FortiGate
kkhushdeep
Staff
Article Id 330084
Description This article describes troubleshooting steps for the entry 'action=client-rst' that may be seen in the forward-traffic logs when a client fails to reach some websites or servers.
Scope FortiGate.
Solution

The value 'client-rst' in the action field of a traffic log means that the client side of the session (the session originator, not FortiGate) sent a TCP reset packet to close the connection.

 

For example: 

 

time=2024-03-03 12:40:57 epid=229 euid=3 data_parsername=FortiGate Log Parser v2 data_sourceid=FGtxxxxxxxxx data_sourcename=FGT01-FW root data_sourcetype=FortiGate data_timestamp=16780 app_cat=unscanned app_name=HTTP app_service=HTTP dst_geo=Reserved dst_intf=vlan10 dst_ip=10.1.x.x dst_mac=00:0c:xx:xx:12:2d dst_port=80 event_action=client-rst event_id=13 event_severity=notice event_subtype=forward event_type=traffic host_hwvendor=Samsung host_hwver=S host_ip=10.3.x.x host_location=Reserved host_mac=xx:xx:xx:xx:cf:b1 host_osfamily=Galaxy host_osname=Android host_osver=9 host_type=Phone net_proto=6 net_rcvdpkts=1 net_recvbytes=48 net_sentbytes=128 net_sentpkts=3 net_sessionduration=5 net_sessionid=28321 src_geo=Reserved src_intf=vlan20 src_ip=10.3.x.x src_mac=xx:xx:xx:xx:cf:b1 src_port=457 itime_t=16778 

 

In other words, the client device sent a TCP reset (RST) towards the server and closed the session abruptly. In the example above, the client sent 3 packets (net_sentpkts=3) and received only 1 (net_rcvdpkts=1) over a session lasting 5 seconds (net_sessionduration=5), which is consistent with a client that retried and then gave up waiting for the server.

 

There can be many reasons for a reset from the client: network connectivity issues, an application on the client closing the socket, or a timeout while the client waits for a response from the destination server (for example, when its SYN or request is never answered).
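The triage described above, written as a small log parser and heuristic (an added example, not code from the article or from Fortinet): it parses key=value traffic-log lines of the shape shown earlier, keeps the client-rst entries and separates sessions where the server barely answered (few net_rcvdpkts while the client kept sending) from sessions reset after a two-way exchange. The sample lines, the IP addresses and the thresholds in classify() are constructed assumptions for illustration.

```python
import re

# Constructed sample log lines (not taken from a live device). The first mirrors
# the entry shown above; the other two are made up so that each branch of the
# heuristic is exercised.
SAMPLE_LOGS = [
    "time=2024-03-03 12:40:57 data_sourcename=FGT01-FW root app_name=HTTP dst_ip=10.1.0.5 "
    "dst_port=80 event_action=client-rst net_proto=6 net_rcvdpkts=1 net_recvbytes=48 "
    "net_sentbytes=128 net_sentpkts=3 net_sessionduration=5 net_sessionid=28321 "
    "src_ip=10.3.0.7 src_port=457",
    "time=2024-03-03 12:41:10 data_sourcename=FGT01-FW root app_name=HTTPS dst_ip=10.1.0.9 "
    "dst_port=443 event_action=client-rst net_proto=6 net_rcvdpkts=41 net_recvbytes=52000 "
    "net_sentbytes=3100 net_sentpkts=27 net_sessionduration=12 net_sessionid=28322 "
    "src_ip=10.3.0.7 src_port=458",
    "time=2024-03-03 12:41:12 data_sourcename=FGT01-FW root app_name=HTTP dst_ip=10.1.0.5 "
    "dst_port=80 event_action=close net_proto=6 net_rcvdpkts=9 net_recvbytes=6200 "
    "net_sentbytes=900 net_sentpkts=8 net_sessionduration=3 net_sessionid=28323 "
    "src_ip=10.3.0.8 src_port=459",
]

# Split only on whitespace that is immediately followed by the next key=; this
# keeps values that themselves contain spaces (time, data_sourcename) intact.
KEY_BOUNDARY = re.compile(r"\s+(?=[A-Za-z_]\w*=)")


def parse_log(line: str) -> dict:
    """Turn one key=value traffic-log line into a dict of string fields."""
    fields = {}
    for token in KEY_BOUNDARY.split(line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value.strip('"')
    return fields


def classify(fields: dict) -> str:
    """Heuristic triage (an assumption for this example, not a FortiGate rule).

    net_sentpkts/net_rcvdpkts are counted from the session originator, so a
    client-rst session in which the server returned at most one packet while
    the client kept sending points at a server or path that never answered;
    a reset after a two-way exchange points at the client application instead.
    """
    if fields.get("event_action") != "client-rst":
        return "not-client-rst"
    sent = int(fields.get("net_sentpkts", 0))
    rcvd = int(fields.get("net_rcvdpkts", 0))
    if rcvd <= 1 and sent >= 2:
        return "no-server-response"
    return "app-abort"


def triage(lines):
    """Return (session id, client, server:port, verdict) for every client-rst entry."""
    out = []
    for line in lines:
        f = parse_log(line)
        verdict = classify(f)
        if verdict != "not-client-rst":
            out.append((f["net_sessionid"], f["src_ip"],
                        f"{f['dst_ip']}:{f['dst_port']}", verdict))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LOGS):
        print(row)
```

Run it over an export of the forward-traffic log filtered on action=client-rst; sessions that come back as no-server-response are the ones worth capturing with the sniffer and debug flow procedure later in this article, while app-abort sessions usually need a look at the client application first.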

 

Note:

Disable auto-asic-offload (set auto-asic-offload disable) in the firewall policy that matches this traffic before taking the capture. Sessions offloaded to the NP processor bypass the kernel, so they do not show up in the sniffer or debug flow output.

 

Try enabling timeout-send-rst (set timeout-send-rst enable) in the firewall policy that matches this traffic, so that FortiGate sends a TCP RST to both ends when the session times out instead of leaving the endpoints with a half-open connection.

 

For more information on timeout-send-rst, see this KB article: Technical Tip: Configure the FortiGate to send TCP RST packet on session timeout

 

If the PCAP shows many retransmissions coming from the destination, large segments may be silently dropped somewhere on the path because the path MTU is smaller than the endpoints assume; lowering the TCP MSS on the policy may be a viable solution.


For more information on MSS clamping, see this KB article: Technical Tip: Setting TCP MSS value

To verify that this is an MTU issue, ping the destination IP address from a Windows machine with the Don't Fragment flag set (-f) and a large payload:

ping x.x.x.x -f -l 1460 -n 100

Without -f the probe is fragmented and succeeds regardless of the path MTU. Adjust (increase or decrease) the -l size until the largest payload that is echoed back without 'Packet needs to be fragmented but DF set' is found. That payload plus 28 bytes (IPv4 header plus ICMP header) is the path MTU, and the MSS to set in the policy is the path MTU minus 40 bytes (IPv4 plus TCP headers), i.e. the largest working payload minus 12. For example, a maximum payload of 1472 means a path MTU of 1500 and an MSS of 1460. Set that value in the firewall policy as shown below:


config firewall policy
    edit <policy number>
        set tcp-mss-sender <mss>
        set tcp-mss-receiver <mss>
    next
end

A value of 0 (the default) disables MSS clamping in that direction, so both settings must carry the calculated value.
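The MTU test and MSS calculation above, carried through as a binary search instead of manual trial and error (an added example, not code from the article or from Fortinet). find_max_payload() takes a probe callback so it can be exercised offline; windows_df_ping() is the real probe and assumes Windows ping semantics (-f for DF, 'needs to be fragmented' in the output when DF blocks the probe). The default search range, the placeholder destination and the IPv4-only header overheads are assumptions.

```python
import subprocess
from typing import Callable, Optional

# Header overheads for IPv4 without IP or TCP options (assumption: IPv4 path;
# an IPv6 path adds 20 bytes to each figure).
IPV4_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header
IPV4_TCP_OVERHEAD = 40    # 20-byte IPv4 header + 20-byte TCP header


def windows_df_ping(target: str, payload: int) -> bool:
    """Real probe: one Windows ping with DF set and `payload` bytes of data.

    Assumption: Windows ping reports 'needs to be fragmented' when DF blocks
    the probe; a non-zero exit code covers the plain no-reply case.
    """
    result = subprocess.run(
        ["ping", "-n", "1", "-f", "-l", str(payload), target],
        capture_output=True, text=True, check=False,
    )
    return result.returncode == 0 and "needs to be fragmented" not in result.stdout


def find_max_payload(probe: Callable[[int], bool],
                     lo: int = 500, hi: int = 1472) -> Optional[int]:
    """Binary-search the largest ICMP payload that is echoed back with DF set.

    `probe(size)` must return True when a DF ping of that size succeeds.
    Returns None when even `lo` fails, which usually means ICMP is filtered
    rather than an MTU problem, so the MSS should not be lowered on that basis.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid works: the answer is mid or larger
        else:
            hi = mid - 1      # mid fails: the answer is smaller than mid
    return lo


def mss_for_payload(max_payload: int) -> int:
    """Translate the largest working ICMP payload into the MSS for the policy."""
    path_mtu = max_payload + IPV4_ICMP_OVERHEAD
    return path_mtu - IPV4_TCP_OVERHEAD


def policy_cli(policy_id: int, mss: int) -> str:
    """Render the FortiGate CLI that clamps MSS in both directions on one policy."""
    return "\n".join([
        "config firewall policy",
        f"    edit {policy_id}",
        f"        set tcp-mss-sender {mss}",
        f"        set tcp-mss-receiver {mss}",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.1.0.5"  # placeholder destination
    best = find_max_payload(lambda size: windows_df_ping(target, size))
    if best is None:
        print("no DF ping succeeded; check ICMP filtering before lowering the MSS")
    else:
        mtu = best + IPV4_ICMP_OVERHEAD
        print(f"max payload {best} -> path MTU {mtu} -> MSS {mss_for_payload(best)}")
        print(policy_cli(1, mss_for_payload(best)))
```

On Linux the equivalent probe is ping -M do -s <size> -c 1 <target>; only windows_df_ping() needs to change. A result of 1472 (MSS 1460) means the path carries full 1500-byte packets and the retransmissions have another cause.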

 

To troubleshoot further, capture the TCP stream while the problem is reproduced. Collect the outputs of the following debug flow commands and sniffer capture, run in two separate CLI sessions, to see where and why packets are being dropped and whether FortiGate itself is involved.
 
CLI session 1 (for example PuTTY), debug flow:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow show function-name enable
diagnose debug flow show iprope enable
diagnose debug flow filter addr x.x.x.x      <------ Replace x.x.x.x with the destination IP of the communication.
diagnose debug flow trace start 100000
diagnose debug enable
 
 

CLI session 2, packet capture:

diagnose sniffer packet any "host x.x.x.x" 6 0 a      <------ Replace x.x.x.x with the destination IP of the communication.

Here 6 is the verbosity level (headers, payload and interface names, which can later be converted to a pcap), 0 means no packet-count limit, and a prints absolute timestamps. Press Ctrl+C to stop the capture.

 
After starting both sessions, initiate the traffic to the destination and reproduce the blocked/disconnected access. Once the failure has been reproduced, stop the capture with Ctrl+C and stop the debug flow trace with the following commands:

diagnose debug disable
diagnose debug reset