HA
Contributor

FortiGate running 5.4.4 drops packets with SYN+ECN+CWR flags set

Hello,

 

One of our customers migrated from 5.2.10 to 5.4.4.

After this migration, packets with SYN+ECN+CWR flags set were silently dropped by the firewall.

In order to solve this issue, we had to disable ECN congestion on the client.

https://ask.wireshark.org/questions/32067/many-many-tcp-out-of-order-dup-acks-and-retransmissions

Netsh interface tcp set global ecncapability=disabled

 

Is this a known issue with FortiGate firewalls?

Is there any command to disable this check?

 

Regards,

 

HA
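
The flag combination named in this post, SYN+ECE+CWR (0xC2 in the TCP flags byte, RFC 3168's ECN-setup SYN), is what a Windows host sends while ecncapability is enabled. Before touching the client or the firewall it is worth confirming from a capture on each side of the FortiGate that the SYNs that disappear are exactly the ones carrying those two bits. The following is an added example, not code from the thread or from Fortinet: it parses raw TCP headers, picks out ECN-setup SYNs, and shows what the same SYN looks like once ECN is disabled on the client (ECE and CWR cleared). The packet bytes, port numbers and function names are constructed for the illustration; the TCP checksum is not recomputed after clearing the bits.

```python
"""
Spot TCP SYN segments carrying an ECN-setup request (SYN + ECE + CWR).

Added example, not from the original forum thread.  The segments below are
hand-built 20-byte TCP headers (no IP layer, zero checksum), not a real capture.
"""
import struct

# TCP flag bits in the low byte of header bytes 12-13 (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
ECN_SETUP = SYN | ECE | CWR  # 0xC2: SYN sent by an ECN-capable client


def build_tcp_header(sport: int, dport: int, seq: int, flags: int, window: int = 64240) -> bytes:
    """Build a minimal 20-byte TCP header (data offset 5, ack/checksum/urgent = 0)."""
    offset_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed TCP header; return ports, sequence number, flags and data offset."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, _ack, offset_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    # High nibble: header length in 32-bit words.  Low byte: the eight classic flags
    # (bit 8 is the NS nonce-sum bit, not relevant here).
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "flags": offset_flags & 0xFF,
        "data_offset": (offset_flags >> 12) * 4,
    }


def is_ecn_setup_syn(flags: int) -> bool:
    """True for a pure SYN (no ACK) with both ECE and CWR set: the ECN-setup SYN.

    A SYN/ACK with only ECE set (the server's ECN-setup reply) deliberately returns False.
    """
    return flags & (SYN | ACK | ECE | CWR) == ECN_SETUP


def clear_ecn_bits(segment: bytes) -> bytes:
    """Return the segment with ECE and CWR cleared.

    This is what the client's SYN looks like after
    'netsh interface tcp set global ecncapability=disabled'.  The checksum is
    left untouched, so recompute it before replaying the segment anywhere.
    """
    offset_flags = struct.unpack("!H", segment[12:14])[0] & ~(ECE | CWR)
    return segment[:12] + struct.pack("!H", offset_flags) + segment[14:]


def classify_syns(segments):
    """Split client SYNs into ECN-setup and plain ones, keyed by (sport, dport).

    SYN/ACKs and non-SYN segments are ignored: only the client's opening SYN matters here.
    """
    ecn, plain = [], []
    for seg in segments:
        h = parse_tcp_header(seg)
        if not (h["flags"] & SYN) or (h["flags"] & ACK):
            continue
        (ecn if is_ecn_setup_syn(h["flags"]) else plain).append((h["sport"], h["dport"]))
    return ecn, plain


# Constructed sample "capture": an ECN-capable client SYN, a plain SYN, the
# server's ECN-setup SYN/ACK, and a bare ACK.  Ports are made up.
SAMPLE_SEGMENTS = [
    build_tcp_header(50000, 443, 1000, ECN_SETUP),        # flags 0xC2, the SYN this thread is about
    build_tcp_header(50001, 443, 2000, SYN),              # ordinary SYN, flags 0x02
    build_tcp_header(443, 50000, 7000, SYN | ACK | ECE),  # server reply, not an ECN-setup SYN
    build_tcp_header(50000, 443, 1001, ACK),              # mid-connection ACK
]

if __name__ == "__main__":
    ecn, plain = classify_syns(SAMPLE_SEGMENTS)
    print("ECN-setup SYNs (candidates for the drop):", ecn)
    print("plain SYNs:", plain)
    fixed = parse_tcp_header(clear_ecn_bits(SAMPLE_SEGMENTS[0]))
    print("same SYN with ECN disabled on the client: flags=0x%02x" % fixed["flags"])
```

Run against a real trace, feed `classify_syns` the TCP payloads of each IP packet from the capture taken on the client side and on the far side of the tunnel; if the ECN-setup list is populated on the ingress side and empty after the FortiGate while plain SYNs pass in both, the box is dropping on exactly the flag pattern this thread describes.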
2 Solutions
HA

Hi,

 

The only workaround is to disable offloading (to the ASIC) on the IPsec interface.

 

Regards,

 

HA


ChrisDavis
New Contributor II

I've been told (but so far not been able to test fully) that the bug has been fixed in 5.4.5.

 

Well, to be accurate, our account management tech support said the devs have not been able to reproduce the bug in 5.4.5, so it sounds like the fix is a by-product of another bug fix.

 

As I said, I haven't tested it yet, so if you try it, let us know. Our 100Es on 5.4.4 are in production, so I don't want to install 5.4.5 until it's been out for a little while longer and I can have some confidence that there aren't other issues. 5.4.5 seems fine on our development kit at the moment, to be fair.


11 REPLIES
Maik
New Contributor II

Fixed and tested in 5.4.6.
simonorch
Contributor

Bringing this old thread back up to report that the same issue has reappeared in 7.2.x; the same workaround works as well, i.e. disable npu-offload on the IPsec phase 1 interface. From our testing this affects the ingress IPsec tunnel interface. Tested in 7.2.5 and 7.2.6.

NSE8 Fortinet Expert partner - Norway