I also set up a trouble ticket: 46329 (last Friday, and nothing on that yet - so I thought I would post the question here).
I have a service running on one of my DMZs. This service was provided to us by a library automation vendor, and thus I do not have control over how the service uses TCP/IP. In my case this service runs on Windows 2003. I know of another case where the same thing happens, and the service runs on Linux (this person also runs a 200a). In other words, this problem is OS independent, although the vendor programmed this service in Java.
Now, I have a Virtual IP performing a dynamic redirect port to port: webip:210 -> 172.16.8.13:210 service 210. This works fine, for about a day. After the day is complete, the service no longer works. I do a netstat -an on the Windows 2003 box - lo and behold, the majority of the connections to port 210 ARE STILL ESTABLISHED. Some are in various states of closure.
I updated the FortiOS: 2.80R8 to R10: still no change in behaviour. I am currently unable to connect a packet capture device to the subnet that this problem occurs on, but I can say that it has something to do with TCP resets. My peer on the Linux box mentioned the following:
"What I see on my server is a pattern of RST packets (rather than FIN) that
aren't clearing the sessions on the server."
This, however, isn't clear on who is sending the RSTs. I modified part of the Forti device's config, such as modifying the tcp-halfclose timer and the timeout commands on specific ports - to no avail.
Many thanks in advance,
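The diagnostic step in the post above is a `netstat -an` on the server showing most port-210 connections still ESTABLISHED a day later. The script below is an added example (not from the poster or from Fortinet) that turns that raw listing into the numbers you actually want when comparing against the firewall's session table: how many connections sit in each TCP state for the service port, and which remote hosts are holding several ESTABLISHED connections open at once. The sample `netstat` output is constructed in the Windows `Proto / Local Address / Foreign Address / State` layout; the addresses and states are made up, and port 210 is taken from the post.

```python
import re
import subprocess
import sys
from collections import Counter

# Constructed sample of `netstat -an` output (Windows layout). Not captured
# from the poster's server; it just reproduces the pattern the thread
# describes: many ESTABLISHED entries on :210 next to a few closing states.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:210            0.0.0.0:0              LISTENING
  TCP    172.16.8.13:210        10.1.4.20:51234        ESTABLISHED
  TCP    172.16.8.13:210        10.1.4.20:51235        ESTABLISHED
  TCP    172.16.8.13:210        10.1.7.9:40022         ESTABLISHED
  TCP    172.16.8.13:210        10.1.7.9:40023         CLOSE_WAIT
  TCP    172.16.8.13:210        10.2.0.14:33011        FIN_WAIT_2
  TCP    172.16.8.13:210        10.2.0.14:33012        ESTABLISHED
  TCP    172.16.8.13:3389       10.9.9.9:60001         ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# One TCP line: local addr:port, remote addr:port, state. The greedy \S+ also
# copes with bracketed IPv6 locals such as [::]:210.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_tcp_lines(text):
    """Yield one dict per TCP connection line; headers, UDP and blanks are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["lport"] = int(d["lport"])
            yield d


def summarize_port(text, port):
    """Count connection states for one local port (the LISTENING socket is excluded)."""
    counts = Counter()
    for conn in parse_tcp_lines(text):
        if conn["lport"] == port and conn["state"] != "LISTENING":
            counts[conn["state"]] += 1
    return counts


def peers_with_many_established(text, port, threshold=2):
    """Remote hosts holding at least `threshold` ESTABLISHED connections to the port.

    A client that should be re-using one connection but shows several open
    ones is a good place to start when working out which side never closed.
    """
    per_peer = Counter()
    for conn in parse_tcp_lines(text):
        if conn["lport"] == port and conn["state"] == "ESTABLISHED":
            per_peer[conn["raddr"]] += 1
    return {peer: n for peer, n in per_peer.items() if n >= threshold}


def load_netstat(path=None):
    """Read a saved netstat dump, or run `netstat -an` if no file is given."""
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return subprocess.run(["netstat", "-an"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Usage: python netstat_states.py [dump.txt] [port]
    dump = load_netstat(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NETSTAT
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 210
    for state, n in summarize_port(dump, port).most_common():
        print(f"{state:<12} {n}")
    for peer, n in peers_with_many_established(dump, port).items():
        print(f"peer {peer} holds {n} ESTABLISHED connections to :{port}")
```

Save a `netstat -an` dump just after the service stops answering and another from the firewall's own session list at the same moment; if the server still counts a connection as ESTABLISHED that the FortiGate has already expired (for instance after its tcp-halfclose or session timeout fires), the RSTs seen on the wire are the firewall answering packets for a session it no longer knows, and the server side is the one left holding state.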
Just a really quick guess, but do you have IPS on? Seems to be a cause of more than a few strange problems like this.
Not that I am aware of. Is IPS turned on "globally" or is it set on a per-rule basis in the firewall config? If it is per rule, then no - I did not activate the "protection profile" for that rule. Is there a way to turn off IPS on a per-port basis?