Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
gvasquezn
New Contributor II

Error tcp-rst-from-client

Hello, I have a problem with my FortiVM FW , some of my ussers from a remote warehouse get conection properly but the next 5 seconds it drop off. It only happens in this warehouse. Policy permits traffic to the VPN host and port 10443. And as I can see in the logs, it has matched in and out.

We have fortigate VM FGVM

imagen (17).pngimagen (16).png

6 REPLIES 6
abarushka
Staff
Staff

Hello,

 

I would recommend to sniff traffic "diag sniffer packet any 'host <destination IP address>' 6 0 a". It may give a hint why client is sending RST packet.

FortiGate
gvasquezn
New Contributor II

Where should i run this diag, in my fortiauthenticator or host were get the reset from client?

 

abarushka

Hello,

 

On FortiGate side (VDOM level if applicable).

FortiGate
Sheikh
Staff
Staff

Hello @gvasquezn 

 

Try increasing the timeout value in the matching firewall policy and see if that helps.

 

# config firewall policy
# edit 1
# set session-ttl 1500
# end

 

regards,

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
gvasquezn
New Contributor II

this gave me this mesage.

 

FGVM4VTM23001983 (policy) # edit 1
new entry '1' added

FGVM4VTM23001983 (1) # set session-ttl 1500

FGVM4VTM23001983 (1) # end
Attribute 'srcintf' MUST be set.
Command fail. Return code -56

pminarik
Staff
Staff

The firewall policy itself allowed the traffic, otherwise client-RST could not happen.
Check if you have any relevant UTM profiles enabled in that policy (ID 196 based on the log).

 

If none, then the FortiGate is unlikely to be at fault. You will need to run a packet capture of both sides (as abarushka suggestted) and figure out what's wrong there on the application layer.

 

Given the number of packets sent, my initial random guess would be some issue during early TLS handshake. Not enough bytes for a certificate to be finished sending over, so maybe mismatch in TLS version and/or ciphersuite? Anyway, the pcap will hopefully answer that.

[ corrections always welcome ]
Top Kudoed Authors