Support Forum
Amgrim
New Contributor

Problem with session close 5001B

Hi guys, I have already looked everywhere on the internet for an answer and I haven't found anything... we are having some problems right now after we migrated the CP to Fortigate here.

The problem is;

The client sends the SYN, the server responds with SYN ACK, but when they try to finish this session this is what happens;

the client sends a FIN ACK to the server

Server responds with another FIN ACK

at this point the Fortigate closes the session, but for the server and client the session is not completely over, so

client sends an ACK in answer to this FIN ACK

Fortigate is dropping this ACK because the Fortigate doesn't find any session

server continues trying to finish the session, sending a FIN ACK to the client;

Some logs I have collected;

1653.260982 INPUT_INTERFACE in xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: fin 132800227 ack 2801005612
1653.261006 OUTPUT_INTERFACE out xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: fin 132800227 ack 2801005612
1662.657450 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1662.657477 INPUT_INTERFACE out xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1663.825346 INPUT_INTERFACE in xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: ack 2801005613
1664.915593 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1669.430901 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1678.462661 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228

and a debug flow trace;

id=20085 trace_id=2825 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag , seq 132800001, ack 0, win 5840"
id=20085 trace_id=2825 func=init_ip_session_common line=4527 msg="allocate a new session-1be32163"
id=20085 trace_id=2825 func=iprope_dnat_check line=4619 msg="in-[INPUT_INTERFACE], out-[]"
id=20085 trace_id=2825 func=iprope_dnat_check line=4632 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=2825 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-152.255.0.54 via OUTPUT_INTERFACE"
id=20085 trace_id=2825 func=iprope_fwd_check line=612 msg="in-[INPUT_INTERFACE], out-[OUTPUT_INTERFACE], skb_flags-00800000, vid-0"
id=20085 trace_id=2825 func=__iprope_tree_check line=536 msg="gnum-100004, use addr/intf hash, len=4"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-100004 policy-4, ret-matched, act-accept"
id=20085 trace_id=2825 func=__iprope_user_identity_check line=1660 msg="ret-matched"
id=20085 trace_id=2825 func=__iprope_check line=2034 msg="gnum-4e20, check-ffffffffa00a9aa2"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2825 func=__iprope_check line=2053 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=2005 msg="policy-4 is matched, act-accept"
id=20085 trace_id=2825 func=iprope_fwd_auth_check line=677 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
id=20085 trace_id=2825 func=fw_forward_handler line=670 msg="Allowed by Policy-4:"
id=20085 trace_id=2826 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [S.], seq 2801005556, ack 132800002, win 4380"
id=20085 trace_id=2826 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, reply direction"
id=20085 trace_id=2826 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2827 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag [.], seq 132800002, ack 2801005557, win 5840"
id=20085 trace_id=2827 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, original direction"
id=20085 trace_id=2828 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag [F.], seq 132800227, ack 2801005612, win 5840"
id=20085 trace_id=2828 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, original direction"
id=20085 trace_id=2829 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2829 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, reply direction"
id=20085 trace_id=2830 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag [.], seq 132800228, ack 2801005613, win 5840"
id=20085 trace_id=2830 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-152.255.0.54 via OUTPUT_INTERFACE"
id=20085 trace_id=2830 func=fw_forward_dirty_handler line=310 msg="no session matched"
id=20085 trace_id=2831 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2831 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2831 func=fw_forward_dirty_handler line=310 msg="no session matched"
id=20085 trace_id=2832 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2832 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2832 func=fw_forward_dirty_handler line=310 msg="no session matched"
id=20085 trace_id=2833 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2833 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2833 func=fw_forward_dirty_handler line=310 msg="no session matched"

Here we have a Fortigate 5001B in version 5.2.3.

Any help with this problem would be great.

1 REPLY
Amgrim
New Contributor

Problem solved.

I changed the parameter tcp-time-wait timer to 5 seconds and this started working.
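To connect the sniffer capture in the question with the timer change in the reply, here is an added example (not code from the thread or from Fortinet): it replays the ingress packets of the four-way close, measures how long after the second FIN the client's final ACK arrived, and reports whether a given TCP TIME-WAIT window would still hold the session. It assumes the firewall's TIME-WAIT timer defaults to 1 second (the FortiOS tcp-timewait-timer default), so the 1.17 s gap in this capture falls outside the window, while the 5-second value from the reply covers it.

```python
import re

# Sniffer lines copied from the question above (addresses redacted as xxx by the poster).
SNIFFER_LOG = """\
1653.260982 INPUT_INTERFACE in xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: fin 132800227 ack 2801005612
1653.261006 OUTPUT_INTERFACE out xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: fin 132800227 ack 2801005612
1662.657450 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1662.657477 INPUT_INTERFACE out xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1663.825346 INPUT_INTERFACE in xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: ack 2801005613
1664.915593 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1669.430901 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
1678.462661 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) \S+ (?P<dir>in|out) (?P<src>\S+) -> (?P<dst>\S+): (?P<rest>.*)$")

def parse_ingress(log):
    """(ts, src, dst, has_fin) for packets the firewall received; 'out' lines are forwarded copies."""
    pkts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dir") == "in":
            pkts.append((float(m.group("ts")), m.group("src"), m.group("dst"),
                         m.group("rest").startswith("fin ")))
    return pkts

def analyze_close(log, timewait_s=1.0):
    """Replay the close; timewait_s is the assumed TIME-WAIT window after the second FIN."""
    fins = {}  # endpoint -> timestamp of its first FIN
    result = {"second_fin_ts": None, "final_ack_ts": None, "gap_s": None,
              "final_ack_dropped": False, "fin_retransmits": 0}
    for ts, src, _dst, has_fin in parse_ingress(log):
        if has_fin:
            if src in fins:
                result["fin_retransmits"] += 1      # peer never saw its ACK, keeps resending FIN
            else:
                fins[src] = ts
                if len(fins) == 2:
                    result["second_fin_ts"] = ts    # firewall enters TIME-WAIT here
        elif len(fins) == 2 and result["final_ack_ts"] is None:
            result["final_ack_ts"] = ts             # the last ACK of the handshake
            result["gap_s"] = round(ts - result["second_fin_ts"], 6)
            result["final_ack_dropped"] = result["gap_s"] > timewait_s
    return result

if __name__ == "__main__":
    for t in (1.0, 5.0):
        print(f"tcp-timewait-timer={t}s:", analyze_close(SNIFFER_LOG, t))
```

Run against your own `diagnose sniffer packet` output to see whether the last ACK is landing outside the window before touching the timer.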