Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Disable TCP SYNC check
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Not applicable
Created on 08-13-2008 06:23 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Disable TCP SYNC check
Hi
Does anyone know how to disable the TCP SYNC check on a frotigate 50B?
The fortigate acts as default gateway for the majority of traffic. However i need to bounce some traffic to a different gateway on the same internal subnet.
This works fine for ICMP traffic but not TCP. This i beleive is due to the fact traffic takes a different return path since on return there is no need to bounce through the fortigate.
I had a similar issue when doing this with a netscreen but was able to resolve the issue by disable TCP SYNC check. Since firewals monitor TCP sessions and if packets try and pass out of sequence or with no SYNC flag then they are dropped.
thanks
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i havent seen this issue with any of my installs, which are configured like this. i presume you are using a static route for that traffic and NOT policy routing?
Should work fine, are you sure it isn' t a client firewall thats dropping it?
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a INT -> INT rule to allow the traffic by the way?
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Not applicable
Created on 08-14-2008 02:00 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response.
Yes we do have a static route on the fortigate for the target subnet.
Yes we do have a rule internal to internal allow all any
No client firewall being used and tried on multiple machines
I have checked all DoS settigns and have no protection profiles so assuming no IPS is being applied (even through i created one and disabled all and applied just in case).
Im going to have a closer look at the cisco unit. As it stands TCP connection attempt results in the following:
Initiator: TCP ESTABLISHED
Fortigate: TCP ESTABLISHED
Receivor: TCP SYN_RECEIVED
By this i am led to beleive that the final ACK (for TCP handshake) from the initiator is not reaching the receiver (hence TCP SYN_RECEIVED). being blocked by either the fortigate or cisco due to the different return path.
Will check cisco device over.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the fortinet has a packet sniffer, which is useful in these scenarios. example usage below;
diag sniff packet internal ' host 192.168.1.10'
or
diag sniff packet internal ' icmp'
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Not applicable
Created on 08-14-2008 02:33 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes very handy. Used the packet sniffer to verify the return flow of traffic was not passing through the firewall.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
should still work though, as the host thats pinging should still receive the replies.
i havent come across this issue before, without it being a routing or client firewall issue.
And make sure you have NAT Disabled on the INT -> INT policy.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Not applicable
Created on 08-14-2008 07:05 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I beleive this problem can be refered to as an asymetric routing issue. I have tried to disable SPI using ' set asymroute enable' command but this had no affect. However i could not try reboot.
No i do not have NAT set on the firewall policy.
Also you are correct in that ping should work. As stated earlier ICMP works fine. This confirms that at a routing level everything is fine which just points to a possible IPS, DoS or AV problem at a higher level.
I have tried many different clients and appolagies as forgot to mention something important. This problem only occurs on Vista/2008. After a round of testing i found that for some strange reason windows XP machines automatically create a host route entry to the remote device pointing it to the other gateway (bypassing the fortigate).
So for example. Check routing table on xp machine and only the usual + default gateway exists (no routes to remote subnet). After ping (or any traffic at that matter) i check the routing table and magically a new route has been added for the remote HOST (not subnet) which bypasses the windows xp machines default gateway and goes straight to the second gateway.
Im thinking that the only solution to this problem is to publish a route to all clients via DHCP. Forcing them to bypass the fortigate for that particular subnet. Didnt really want to do this though.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The new route is called an ICMP redirect and is normal behavior, its basically the fortinet telling the client there is a better route to use.
And this isn' t asymmetrical routing, thats when the return traffic comes back through a different route via an stateful inspection device, like the fortigate.
UK Based Technical Consultant
FCSE v2.5
FCSE v2.8
FCNSP v3
Specialising in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT experience.
UK Based Technical Consultant FCSE v2.5 FCSE v2.8 FCNSP v3 Specialising
in Systems, Apps, SAN Storage and Networks, with over 25 Yrs IT
experience.
Not applicable
Created on 08-14-2008 07:45 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Very interesting. I have just checked ICMPRedirect on the Vista machine and this is enable. However the vista machine does not modify its routing in the way expected. Im guesssing some new security feature in vista. Just to be sure i tried a different vista machine with fresh install, no AV and windows firewall OFF. no luck
Anyway, moving on. The issue remains and only solution at present is to bypass the fortigate.
I agree, the term ' asymetric routing' usually refers to a complety different return route. However a similar issue to mine is documented in a fortinet technical note on page 6:
http://kc.forticare.com/tmp/2008-8-14_5-48_9643_183_01-28005-0113-20040928_v2.80_Asymmetric_Routing_&_Layer-2_Tech_Note.pdf
I have logged a call with fortnet and will post the fix
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Why does policy-id-6 appear? What is... 284 Views
- How to achieve zero packet loss... 334 Views
- What FortiOS Event Logs should i... 816 Views
- FortiADC disconnected interfaces in vmware 718 Views
- Fortiswitch 108e showing offline 1242 Views
Labels
-
FortiGate
8,048 -
FortiClient
1,614 -
5.2
801 -
FortiManager
679 -
5.4
639 -
FortiAnalyzer
516 -
FortiAP
425 -
FortiSwitch
424 -
6.0
416 -
FortiClient EMS
365 -
5.6
362 -
FortiMail
301 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
188 -
SSL-VPN
176 -
FortiNAC
162 -
IPsec
154 -
6.4
128 -
FortiGuard
125 -
FortiGateCloud
98 -
FortiCloud Products
94 -
FortiSIEM
93 -
SD-WAN
89 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
70 -
4.0MR3
64 -
Firewall policy
58 -
FortiProxy
53 -
FortiEDR
50 -
Fortivoice
49 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
40 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
34 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
25 -
Authentication
25 -
FortiWAN
24 -
FortiConverter
24 -
RADIUS
24 -
FortiGate v5.2
23 -
VDOM
23 -
FortiLink
23 -
Web profile
21 -
Virtual IP
20 -
Application control
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
FortiMonitor
16 -
Traffic shaping
16 -
FortiPAM
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
IPS signature
8 -
System settings
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
RMA Information and Announcements
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Netflow
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1500 | |
| 1009 | |
| 749 | |
| 443 | |
| 209 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.