Hello,
One of our customers migrate from 5.2.10 to 5.4.4.
After this migration, packets with SYN+ECN+CWR flags set were silently drops by the Firewall.
In order to solve this issue, we had to disable ECN congestion on the client.
https://ask.wireshark.org/questions/32067/many-many-tcp-out-of-order-dup-acks-and-retransmissions
Netsh interface tcp set global ecncapability=disabled
Is it a known issue with Fortigate FW ??
Any command to disable this check ??
Regards,
HA
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Only workaround is to disable Offloading (to the ASIC) on IPsec interface.
Regards,
HA
I've been told (but so far not been able to test fully) that the bug has been fixed in 5.4.5.
Well to be accurate our account management tech support said the dev's have not been able to re-produce the bug in 5.4.5, so sounds like the fix is a by -product of annother bug fix.
As I said I haven't tested it yet so if you try it, let us know. Our 100Es on 5.4.4 are in production so I don't want to install 5.4.5 until it's been out for a little while longer and I can have some confidence that there aren't other issues. 5.4.5 seems fine on our development kit at the moment to be fair.
under config sys global what do you have for protocol checks
e.g
set check-protocol-header loose or strict
I would start at that point. Since the SYN packets have the tcp-options, we need a way to fix up TCP-SYN or SYN-ACKs. Most open source firewall have the means to scrub or clean tcp.flags iptables,PF,etc.....
http://socpuppet.blogspot...ring-bad-tcpflags.html
PCNSE
NSE
StrongSwan
Hi,
First, thanks for your help.
Unfortunately, check-protocol-header is already set to 'loose'...
anti-replay : disable
asymroute : enable
tcp-session-without-syn: enable
Any other idea ??
Hi
We have the same thing.
It's a confirmed bug, specifically
"Bug #0240576 : NP6 packet sanity check considers wrongly SYN with ECN and/or CWR as an incorrect packet."
Disabling ECN works but that's not a very useful work around when dealing with third parties.
Makes VPNs with 5.4.4 mostly useless.
Hi Chris,
Thanks for the info !
Two questions now.
Does this bug affect all FortiOS release or is it limited to 5.4.4 ?
Where can I find a bug list of Fortigate device ??
Regards,
HA
I'm afraid I don't have that information.
AFAIK Fortinet do not publish their bug list unlike say Cisco (to be fair even Cisco don't publish all their bugs).
You will have to push your account manager if you have one or raise a support case if you can.
Anyone with more details regarding this bug?
Can´t see anything in the release notes for 5.4.5.
Experiencing the same issue over an IPSEC between a Fortigate 1500D (NP6) running 5.4.5 and one 100E (SoC) running 5.4.4.
Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden
robin.svanberg@ethersec.se
Hi,
Only workaround is to disable Offloading (to the ASIC) on IPsec interface.
Regards,
HA
I've been told (but so far not been able to test fully) that the bug has been fixed in 5.4.5.
Well to be accurate our account management tech support said the dev's have not been able to re-produce the bug in 5.4.5, so sounds like the fix is a by -product of annother bug fix.
As I said I haven't tested it yet so if you try it, let us know. Our 100Es on 5.4.4 are in production so I don't want to install 5.4.5 until it's been out for a little while longer and I can have some confidence that there aren't other issues. 5.4.5 seems fine on our development kit at the moment to be fair.
We are running 5.4.5 on 60E/200E/80E -> issues persists. ENC flagged packets over Ipsec tunnels are discarded.
Planning upgrade to 5.4.7 soon. Wonder if anybody tested if it is fixed there?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.