Fortinet Forum
Not applicable

VIP redirect doesn't release connection? (200a)

I also set up a trouble ticket: 46329 (last Friday, and nothing on that yet - so I thought I would post the question here).

I have a service running on one of my DMZs. This service was provided to us by a library automation vendor, and thus I do not have control over how the service uses TCP/IP. In my case this service runs on Windows 2003. I know of another case where the same thing happens, and the service runs on Linux (this person also runs a 200a). In other words, this problem is OS independent, although the vendor programmed this service in Java.

Now, I have a Virtual IP performing a dynamic redirect port to port: webip:210 -> 172.16.8.13:210 service 210. This works fine, for about a day. After the day is complete, the service no longer works. I do a netstat -an on the Windows 2003 box - lo and behold, the majority of the connections to port 210 ARE STILL ESTABLISHED. Some are in various states of closure.

I updated the FortiOS from 2.80R8 to R10: still no change in behaviour. I am currently unable to connect a packet capture device to the subnet that this problem occurs on, but I can say that it has something to do with TCP resets. My peer on the Linux box mentioned the following: "What I see on my server is a pattern of RST packets (rather than FIN) that aren't clearing the sessions on the server." This, however, isn't clear on who is sending the RSTs.

I modified part of the FortiGate's config, such as modifying the tcp-halfclose timer and the timeout commands on specific ports - to no avail. Ideas, please?

Many thanks in advance, Peter
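One way to quantify the symptom described above (sessions on port 210 piling up in ESTABLISHED while the VIP stops working) is to parse the `netstat -an` output by state; this is an added example, not code from the poster or from Fortinet, and the netstat lines below are constructed sample input using documentation addresses, not a capture from the poster's server.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not captured from the
# poster's server). 172.16.8.13 is the DMZ host named in the post; the
# 203.0.113.x / 198.51.100.x peers are documentation addresses.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:210            0.0.0.0:0              LISTENING
  TCP    172.16.8.13:210        203.0.113.10:41002     ESTABLISHED
  TCP    172.16.8.13:210        203.0.113.11:41010     ESTABLISHED
  TCP    172.16.8.13:210        203.0.113.12:41033     ESTABLISHED
  TCP    172.16.8.13:210        203.0.113.13:41040     CLOSE_WAIT
  TCP    172.16.8.13:210        203.0.113.14:41051     FIN_WAIT_2
  TCP    172.16.8.13:3389       198.51.100.7:50210     ESTABLISHED
"""

# Matches one TCP line: local addr:port, foreign addr:port (or *), state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, state) for each TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), m.group(5)


def state_counts(text, port):
    """Count sessions on the given local port by TCP state, ignoring the listener."""
    counts = Counter()
    for _, lport, _, state in parse_netstat(text):
        if lport == port and state != "LISTENING":
            counts[state] += 1
    return counts


def looks_leaky(counts, max_established):
    """True when more sessions sit in ESTABLISHED than the service should need.

    max_established is a threshold you choose from the service's normal load;
    the post gives no figure, so the value is an assumption.
    """
    return counts.get("ESTABLISHED", 0) > max_established
```

Running this against a snapshot taken every few hours shows whether the ESTABLISHED count keeps climbing on the server side, which separates a server-side session leak from a firewall-side session expiry.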
Darune
New Contributor

Just a really quick guess, but do you have IPS on? Seems to be a cause of more than a few strange problems like this.
Not applicable

Just a really quick guess, but do you have IPS on? Seems to be a cause of more than a few strange problems like this.
Not that I am aware of. Is IPS turned on "globally", or is it set on a per-rule basis in the firewall config? If it is per rule, then no - I did not activate the "protection profile" for that rule. Is there a way to turn off IPS on a per-port basis? Thanks!
Darune
New Contributor

IPS is set in each protection profile, and since you said you weren't using any, IPS should be in the clear.