Hello,
One of our customers migrated from 5.2.10 to 5.4.4.
After this migration, packets with SYN+ECN+CWR flags set were silently dropped by the firewall.
In order to solve this issue, we had to disable ECN congestion on the client.
https://ask.wireshark.org/questions/32067/many-many-tcp-out-of-order-dup-acks-and-retransmissions
Netsh interface tcp set global ecncapability=disabled
Is it a known issue with FortiGate FW?
Is there any command to disable this check?
Regards,
HA
Hi,
The only workaround is to disable offloading (to the ASIC) on the IPsec interface.
Regards,
HA
I've been told (but so far not been able to test fully) that the bug has been fixed in 5.4.5.
Well, to be accurate, our account management tech support said the devs have not been able to reproduce the bug in 5.4.5, so it sounds like the fix is a by-product of another bug fix.
As I said I haven't tested it yet so if you try it, let us know. Our 100Es on 5.4.4 are in production so I don't want to install 5.4.5 until it's been out for a little while longer and I can have some confidence that there aren't other issues. 5.4.5 seems fine on our development kit at the moment to be fair.
Bringing this old thread back up to report that the same issue has reappeared in 7.2.x; the same workaround works as well, i.e. disable npu-offloading on p1 ipsec. From our testing, this affects the ingress ipsec tunnel interface. Tested in 7.2.5 and 7.2.6.