Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Nihas
New Contributor

Syn - Syn-Ack Rst

Hi I have a internal network which I have NATED with ( using a different firewall) a public IP and allowed the same in Fortigate.

 

Network --->Other Firewall NAT--> Forigate.

 

Fortigate rule is like  -Source -- NATED IP

Destination - Any

Service - http /https

 

The problem is the internal machines are not able to connect to the outside network ( in my case http/https).

when I sniff the packet I got the output like below.

 

syn -- syn ack -- and immediately client sends reset.

 

7.252024 amc-sw1/2 out 203.XX.205.XX.11049 -> 115.112.5.6.80: syn 1627055449

7.268554 amc-sw1/2 in 115.112.5.6.80 -> 203.XX1.205.XX.11049: syn 3001641008 ack 1627055450 7.268576 amc-sw1/2 out 203.XX.205.XX.11049 -> 115.112.5.6.80: rst 1627055450

 

Can anyone help me to sort this out? What could be the problem here causing the reset?

 

thanks

Nihas

 

Nihas [\b]
Nihas [\b]
2 REPLIES 2
emnoc
Esteemed Contributor III

I would diag debug flow matching the client and port, inspect the firewall policy for ips-sensor , ssl-inspections etc..

 

Your flow captures looks like a client is in AWS and this traffic is coming inbound. Is this not correct? if so I would assume the web-server is hidden been the other firewall (FORTIGATE ) and you would have a DNAT or PORT-forwrd .

 

Can you confirm is this is the case? or provide a topology?

 

e.g

 

(client __  internet ------>Network --->Other Firewall NAT--> Forigate )

 

 

And lastly if my suspicions is correct, can you provide the vip-config and  firewall policy config?

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Nihas
New Contributor

Thanks Emnoc and Sorry for the late reply.

Your flow captures looks like a client is in AWS and this traffic is coming inbound. Is this not correct? if so I would assume the web-server is hidden been the other firewall (FORTIGATE ) and you would have a DNAT or PORT-forwrd .

There is a slight difference in the scenario. We have a client who has a dedicated firewall ( Palo Alto) and is directly connected to the external firewall which is a Fortigate  one. ie,The gateway of PALO ALTO is our Forigate firewall.

Connectivity is just like below  Machines ( NATED with PA interface IP,ie 203.XX.205.XX-) --->Palo Alto-->Eth0( 203.XX.205.XX--this is a public IP) -->Fortigate  ( No NAT, Policy Source- 203.XX.205.XX-& Destination Any)--> Internet Router-->Internet

 

I found out the reason for the unusual TCP hand shake, the reason behind the issue is there was another policy in place which was using the same public IP ( 203.XX.205.XX)  as a NAT IP ( IP pool) in Fortigate.

 

The issue got fixed by removing the pool IP from the particular rule and deleted the same, 

In simple words  there was an IP conflict in the network. One was being used for NAT and the  same was using in palo alto interface as well.

:)

 

 

Nihas [\b]
Nihas [\b]
Labels
Top Kudoed Authors