Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
oamin
Staff
Staff

Created on ‎04-08-2015 08:45 AM Edited on ‎07-22-2025 03:30 AM By Moderator

Article Id 190880

Troubleshooting Tip: How to troubleshoot the 'No Session Matched' error

Description


This article describes that the error 'No Session Matched' will appear in debug flow logs when there is no session in the session table for that packet.

The session has been removed from FortiGate, hence the traffic cannot be matched.

 

Possible reasons for this error will be listed below.

 

Scope

 

FortiGate.

 

Solution

 

Scenario 1.
One possible reason for 'No Session Matched' is that the session was closed according to the 'tcp-halfclose-timer' before all data had been sent for that session.


id=13 trace_id=101 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=6, 172.16.189.1:63620->172.16.199.100:8888) from lan."
id=13 trace_id=101 func=vf_ip4_route_input line=1603 msg="find a route: gw-172.16.199.100 via lan"
id=13 trace_id=101 func=fw_forward_dirty_handler line=309 msg="no session matched"


tcp-halfclose-timer:
These settings define how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded.

The valid range is from 1 to 86400 seconds.

By default in FortiOS, tcp-halfclose-timer is 120 seconds.

This option can be configured at the global level or the firewall service:


config system global
    set tcp-halfclose-timer <integer>


Steps on how to extend the TCP half-close timer for port 8888. This is the ports observed in the logs above.

 

  1. Create a custom firewall service for TCP port 8888. Set the expected tcp-halfclose-timer for the new custom service.


config firewall service custom
    edit "TCP-8888"
        set tcp-portrange 8888
        set tcp-halfclose-timer 3600
    next
end

 

  1. Use this custom service in all relevant policies:

     

config firewall policy
    edit 55
        set srcintf "lan"
        set dstintf "port7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "TCP-8888"
        set logtraffic all
    next
end


The tcp-halfclose-timer will be applied to the session and therefore applied regardless of which end initiates the half-close.

Note:

The TCP half-close timer can be changed for other ports on the FortiGate as well. For example, below, it is possible to find the configuration change for the HTTPS service:

 

config firewall service custom
    edit "HTTPS"
        set tcp-portrange 443
        set tcp-halfclose-timer 3600
    next
end

 

This service can be added to the right firewall policies as per user requirements. 

 

Scenario 2.

Another possible reason is asymmetric traffic, where the FortiGate does not receive a SYN packet, resulting in the firewall blocking those packets due to the absence of a matching session.

 

Scenario 3.

In a sniffer captured with the destination as a filter, it is observed: 

 

--need to frag(mtu1450)

 

Change the value of 'set tcp-mss-sender' and 'set tcp-mss-receiver'.

 

config firewall policy
    edit x
        set tcp-mss-sender 1200
        set tcp-mss-receiver 1200
end

 

This value can differ depending on the network infrastructure.

 

Related articles:

Technical Tip: Enabling logging of 'no session matched' in FortiGate traffic log

Technical Tip: How to optimize memory by using session timers 

Labels:
46622
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.