Hi guys, I have already looked everywhere on the internet for an answer and haven't found anything... we are having some problems right now after we migrated the CP to Fortigate here.
The problem is:
The client sends the SYN, the server responds with SYN/ACK, but when they try to finish this session this is what happens:
the client sends a FIN/ACK to the server
the server responds with another FIN/ACK
at this point the Fortigate closes the session, but for the server and client the session is not completely over, so
the client sends an ACK in answer to this FIN/ACK
the Fortigate drops this ACK because it doesn't find any session
the server keeps trying to finish the session by sending a FIN/ACK to the client;
Some logs I have collected:
1653.260982 INPUT_INTERFACE in xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: fin 132800227 ack 2801005612
1653.261006 OUTPUT_INTERFACE out xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: fin 132800227 ack 2801005612
1662.657450 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1662.657477 INPUT_INTERFACE out xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1663.825346 INPUT_INTERFACE in xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: ack 2801005613
1664.915593 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1669.430901 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1678.462661 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
and a DEBUG:
id=20085 trace_id=2825 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag , seq 132800001, ack 0, win 5840"
id=20085 trace_id=2825 func=init_ip_session_common line=4527 msg="allocate a new session-1be32163"
id=20085 trace_id=2825 func=iprope_dnat_check line=4619 msg="in-[INPUT_INTERFACE], out-[]"
id=20085 trace_id=2825 func=iprope_dnat_check line=4632 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=2825 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-152.255.0.54 via OUTPUT_INTERFACE"
id=20085 trace_id=2825 func=iprope_fwd_check line=612 msg="in-[INPUT_INTERFACE], out-[OUTPUT_INTERFACE], skb_flags-00800000, vid-0"
id=20085 trace_id=2825 func=__iprope_tree_check line=536 msg="gnum-100004, use addr/intf hash, len=4"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-100004 policy-4, ret-matched, act-accept"
id=20085 trace_id=2825 func=__iprope_user_identity_check line=1660 msg="ret-matched"
id=20085 trace_id=2825 func=__iprope_check line=2034 msg="gnum-4e20, check-ffffffffa00a9aa2"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2825 func=__iprope_check line=2053 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=2005 msg="policy-4 is matched, act-accept"
id=20085 trace_id=2825 func=iprope_fwd_auth_check line=677 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
id=20085 trace_id=2825 func=fw_forward_handler line=670 msg="Allowed by Policy-4:"
id=20085 trace_id=2826 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [S.], seq 2801005556, ack 132800002, win 4380"
id=20085 trace_id=2826 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, reply direction"
id=20085 trace_id=2826 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2827 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag [.], seq 132800002, ack 2801005557, win 5840"
id=20085 trace_id=2827 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, original direction"
id=20085 trace_id=2828 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag [F.], seq 132800227, ack 2801005612, win 5840"
id=20085 trace_id=2828 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, original direction"
id=20085 trace_id=2829 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2829 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, reply direction"
id=20085 trace_id=2830 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag [.], seq 132800228, ack 2801005613, win 5840"
id=20085 trace_id=2830 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-152.255.0.54 via OUTPUT_INTERFACE"
id=20085 trace_id=2830 func=fw_forward_dirty_handler line=310 msg="no session matched"
id=20085 trace_id=2831 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2831 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2831 func=fw_forward_dirty_handler line=310 msg="no session matched"
id=20085 trace_id=2832 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2832 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2832 func=fw_forward_dirty_handler line=310 msg="no session matched"
id=20085 trace_id=2833 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2833 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2833 func=fw_forward_dirty_handler line=310 msg="no session matched"
Here we have a Fortigate 5001B on version 5.2.3.
Any help with this problem would be great.
Problem solved.
I changed the parameter tcp-time-wait timer to 5 seconds and this started working.
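As an added example (not from the poster or from Fortinet), here is a small Python checker for sniffer output in the format of the capture above: it pairs each ingress copy of a packet with its egress copy, so anything the unit dropped shows up, and it measures how long after the second FIN the closing ACK arrived, which is the interval the time-wait timer has to cover. The addresses and interface names in the sample are constructed placeholders.

```python
import re
from collections import Counter
# Constructed sample in the format of the capture above (placeholder addresses): a packet
# the firewall forwards appears twice (in, then out); a packet it drops appears once.
SNIFFER_LOG = """\
1653.260982 port1 in 192.0.2.73.3899 -> 198.51.100.1.900: fin 132800227 ack 2801005612
1653.261006 port2 out 192.0.2.73.3899 -> 198.51.100.1.900: fin 132800227 ack 2801005612
1662.657450 port2 in 198.51.100.1.900 -> 192.0.2.73.3899: fin 2801005612 ack 132800228
1662.657477 port1 out 198.51.100.1.900 -> 192.0.2.73.3899: fin 2801005612 ack 132800228
1663.825346 port1 in 192.0.2.73.3899 -> 198.51.100.1.900: ack 2801005613
1664.915593 port2 in 198.51.100.1.900 -> 192.0.2.73.3899: fin 2801005612 ack 132800228
1669.430901 port2 in 198.51.100.1.900 -> 192.0.2.73.3899: fin 2801005612 ack 132800228
1678.462661 port2 in 198.51.100.1.900 -> 192.0.2.73.3899: fin 2801005612 ack 132800228
"""
REC_RE = re.compile(r"^(\S+) \S+ (in|out) (\S+)\.(\d+) -> (\S+)\.(\d+): "
                    r"([a-z ]*?)\s*(\d+)?\s*(?:ack (\d+))?$")

def parse_line(line):
    """Parse one sniffer record into a dict; returns None for lines in another format."""
    m = REC_RE.match(line.strip())
    if not m:
        return None
    ts, direction, src, sport, dst, dport, flagstr, seq, ack = m.groups()
    flags = frozenset(flagstr.split() + (["ack"] if ack else []))  # "fin N ack M" is FIN+ACK
    return {"ts": float(ts), "dir": direction, "src": src, "dst": dst, "flags": flags,
            "seq": seq, "key": (src, sport, dst, dport, flags, seq, ack)}

def analyse_close(log):
    """Pair each ingress copy with an egress copy (unpaired = dropped), then time the close."""
    pkts = [p for p in map(parse_line, log.splitlines()) if p]
    spare_out = Counter(p["key"] for p in pkts if p["dir"] == "out")
    ingress = [p for p in pkts if p["dir"] == "in"]
    dropped = []
    for p in ingress:
        if spare_out[p["key"]] > 0:
            spare_out[p["key"]] -= 1          # one egress copy satisfies one ingress copy
        else:
            dropped.append(p)
    fins = [p for p in ingress if "fin" in p["flags"]]
    # earliest FIN per direction (reversed so the first occurrence wins), sorted by time
    fin_ts = sorted({(p["src"], p["dst"]): p["ts"] for p in reversed(fins)}.values())
    second_fin = fin_ts[1] if len(fin_ts) == 2 else None
    final_ack = next((p for p in ingress if p["flags"] == {"ack"}
                      and second_fin is not None and p["ts"] > second_fin), None)
    return {"dropped": len(dropped),
            # the half-closed session must outlive this gap, else the ACK is dropped and FINs resent
            "ack_gap_s": round(final_ack["ts"] - second_fin, 3) if final_ack else None,
            "final_ack_dropped": final_ack is not None and final_ack in dropped,
            "fin_retransmits": len(fins) - len({(p["src"], p["dst"], p["seq"]) for p in fins})}
```

On the sample this reports four dropped packets (the closing ACK plus three FIN retransmissions) and an ACK gap of about 1.17 s after the second FIN, so a time-wait timer shorter than that closes the session before the ACK can pass.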