Hello,
My company has a web service that sends keepalive messages every 20 seconds. The web server is outside our network; it is on Azure Cloud.
If I send keepalives from my network, the messages I send don't arrive on the server.
If I send keepalives from outside my network (with a notebook connected to my phone), I can see the keepalive messages on the server.
To sniff the traffic on the server I used Wireshark.
On the firewall I can't see the keepalives going through.
Thank you!
Hello FedeS,
To narrow down the problem, the first step is to run a sniffer for the keepalive messages on the FortiGate. Use the sniffer below:
diagnose sniffer packet any " host x.x.x.x " 4 0 l <---- replace x.x.x.x with the IP address of web service
This will show if the traffic is received on the FortiGate and forwarded to the ISP/WAN interface.
Additionally, you could check the session list to see if the session is created, using the commands below:
diag sys session filter dst XXXXX.XXXXX.XXXX.XXXX <---- destination IP/web service
diag sys session filter dport XXX <----
diag sys session list
Best regards,
Fortinet
Hi Syordanov and thanks for your reply!
In Wireshark I can clearly see whether a packet is a keepalive or not.
Is there a way to see them clearly on the FortiGate as well?
With the traffic sniffer I can see PSH and ACK, and I suppose they are keepalive messages.
Thank you!
Hello FedeS,
Is this Wireshark output taken on the FortiGate or at the cloud provider?
Did you get the output from the session list? From there we can see if the session is created/allowed on the FortiGate.
I think this TCP Keep-Alive is for an already established session, which means that the 3-way handshake is established.
Best regards,
Fortinet
Hi syordanov, the Wireshark output is taken on the local client 192.168.x.154 (the client that sent the keepalive messages).
The image below shows the output from "session filter dst x.x.x.x" and "session list".
I modified the IP addresses; I hope it's clear anyway.
Thank you!
Hi @FedeS ,
It seems that the Keepalive packets are using port 50007 talking to the web server port 443.
So if you can see such packets in the sniffer packet capture on FGT, that means we can see them on FGT.
Since FGT 60E is NP6LITE-based, you may need to disable the "auto-asic-offload" setting in the relevant firewall policy to see packets in the outputs of the sniffer packet capture.
Hi dingjerry_FTNT,
how can I see if my FGT is NP6LITE-based?
Where is the "auto-asic-offload" setting?
Thank you!
Hi @FedeS ,
1) "how can I see if my FGT is NP6LITE-based?"
Run this command and you will be able to tell:
# diagnose hardware deviceinfo nic <interface_name>
For example, if you have wan1 interface:
diagnose hardware deviceinfo nic wan1
It may show something like the following:
Description :FortiASIC NP6XLITE Adapter
Driver Name :FortiASIC NP6XLITE Driver
2) "Where is the "auto-asic-offload" setting? "
config firewall policy
edit <policy_ID> // It most likely is policy ID #1 according to the output of session list you provided
set auto-asic-offload disable
end
Once you are done with the sniffer capture, enable the setting again.
Hi dingjerry_FTN, below the output after the command:
"diagnose hardware deviceinfo nic wan1"
After disabling auto-asic-offload, I still didn't see keepalive messages on the webserver.
The strange thing is that I don't even see packets blocked by the firewall.
Could I try with the debug commands?
Thank you!
Created on ‎04-23-2025 07:32 AM Edited on ‎04-23-2025 07:32 AM
Hi @FedeS ,
Disabling ASIC offloading is NOT to fix the issue (although it may fix the issue if the issue is due to NPU offloading). It is to allow us to see the packets in the sniffer packet capture on FGT.
So the next step for you is to run the sniffer packet capture on FGT for the keepalive packets.
Do the keepalive packets use a special port? Does it use port 52076?
If you have the port info, run the following sniffer packet capture:
diag sniffer packet any 'host x.x.x.x and port 52076' 4 // x.x.x.x is the server IP, and you may change the port if it is using another one
If you don't know what port, run the following:
diag sniffer packet any 'host x.x.x.x and host y.y.y.y' 4 // x.x.x.x is the server IP and y.y.y.y is the client IP