Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jirka1
Contributor III

Destination Interface unknown-0

Hello experts,

today we deployed FGT200E to part of the network. We terminated two parts of the network - vlan666 and vlan777 - both networks are WiFi and both have DHCP on FGT. DNS is Google DNS Everything works ok, only in the log we have very often a message: Deny-policy violation - dst iface unknow-0. Although it is legitimate traffic to be routed to the internet. No BGP or OSPF is used, NAT is performed on an IP pool on a public IP address.

 

config firewall policy
    edit 26
        set name "UINIFI Guest->WAN"
        set uuid 671a3c32-e734-51e8-b9c2-43cbdf86ab1f
        set srcintf "VLAN777"
        set dstintf "wan1"
        set srcaddr "UNIFI Guest"
        set dstaddr "all"
        set internet-service disable
        set internet-service-src disable
        set rtp-nat disable
        set learning-mode disable
        set action accept
        set status enable
        set schedule "always"
        set schedule-timeout disable
        set service "ALL"
        set dscp-match disable
        set utm-status enable
        set logtraffic all
        set logtraffic-start disable
        set auto-asic-offload enable
        set permit-any-host disable
        set permit-stun-host disable
        set fixedport disable
        set ippool enable
        set poolname "NAT_UniFi_GUEST"
        set session-ttl 0
        set vlan-cos-fwd 255
        set vlan-cos-rev 255
        set wccp disable
        set fsso disable
        set disclaimer disable
        set natip 0.0.0.0 0.0.0.0
        set diffserv-forward disable
        set diffserv-reverse disable
        set tcp-mss-sender 0
        set tcp-mss-receiver 0
        set comments ''
        set block-notification disable
        set replacemsg-override-group ''
        set srcaddr-negate disable
        set dstaddr-negate disable
        set service-negate disable
        set timeout-send-rst disable
        set captive-portal-exempt disable
        set ssl-mirror disable
        set scan-botnet-connections disable
        set dsri disable
        set radius-mac-auth-bypass disable
        set delay-tcp-npu-session disable
        unset vlan-filter
        set profile-type single
        set av-profile ''
        set webfilter-profile "UniFiGuest"
        set dnsfilter-profile ''
        set spamfilter-profile ''
        set dlp-sensor ''
        set ips-sensor ''
        set application-list "UniFiGuest"
        set voip-profile ''
        set icap-profile ''
        set waf-profile ''
        set ssh-filter-profile ''
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set traffic-shaper ''
        set traffic-shaper-reverse ''
        set per-ip-shaper ''
        set nat enable
        set match-vip disable
    next
end

 

# diag debug reset
# diag debug enable
# diag debug flow filter dport 80
# diag debug flow filter saddr 10.9.8.118
# diag debug flow trace start 100


FG200E-xxx # id=20085 trace_id=1 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=1 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=2 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=2 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=3 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=3 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=3 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=4 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=4 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=4 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=5 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=5 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=5 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=6 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=6 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=6 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=7 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=7 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=7 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=8 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=8 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=8 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=9 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=9 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=10 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=10 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=11 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=11 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=12 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=12 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=12 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=13 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag , seq 3290449723, ack 0, win 65535"
id=20085 trace_id=13 func=init_ip_session_common line=5544 msg="allocate a new session-0002041f"
id=20085 trace_id=13 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=13 func=fw_forward_handler line=751 msg="Allowed by Policy-26: AV SNAT"
id=20085 trace_id=13 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=13 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=14 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369"
id=20085 trace_id=14 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=14 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN777 to wan1, skb.npu_flag=00000000 ses.state=18052306 ses.npu_state=0x00001008"
id=20085 trace_id=14 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=14 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=15 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag , seq 261364636, ack 0, win 14600"
id=20085 trace_id=15 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=15 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=16 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449724, ack 3398102609, win 1369"
id=20085 trace_id=16 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=16 func=npu_handle_session44 line=1105 msg="Trying to offloading session from VLAN777 to wan1, skb.npu_flag=00000000 ses.state=18052306 ses.npu_state=0x00001008"
id=20085 trace_id=16 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=16 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=17 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364637, ack 1997784959, win 3650"
id=20085 trace_id=17 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=17 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=18 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364637, ack 1997784959, win 3650"
id=20085 trace_id=18 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=18 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=19 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from local. flag [.], seq 261364838, ack 1997785115, win 3918"
id=20085 trace_id=19 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=19 func=__ip_session_run_tuple line=3277 msg="SNAT 10.9.8.118->62.209.xxx.xxx:53988"
id=20085 trace_id=20 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:53988->157.240.20.15:80) from VLAN777. flag [.], seq 3290449925, ack 3398102765, win 1369"
id=20085 trace_id=20 func=resolve_ip_tuple_fast line=5459 msg="Find an existing session, id-0002041f, original direction"
id=20085 trace_id=20 func=ids_receive line=285 msg="send to ips"
id=20085 trace_id=20 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=21 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=21 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=22 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=22 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=22 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=23 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=23 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=23 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=24 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=24 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=24 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=25 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=25 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=25 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=26 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=26 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=26 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=27 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=27 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=27 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=28 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=28 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=28 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=29 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=29 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=29 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=30 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=30 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=30 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=31 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=31 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=31 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=32 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=32 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=32 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=33 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54343->217.198.116.209:80) from VLAN777. flag [F.], seq 1635868461, ack 1120592158, win 1369"
id=20085 trace_id=33 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=33 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=34 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54344->217.198.116.209:80) from VLAN777. flag [F.], seq 1634481069, ack 3196904237, win 1369"
id=20085 trace_id=34 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=34 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=35 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54345->217.198.116.209:80) from VLAN777. flag [F.], seq 2171325436, ack 3457947373, win 1369"
id=20085 trace_id=35 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=35 func=fw_forward_dirty_handler line=335 msg="no session matched"
id=20085 trace_id=36 func=print_pkt_detail line=5384 msg="vd-root:0 received a packet(proto=6, 10.9.8.118:54346->217.198.116.209:80) from VLAN777. flag [F.], seq 2134362341, ack 764246789, win 1369"
id=20085 trace_id=36 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-62.209.xxx.xxx via wan1"
id=20085 trace_id=36 func=fw_forward_dirty_handler line=335 msg="no session matched"

 

I have read a few similar posts, but there is no definitive solution. Does anyone have any idea what else to check? In my opinion, this is a standard setup that always works. FortiOS 6.0.3

Thank you, Jirka

 

1 Solution
emnoc
Esteemed Contributor III

The message is informational and mean things causes destination unknown ?

 

   asymmetrical

   interface  link-state change

   routing path and protocol changes

   vpn state  changes

 

Typically something external to the firewall. It means you have a network, link or path issues

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
27 REPLIES 27
Jirka1
Contributor III

another one

Dave_Hall
Honored Contributor

What do you have assigned to srcaddr "UNIFI Guest"?

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
Jirka1

Dave Hall wrote:

What do you have assigned to srcaddr "UNIFI Guest"?

Hi Dave,

 

config firewall address edit "UNIFI Guest" set uuid 08613f64-e50f-51e8-62a8-6971ca472c8f set color 10 set subnet 10.9.8.0 255.255.254.0 next end

Jirka1
Contributor III

ok, I got information from the TAC that the problem might be in tcp-halfclose-timer. https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36429&sliceId=...

The default value is 120 seconds, so I tried to increase globally for 300 seconds. No change. What's strange is that the FGT81E in the same network with the same configuration (vlan, dhcp) behaves perfectly. Jirka

emnoc
Esteemed Contributor III

Could it be   asymmetrical routing issues?

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Jirka1
Contributor III

Hi Ken,  to asymmetric routing is no reason. Box has only one WAN line, static routing (one default route), IP addresses are allocated statically, directly linked to the our core box (ASR1001). There is no reason for such behavior. Only connections to HTTP and HTTPS are affected. Other services are normal.

 

Jirka

 

Dave_Hall
Honored Contributor

What is the type or size of the IP Pool?

 

If I recall a long while back, a similar problem where the IP pool was alternating the source address at some point that it cause the source to no longer match any firewall policies. 

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
darwin_FTNT

It could be due to asymmetric route, session expired, or fortigate just received a single tcp packet with fin flag only (the syn packet and the rest are missing).

Take note of the trace_id, it is incremented once per packet received by kernel from network card driver or local processes.

The trace_id is used to track the individual packet in 'diag debug flow' as it is processed by kernel netfilter chain / tcp stack.

Thus diag debug flow is useful to check if the packet is received by fortigate hw ports in the first place (aside from diag sniffer packet) before sent to other utm daemons (not familiar with npu offload code path).  If there are no tcp syn/ack packets, the session will not be created.

The following consecutive packets came from single IP with incremental src port to the same destination webserver.

Since session is null, the packet is logged then just dropped by firewall.

Can enable 'config system setting asymroute' (default is disabled).

Also can send a tcp reset to the clients sending sessionless packet 'config system global reset-sessionless-tcp' (default is disabled)

Can try the following log setting to disable:

config log setting --> log-invalid-packet -->disable.

 

emnoc
Esteemed Contributor III

Yes I agreed and I see  various applications kick out  additional tcp packets when the session is long dead. is it always the same  address and  service ports?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors