ICMP unreachable asymmetric routing
Hi there!
I have a setup where I would like to allow ICMP port unreachable packets, even though there is no matching session in the 'diag sys session list' table. FortiOS 5.4.3, with NP6.
An old KB document states this http://kb.fortinet.com/kb/viewContent.do?externalId=FD31338&sliceId=1 :
"For ICMP error messages, there is an implicit processing, where only those reporting an error for an existing session can pass through the firewall. Otherwise, the packets are dropped. Common error messages could be:
- Destination Unreachable Messages
- Time Exceeded Messages
- Redirect Messages"
I would like to change / work around this behaviour.
host-A : 10.243.90.224
host-B : 10.172.0.2
On host-A, I issue mtr -u 10.172.0.2
-u makes mtr use UDP instead of ICMP, which will select random ports to try to use all available (ECMP) paths.
Example packet being sent as a response from host-B (that doesn't have this port open):
14:11:55.453305 IP 10.172.0.2 > 10.243.90.224: ICMP 10.172.0.2 udp port 38175 unreachable, length 72
The problem is that since I have multiple paths going via different FortiGates, there will be no entry in the session table for *some* of the returning ICMP port unreachable responses. Hence, the FortiGate will drop it. It looks like this in a debug flow:
id=20085 trace_id=160 func=print_pkt_detail line=4793 msg="vd-vpn received a packet(proto=1, 10.172.0.2:0->10.243.90.224:771) from VPN_0. type=3, code=3, id=0, seq=0."
A working (= ICMP unreachable actually being forwarded) debug flow looks like this - two messages instead of just one:
id=20085 trace_id=161 func=print_pkt_detail line=4793 msg="vd-vpn received a packet(proto=1, 10.172.0.2:0->10.243.90.224:771) from VPN_0. type=3, code=3, id=0, seq=0."
id=20085 trace_id=161 func=vf_ip_route_input_common line=2586 msg="find a route: flag=00000000 gw-10.240.226.68 via port28"
Has anyone run into the same thing, and how have you solved it? Thanks in advance!
Hello,
If you want to enable asymmetric routing just for ICMP messages, then you can use the 'asymroute-icmp' parameter.
config system settings
set asymroute-icmp enable
end
Best regards,
Benoit
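To make the implicit ICMP-error processing from the KB quote and the effect of Benoit's 'asymroute-icmp' knob concrete, here is an added Python model (not FortiOS code and not from either post). It builds host-A's UDP probe and host-B's type 3 / code 3 reply, parses the quoted IP header + 8 bytes out of the ICMP error to recover the 5-tuple of the original probe, and looks that tuple up in a per-firewall session set. The two firewalls (FGT-1 / FGT-2), the probe ports, the packet bytes and the session tables are all constructed for the demonstration, and the knob is modelled as a plain boolean; NP6 offload and the real session-table internals are not modelled.

```python
"""Model of a stateful firewall's implicit ICMP-error handling (added example).

Constructed scenario: host-A's mtr -u probes are ECMP-hashed over two
firewalls, FGT-1 and FGT-2 (hypothetical), but host-B's replies all come
back through FGT-2. An ICMP error is matched to a session by the 5-tuple
quoted inside it; with no match it is dropped unless asymroute-icmp is on.
"""
import socket
import struct

ICMP_ERROR_TYPES = {3, 5, 11}   # dest unreachable, redirect, time exceeded
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 for a valid message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (IP checksum left zero; not checked here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp_probe(src, sport, dst, dport, payload=b"mtr") -> bytes:
    """The UDP probe host-A sends; mtr -u varies the ports to spread over ECMP."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp


def icmp_port_unreachable(probe: bytes) -> bytes:
    """host-B's answer: type 3 code 3, quoting the probe's IP header + 8 bytes."""
    src, dst = socket.inet_ntoa(probe[16:20]), socket.inet_ntoa(probe[12:16])
    body = struct.pack("!BBHI", 3, 3, 0, 0) + probe[:28]
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(src, dst, IPPROTO_ICMP, len(body)) + body


def session_key(pkt: bytes):
    """(proto, src, sport, dst, dport) the firewall records for a forwarded packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 4:
        raise ValueError("no transport ports present")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (pkt[9], socket.inet_ntoa(pkt[12:16]), sport,
            socket.inet_ntoa(pkt[16:20]), dport)


def related_session(packet: bytes):
    """5-tuple an ICMP error refers to; None if the packet is not an ICMP error."""
    if packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[(packet[0] & 0x0F) * 4:]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    if icmp[0] not in ICMP_ERROR_TYPES:
        return None
    inner = icmp[8:]
    if len(inner) < 28:
        raise ValueError("ICMP error does not quote IP header + 8 bytes")
    return session_key(inner)


def firewall_decision(packet: bytes, sessions: set, asymroute_icmp: bool = False) -> str:
    """One firewall's verdict: 'forward', 'forward (asymroute-icmp)', 'drop',
    or 'policy-lookup' for anything that is not an ICMP error."""
    try:
        key = related_session(packet)
    except ValueError:
        return "drop"                       # malformed errors never match a session
    if key is None:
        return "policy-lookup"
    if key in sessions:
        return "forward"                    # the two-message debug flow
    return "forward (asymroute-icmp)" if asymroute_icmp else "drop"


def ecmp_demo(asymroute_icmp: bool = False) -> dict:
    """Probe 1 went out via FGT-1, probe 2 via FGT-2; both replies return via FGT-2."""
    host_a, host_b = "10.243.90.224", "10.172.0.2"
    probe_via_fgt1 = udp_probe(host_a, 40001, host_b, 38175)   # constructed ports
    probe_via_fgt2 = udp_probe(host_a, 40002, host_b, 38176)
    fgt1_sessions = {session_key(probe_via_fgt1)}
    fgt2_sessions = {session_key(probe_via_fgt2)}
    reply1 = icmp_port_unreachable(probe_via_fgt1)
    reply2 = icmp_port_unreachable(probe_via_fgt2)
    return {
        "reply1 @ FGT-2": firewall_decision(reply1, fgt2_sessions, asymroute_icmp),
        "reply2 @ FGT-2": firewall_decision(reply2, fgt2_sessions, asymroute_icmp),
        "reply1 @ FGT-1": firewall_decision(reply1, fgt1_sessions, asymroute_icmp),
    }


if __name__ == "__main__":
    for knob in (False, True):
        print("asymroute-icmp", "enable" if knob else "disable", ecmp_demo(knob))
```

Running it shows the asymmetric case ("reply1 @ FGT-2") dropped with the knob off and passed with it on, while a reply that lands on the firewall holding the matching session is forwarded either way. Note that the model still drops truncated or checksum-corrupt ICMP errors even with the knob enabled; the knob only relaxes the session-match requirement, it does not turn off validation of the message itself.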
