Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HS08
New Contributor II

Application Not Working

Hello,

I troubleshoot for an application which this application cannot running, when i see on fortigate log i can see many record with result 'Accept(Start)' but not traffic counted.

Anyone know why this record not showing traffic counted?

 

Capture.JPG

3 REPLIES 3
rosatechnocrat
Contributor II

@HS08 Accept(Start) is recorded when initial syn or first packet is received.  But if there is no response back from the server or destination the action may not be changed. 

 

>> Try to add column received bytes in logs and see if there is response traffic from destination.
>> Issue could be because of routing or destination server not replying. 

>> Can also be confirmed by taking capture. 

diag sniffer packet any 'host 149.34.253.165 and host 10.100.50.141' 4 0 

 

For your reference only: 

 

- action start is for the start of session (icmp or udp or TCP)
- action accept is for the end of an icmp or udp (unicast) session
- action close is for the end of tcp session closed with a fin/fin-ack (and I suppose it is a same with a rst)
- action timeout is for the end of a tcp session which is closed because it was idle

Rosa Technocrat -- Also on YouTube---Please do Subscribe
Rosa Technocrat -- Also on YouTube---Please do Subscribe
srajeswaran
Staff
Staff

I think you have enabled "Generate Logs when Session Starts" under the firewall policy. With this setting there will be a log as soon as the session is initiated and there won't be any traffic data. The traffic data sent/receive will be coming in upcoming logs (session close if the session is closed with in 2 minutes or the delata logs if the session is longer than 2 minutes).

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-the-session-to-start-logging...

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
vsahu
Staff
Staff

Hello HS08,

 

The session start is just the info regarding the session has started, if you open the same log you'll see a session Id, Filter the logs using that and you'll be able to see the same session two logs one as session start and one with the data count.

The status field has the following value:
▶ start: the traffic session started
▶ accept: the normal traffic is pass-through
▶ deny: the normal traffic is denied by firewall policy, (not utm proflie)
▶ close/timeout: the traffic session finished
However, there are some different meanings between close and timeout.
the close occurs when traffic sessions are finished normally.
Otherwise, the HTTPS/SSH requests went to the destination but did not receive - reply, thus timeout occurred.

When log traffic-start is disabled you will only see status=close/timeout for the TCP session (it will not show the start of the session)
The start logs will only generate when logtraffic-start is enabled and it's a per policy configuration.

configure firewall policy
edit <policy_id>
set logtraffic-start enable
next

Regards,
Vishal
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors