-replay check fails, drop' message appears right after the 'org dir, ack in state syn_sent, suspicious' message in the flow debug logs.

Example.

Issue: Unable to connect to the server x.x.x.x (a TCP service hosted on it).

Run the following flow debug on the FortiGate:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow show function-name enable
diagnose debug flow filter addr x.x.x.x <----- Replace x.x.x.x with the destination server IP.
diagnose debug flow trace start 999
diagnose debug enable

Log output:

Topology:

172.16.72.193 (Test_PC) ------ (port10) FortiGate (port2) --------- (test_ipsec tunnel) ------ 10.50.5.10 (RDP server).

2023-04-17 11:59:21 id=20085 trace_id=8317 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, 172.16.72.193:55639->10.50.5.10:3389) from port10. flag [S], seq 3001991930, ack 0, win 64240" <----- FortiGate received TCP traffic from the PC towards the server. Flag [S] indicates this is a SYN packet.

2023-04-17 11:59:21 id=20085 trace_id=8317 func=init_ip_session_common line=5898 msg="allocate a new session-1c1cde89"
2023-04-17 11:59:21 id=20085 trace_id=8317 func=vf_ip_route_input_common line=2621 msg="find a route: flag=00000000 gw-10.50.5.10 via port2"
2023-04-17 11:59:21 id=20085 trace_id=8317 func=fw_forward_handler line=799 msg="Allowed by Policy-12"  <-----Traffic was allowed by FortiGate.
2023-04-17 11:59:21 id=20085 trace_id=8317 func=ipd_post_route_handler line=490 msg="out port2 vwl_zone_id 0, state2 0x1, quality 0."
2023-04-17 11:59:21 id=20085 trace_id=8317 func=ipsecdev_hard_start_xmit line=789 msg="enter test_ipsec"
2023-04-17 11:59:21 id=20085 trace_id=8317 func=_ipsecdev_hard_start_xmit line=666 msg="IPsec tunnel-test_ipsec"
2023-04-17 11:59:21 id=20085 trace_id=8317 func=esp_output4 line=898 msg="IPsec encrypt/auth"
2023-04-17 11:59:21 id=20085 trace_id=8317 func=ipsec_output_finish line=618 msg="send to 180.179.6.83 via intf-test_ipsec"
2023-04-17 11:59:21 id=20085 trace_id=8318 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6,172.16.72.193:55639->10.50.5.10:3389) from port10. flag [.], seq 3001991931, ack 3746332660, win 259" 

 

FortiGate then received a packet for the same session with flag [.], which is a plain ACK, in the original (client-to-server) direction. Because the session was still in the syn_sent state, the next packet FortiGate expected was the server's reply with flag [S.], a SYN-ACK.

2023-04-17 11:59:21 id=20085 trace_id=8318 func=resolve_ip_tuple_fast line=5808 msg="Find an existing session, id-1c1cde89, original direction"
2023-04-17 11:59:21 id=20085 trace_id=8318 func=tcp_anti_reply line=1033 msg="org dir, ack in state syn_sent, suspicious"
2023-04-17 11:59:21 id=20085 trace_id=8318 func=ip_session_core_in line=6455 msg="anti-replay check fails, drop" <----- The packet is dropped because FortiGate was expecting flag [S.], which means a SYN-ACK packet.
2023-04-17 11:59:21 id=20085 trace_id=8319 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, 172.16.72.193:55639->10.50.5.10:3389) from port10. flag [.], seq 3001991931, ack 3746332660, win 259"
2023-04-17 11:59:21 id=20085 trace_id=8319 func=resolve_ip_tuple_fast line=5808 msg="Find an existing session, id-1c1cde89, original direction"

 

In this case, FortiGate drops the packet, and this is expected behaviour: it never saw the SYN-ACK for the session.

Per the TCP three-way handshake, once the client's SYN has been forwarded the session is in the syn_sent state and stays there until the server's SYN-ACK arrives. An ACK from the client in that state means the SYN-ACK reached the client by a path that did not pass through the FortiGate, so the firewall cannot validate it.
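The following script is an added example, not code from the article or from Fortinet. It parses flow debug lines of the shape shown above, rebuilds the per-session handshake state the article describes (SYN seen in the original direction gives syn_sent, SYN-ACK in the reply direction moves it on, and a plain ACK in the original direction while still in syn_sent is the suspicious case), and reports every trace_id where that happens. The regular expressions, the state names, the `deadbeef` healthy handshake appended for contrast and the `analyze`/`parse_trace`/`track_sessions` function names are my own assumptions about the log format, not FortiOS internals; it is useful for scanning a long capture for the pattern rather than reading it by eye.

```python
import re

# Constructed sample input: the flow-trace lines from the article above
# (session 1c1cde89, trace_id 8317-8319), followed by a constructed healthy
# handshake (session deadbeef, trace_id 9001-9003) for contrast.
SAMPLE_LOG = """\
2023-04-17 11:59:21 id=20085 trace_id=8317 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, 172.16.72.193:55639->10.50.5.10:3389) from port10. flag [S], seq 3001991930, ack 0, win 64240"
2023-04-17 11:59:21 id=20085 trace_id=8317 func=init_ip_session_common line=5898 msg="allocate a new session-1c1cde89"
2023-04-17 11:59:21 id=20085 trace_id=8317 func=fw_forward_handler line=799 msg="Allowed by Policy-12"
2023-04-17 11:59:21 id=20085 trace_id=8318 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6,172.16.72.193:55639->10.50.5.10:3389) from port10. flag [.], seq 3001991931, ack 3746332660, win 259"
2023-04-17 11:59:21 id=20085 trace_id=8318 func=resolve_ip_tuple_fast line=5808 msg="Find an existing session, id-1c1cde89, original direction"
2023-04-17 11:59:21 id=20085 trace_id=8319 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, 172.16.72.193:55639->10.50.5.10:3389) from port10. flag [.], seq 3001991931, ack 3746332660, win 259"
2023-04-17 11:59:21 id=20085 trace_id=8319 func=resolve_ip_tuple_fast line=5808 msg="Find an existing session, id-1c1cde89, original direction"
2023-04-17 12:00:01 id=20085 trace_id=9001 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:40000->10.0.0.9:22) from port10. flag [S], seq 1000, ack 0, win 64240"
2023-04-17 12:00:01 id=20085 trace_id=9001 func=init_ip_session_common line=5898 msg="allocate a new session-deadbeef"
2023-04-17 12:00:01 id=20085 trace_id=9002 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, 10.0.0.9:22->10.0.0.5:40000) from port2. flag [S.], seq 5000, ack 1001, win 65535"
2023-04-17 12:00:01 id=20085 trace_id=9002 func=resolve_ip_tuple_fast line=5808 msg="Find an existing session, id-deadbeef, reply direction"
2023-04-17 12:00:01 id=20085 trace_id=9003 func=print_pkt_detail line=5727 msg="vd-root:0 received a packet(proto=6, 10.0.0.5:40000->10.0.0.9:22) from port10. flag [.], seq 1001, ack 5001, win 259"
2023-04-17 12:00:01 id=20085 trace_id=9003 func=resolve_ip_tuple_fast line=5808 msg="Find an existing session, id-deadbeef, original direction"
"""

# Message text copied from the article's log; used to label findings.
SUSPICIOUS_MSG = "org dir, ack in state syn_sent, suspicious"
DROP_MSG = "anti-replay check fails, drop"

# Assumed line shapes (from the sample above): the print_pkt_detail line gives
# the 5-tuple, ingress interface and tcpdump-style flags; the session line
# gives the session id and, for existing sessions, the direction.
PKT_RE = re.compile(
    r'trace_id=(?P<trace>\d+) .*?received a packet\(proto=6,\s*'
    r'(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) '
    r'from (?P<iface>\S+)\. flag \[(?P<flags>[^\]]*)\]'
)
SESS_RE = re.compile(
    r'trace_id=(?P<trace>\d+) .*?msg="(?:allocate a new session-(?P<new>[0-9a-f]+)'
    r'|Find an existing session, id-(?P<old>[0-9a-f]+), (?P<dir>original|reply) direction)'
)


def parse_trace(log_text):
    """Group the lines of each trace_id into one packet record."""
    traces = {}
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            t = traces.setdefault(m["trace"], {})
            t.update(src=m["src"], dst=m["dst"], iface=m["iface"], flags=m["flags"])
            continue
        m = SESS_RE.search(line)
        if m:
            t = traces.setdefault(m["trace"], {})
            if m["new"]:
                # A freshly allocated session is by definition the original direction.
                t.update(session=m["new"], direction="original")
            else:
                t.update(session=m["old"], direction=m["dir"])
    # Keep only traces that reached session lookup, in log order.
    return [dict(trace=k, **v) for k, v in traces.items() if "flags" in v and "session" in v]


def track_sessions(packets):
    """Replay the handshake per session; flag an ACK in original direction during syn_sent."""
    state = {}
    findings = []
    for p in packets:
        sid, flags, direction = p["session"], p["flags"], p["direction"]
        is_syn = flags == "S"
        is_syn_ack = flags == "S."
        is_ack = "S" not in flags and "." in flags  # ".", "P.", etc.
        cur = state.get(sid, "none")
        if cur == "none" and is_syn and direction == "original":
            state[sid] = "syn_sent"
        elif cur == "syn_sent" and is_syn_ack and direction == "reply":
            state[sid] = "syn_received"
        elif cur == "syn_received" and is_ack and direction == "original":
            state[sid] = "established"
        elif cur == "syn_sent" and is_ack and direction == "original":
            # The SYN-ACK never passed through this firewall: the article's case.
            findings.append({"trace": p["trace"], "session": sid, "iface": p["iface"],
                             "msg": SUSPICIOUS_MSG, "action": DROP_MSG})
        # Other combinations (retransmits, RST, data) are left untouched here.
    return state, findings


def analyze(log_text):
    return track_sessions(parse_trace(log_text))


if __name__ == "__main__":
    states, findings = analyze(SAMPLE_LOG)
    for f in findings:
        print(f"trace_id={f['trace']} session={f['session']} from {f['iface']}: {f['msg']} -> {f['action']}")
    for sid, st in states.items():
        print(f"session {sid}: final state {st}")
```

Run it against a saved `diagnose debug flow` capture instead of `SAMPLE_LOG` to list every session that hit the suspicious ACK; a session that ends in `syn_sent` with findings on the ingress interface facing the client, and no `reply direction` packet at all, is the signature of the server's SYN-ACK taking a path that bypasses the FortiGate.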

 

As a workaround, disable anti-replay on the firewall policy so the traffic is allowed.

For a permanent fix, check the network for asymmetric routing, since the ACK arriving before the SYN-ACK means the server's reply is returning over a path that does not pass through the FortiGate.

 

Related documents:

Technical Tip: Anti-Replay option support per-policy

Technical Tip: How the FortiGate behaves when asymmetric routing is enabled

Debugging the packet flow