- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Drops a package that should not drop by policy.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Drops a package that should not drop by policy.
Hi, here is my policy in a 200B (see attachment)
Feb 18 12:26:40 192.168.x.x date=2015-02-18,time=12:27:55,devname=FG200B3910604xx,device_id=FG200B3912603xx,log_id=00 38000007,type=traffic,subtype=other,pri=warning,vd=root,src=192.168.x.x,src_port=51488,
src_int="portX",dst=200.40.28.16 8,dst_port=443,dst_int="portY",SN=57905425,
status=deny,policyid=8,dst_country="Uruguay",src_country="Reserved",
service=HTTPS,proto=6,duration=18,sent=0,rcvd=0,msg="replay packet(allow_err), drop"
i dont understand why drop this packet? Can you tell me about msg="replay packet(allow_err), drop" ?
Thanks
Martín.
Solved! Go to Solution.
3 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi.
Your policy is number 10, the one which is blocking the traffic is number 8. Policy number 10 must be above number 8 in order to make this one be applied first.
Regards.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
replay packet(allow_err)
I believe this means the packet sequence number was out of the window range so firewall dropped it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martin.germano wrote:
Hi, here is my policy in a 200B (see attachment)
[attachImg]https://forum.fortinet.com/download.axd?file=0;120491&where=message&f=policy.jpg[/attachImg]
Feb 18 12:26:40 192.168.x.x date=2015-02-18,time=12:27:55,devname=FG200B3910604xx,device_id=FG200B3912603xx,log_id=00 38000007,type=traffic,subtype=other,pri=warning,vd=root,src=192.168.x.x,src_port=51488,
src_int="portX",dst=200.40.28.16 8,dst_port=443,dst_int="portY",SN=57905425,
status=deny,policyid=8,dst_country="Uruguay",src_country="Reserved",
service=HTTPS,proto=6,duration=18,sent=0,rcvd=0,msg="replay packet(allow_err), drop"
i dont understand why drop this packet? Can you tell me about msg="replay packet(allow_err), drop" ?
Thanks
Martín.
" replay packet(allow_err), drop " This message is part of the TCP sequence checking The anti-replay CLI command allows you to set the level of checking for packet replay and TCP sequence checking (or TCP Sequence (SYN) number checking). All TCP packets contain a Sequence Number (SYN) and an Acknowledgement Number (ACK). The TCP protocol uses these numbers for error free end-to-end communications. TCP sequence checking can also be used to validate individual packets. FortiGate units use TCP sequence checking to make sure that a packet is part of a TCP session. By default, if a packet is received with sequence numbers that fall out of the expected range, the FortiGate unit drops the packet. This is normally a desired behaviour, since it means that the packet is invalid. But in some cases you may want to configure different levels of anti-replay checking if some of your network equipment uses non-RFC methods when sending packets. Configure the anti-replay CLI command: config system global set anti-replay {disable | loose | strict} end You can set anti-replay protection to the following settings: • disable — No anti-replay protection. • loose — Perform packet sequence checking and ICMP anti-replay checking with the following criteria: • The SYN, FIN, and RST bit can not appear in the same packet. • The FortiGate unit does not allow more than one ICMP error packet through before it receives a normal TCP or UDP packet. • If the FortiGate unit receives an RST packet, and check-reset-range is set to strict, the FortiGate unit checks to determine if its sequence number in the RST is within the un-ACKed data and drops the packet if the sequence number is incorrect. • strict — Performs all of the loose checking but for each new session also checks to determine of the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value for each new session. Strict anti-replay checking can also help prevent SYN flooding. If any packet fails a check it is dropped.
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi.
Your policy is number 10, the one which is blocking the traffic is number 8. Policy number 10 must be above number 8 in order to make this one be applied first.
Regards.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, this is policy 8:
(SSL authentication)
But, can't match here !! Because Port9(inside) - To - Port6 (internet)
This is wrong
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Martin, Just to be sure that is not an misunderstanding.....
In the first post you attach a capture from GUI ... the '10' is referred to the policy ID or to the policy Seq. ? The debug indicate that the traffic is dropped by the policy ID 8. "status=deny,policy id=8" So, try to understand if policy seq.10 is the policy id 8. To see the policy ID in GUI you must add the field or you can just see the edit number in CLI.
Regards
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rdumitrescu wrote:Hi Martin, Just to be sure that is not an misunderstanding.....
In the first post you attach a capture from GUI ... the '10' is referred to the policy ID or to the policy Seq. ? The debug indicate that the traffic is dropped by the policy ID 8. "status=deny,policy id=8" So, try to understand if policy seq.10 is the policy id 8. To see the policy ID in GUI you must add the field or you can just see the edit number in CLI.
Regards
Hi dumitrescu, you are right I was refered to policy id by GUI, that is not the same from CLI. I don't know why.
thanks.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martin.germano wrote:rdumitrescu wrote:Hi Martin, Just to be sure that is not an misunderstanding.....
In the first post you attach a capture from GUI ... the '10' is referred to the policy ID or to the policy Seq. ? The debug indicate that the traffic is dropped by the policy ID 8. "status=deny,policy id=8" So, try to understand if policy seq.10 is the policy id 8. To see the policy ID in GUI you must add the field or you can just see the edit number in CLI.
Regards
Hi dumitrescu, you are right I was refered to policy id by GUI, that is not the same from CLI. I don't know why.
thanks.
It should be the Sequence number and not the actual ID.
On the GUI, Firewall policies will be displayed by default with the column 'Sequence' and if I am not wrong '10' should be sequence number.
- To confirm the actual ID, you can add the column 'ID' on the GUI under Firewall > Policy > Right click on the columns and select the ID
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
replay packet(allow_err)
I believe this means the packet sequence number was out of the window range so firewall dropped it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
martin.germano wrote:
Hi, here is my policy in a 200B (see attachment)
[attachImg]https://forum.fortinet.com/download.axd?file=0;120491&where=message&f=policy.jpg[/attachImg]
Feb 18 12:26:40 192.168.x.x date=2015-02-18,time=12:27:55,devname=FG200B3910604xx,device_id=FG200B3912603xx,log_id=00 38000007,type=traffic,subtype=other,pri=warning,vd=root,src=192.168.x.x,src_port=51488,
src_int="portX",dst=200.40.28.16 8,dst_port=443,dst_int="portY",SN=57905425,
status=deny,policyid=8,dst_country="Uruguay",src_country="Reserved",
service=HTTPS,proto=6,duration=18,sent=0,rcvd=0,msg="replay packet(allow_err), drop"
i dont understand why drop this packet? Can you tell me about msg="replay packet(allow_err), drop" ?
Thanks
Martín.
" replay packet(allow_err), drop " This message is part of the TCP sequence checking The anti-replay CLI command allows you to set the level of checking for packet replay and TCP sequence checking (or TCP Sequence (SYN) number checking). All TCP packets contain a Sequence Number (SYN) and an Acknowledgement Number (ACK). The TCP protocol uses these numbers for error free end-to-end communications. TCP sequence checking can also be used to validate individual packets. FortiGate units use TCP sequence checking to make sure that a packet is part of a TCP session. By default, if a packet is received with sequence numbers that fall out of the expected range, the FortiGate unit drops the packet. This is normally a desired behaviour, since it means that the packet is invalid. But in some cases you may want to configure different levels of anti-replay checking if some of your network equipment uses non-RFC methods when sending packets. Configure the anti-replay CLI command: config system global set anti-replay {disable | loose | strict} end You can set anti-replay protection to the following settings: • disable — No anti-replay protection. • loose — Perform packet sequence checking and ICMP anti-replay checking with the following criteria: • The SYN, FIN, and RST bit can not appear in the same packet. • The FortiGate unit does not allow more than one ICMP error packet through before it receives a normal TCP or UDP packet. • If the FortiGate unit receives an RST packet, and check-reset-range is set to strict, the FortiGate unit checks to determine if its sequence number in the RST is within the un-ACKed data and drops the packet if the sequence number is incorrect. • strict — Performs all of the loose checking but for each new session also checks to determine of the TCP sequence number in a SYN packet has been calculated correctly and started from the correct value for each new session. Strict anti-replay checking can also help prevent SYN flooding. If any packet fails a check it is dropped.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortiswitch NAC user policy identification 92 Views
- How to perform special internet access... 146 Views
- FortiClient VPN stops at 48% with... 261 Views
- Change users default policy in FortiCloud... 55 Views
- FortiGate drops traceroute UDP 128 Views
Labels
-
FortiGate
7,162 -
FortiClient
1,414 -
5.2
801 -
5.4
639 -
FortiManager
620 -
FortiAnalyzer
456 -
6.0
416 -
FortiAP
376 -
FortiSwitch
373 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
115 -
IPsec
107 -
SSL-VPN
103 -
FortiGateCloud
97 -
FortiSIEM
93 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
48 -
FortiADC
45 -
FortiEDR
44 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
FortiSandbox
34 -
Firewall policy
33 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
FortiConverter
21 -
Certificate
20 -
SAML
19 -
FortiGate v5.2
19 -
LDAP
19 -
FortiPortal
18 -
Interface
18 -
FortiSwitch v6.2
17 -
Routing
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiGate v5.0
14 -
FortiLink
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
SSL SSH inspection
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Multicast routing
3 -
System settings
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Users
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1062 | |
| 889 | |
| 527 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.