- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDDoS
- FortiDAST
- FortiDB
- FortiDNS
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiGate Cloud
- FortiExtender
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- FortiWebCloud
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Problem with session close 5001B
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem with session close 5001B
Hi guys, i already have looking every place in internet looking for some answer and i dont have found anything... we are having some problems right now after we have migrate the CP for Fotigate here.
The problem is;
The client send the syn, server respond with syn ack but when they gonna try to finish this session this is what happen;
the client send a FIN ACK to the server
Server respond with other FIN ACK
at this point the fortigate close the session but for the server and client the session is not complete over so
client send a ACK in a answer of this FIN ACK
Fortigate is dropping this ACK because the fortigate dont find any session
server continue trying to finish the session sending a FIN ACK to client;
Some logs i have collect;
1653.260982 INPUT_INTERFACE in xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: fin 132800227 ack 2801005612 1653.261006 OUTPUT_INTERFACE out xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: fin 132800227 ack 2801005612 1662.657450 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228 1662.657477 INPUT_INTERFACE out xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228 1663.825346 INPUT_INTERFACE in xxx.xxx.xxx.73.3899 -> xxx.xxx.204.1.900: ack 2801005613 1664.915593 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228 1669.430901 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228 1678.462661 OUTPUT_INTERFACE in xxx.xxx.204.1.900 -> xxx.xxx.xxx.73.3899: fin 2801005612 ack 132800228
and a DEBUG;
id=20085 trace_id=2825 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag , seq 132800001, ack 0, win 5840"
id=20085 trace_id=2825 func=init_ip_session_common line=4527 msg="allocate a new session-1be32163"
id=20085 trace_id=2825 func=iprope_dnat_check line=4619 msg="in-[INPUT_INTERFACE], out-[]"
id=20085 trace_id=2825 func=iprope_dnat_check line=4632 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=2825 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-152.255.0.54 via OUTPUT_INTERFACE"
id=20085 trace_id=2825 func=iprope_fwd_check line=612 msg="in-[INPUT_INTERFACE], out-[OUTPUT_INTERFACE], skb_flags-00800000, vid-0"
id=20085 trace_id=2825 func=__iprope_tree_check line=536 msg="gnum-100004, use addr/intf hash, len=4"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-100004 policy-4, ret-matched, act-accept"
id=20085 trace_id=2825 func=__iprope_user_identity_check line=1660 msg="ret-matched"
id=20085 trace_id=2825 func=__iprope_check line=2034 msg="gnum-4e20, check-ffffffffa00a9aa2"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=1824 msg="checked gnum-4e20 policy-6, ret-no-match, act-accept"
id=20085 trace_id=2825 func=__iprope_check line=2053 msg="gnum-4e20 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=20085 trace_id=2825 func=__iprope_check_one_policy line=2005 msg="policy-4 is matched, act-accept"
id=20085 trace_id=2825 func=iprope_fwd_auth_check line=677 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-4"
id=20085 trace_id=2825 func=fw_forward_handler line=670 msg="Allowed by Policy-4:"
id=20085 trace_id=2826 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [S.], seq 2801005556, ack 132800002, win 4380"
id=20085 trace_id=2826 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, reply direction"
id=20085 trace_id=2826 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2827 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag [.], seq 132800002, ack 2801005557, win 5840"
id=20085 trace_id=2827 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, original direction"
id=20085 trace_id=2828 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag [F.], seq 132800227, ack 2801005612, win 5840"
id=20085 trace_id=2828 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, original direction"
id=20085 trace_id=2829 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2829 func=resolve_ip_tuple_fast line=4437 msg="Find an existing session, id-1be32163, reply direction"
id=20085 trace_id=2830 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.xxx.73:3899->xxx.xxx.204.1:900) from INPUT_INTERFACE. flag [.], seq 132800228, ack 2801005613, win 5840"
id=20085 trace_id=2830 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-152.255.0.54 via OUTPUT_INTERFACE"
id=20085 trace_id=2830 func=fw_forward_dirty_handler line=310 msg="no session matched"
id=20085 trace_id=2831 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2831 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2831 func=fw_forward_dirty_handler line=310 msg="no session matched"
id=20085 trace_id=2832 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2832 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2832 func=fw_forward_dirty_handler line=310 msg="no session matched"
id=20085 trace_id=2833 func=print_pkt_detail line=4378 msg="vd-V_CLIENT received a packet(proto=6, xxx.xxx.204.1:900->xxx.xxx.xxx.73:3899) from OUTPUT_INTERFACE. flag [F.], seq 2801005612, ack 132800228, win 4605"
id=20085 trace_id=2833 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-192.168.238.181 via INPUT_INTERFACE"
id=20085 trace_id=2833 func=fw_forward_dirty_handler line=310 msg="no session matched"
Here we have a Fortigate 5001B in version 5.2.3.
Any help with this problem will be great
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem solved.
i made a change in paramter tcp-time-wait timer to 5 seconds and this start work
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- RDP Sessions randomly dropping over IPSEC... 116 Views
- Fortigate 90G firmware Bugs 194 Views
- AWS tunnel issue 336 Views
- FortiClient VPN stops at 48% with... 488 Views
- 80F Issues with Active FTP 290 Views
Labels
-
FortiGate
7,186 -
FortiClient
1,418 -
5.2
801 -
5.4
639 -
FortiManager
621 -
FortiAnalyzer
458 -
6.0
416 -
FortiAP
376 -
FortiSwitch
375 -
5.6
362 -
FortiClient EMS
291 -
FortiMail
281 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
175 -
FortiNAC
128 -
6.4
128 -
FortiGuard
116 -
IPsec
110 -
SSL-VPN
109 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
89 -
FortiToken
77 -
Customer Service
71 -
Wireless Controller
65 -
4.0MR3
64 -
FortiProxy
49 -
SD-WAN
49 -
FortiEDR
46 -
FortiADC
45 -
Fortivoice
44 -
FortiDNS
39 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiAuthenticator
35 -
Firewall policy
35 -
FortiSandbox
34 -
FortiSwitch v6.4
32 -
VLAN
31 -
High Availability
31 -
DNS
24 -
FortiWAN
24 -
FortiConnect
24 -
ZTNA
23 -
BGP
21 -
LDAP
21 -
FortiConverter
21 -
Certificate
21 -
SAML
20 -
FortiGate v5.2
19 -
FortiPortal
18 -
Routing
18 -
Interface
18 -
FortiSwitch v6.2
17 -
VDOM
17 -
FortiMonitor
15 -
Authentication
15 -
FortiLink
15 -
FortiGate v5.0
14 -
Fortigate Cloud
14 -
FortiDDoS
14 -
Logging
14 -
NAT
13 -
RADIUS
12 -
SSL SSH inspection
12 -
FortiCASB
12 -
Application control
11 -
Web profile
11 -
Traffic shaping
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
SSID
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
WAN optimization
9 -
4.0MR2
9 -
IP address management - IPAM
8 -
FortiBridge
8 -
SNMP
8 -
FortiGate v4.0 MR3
8 -
OSPF
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiAP profile
7 -
4.0
7 -
Admin
7 -
Web application firewall profile
7 -
Static route
6 -
Security profile
6 -
Proxy policy
6 -
Traffic shaping policy
6 -
Automation
6 -
IPS signature
5 -
Packet capture
5 -
DNS Filter
5 -
FortiCache
5 -
FortiManager v4.0
5 -
trunk
5 -
FortiDeceptor
4 -
FortiDirector
4 -
Web rating
4 -
Intrusion prevention
4 -
Port policy
4 -
Antivirus profile
4 -
System settings
4 -
FortiPAM
4 -
FortiCarrier
4 -
FortiTester
4 -
3.6
4 -
DLP sensor
4 -
FortiScan
4 -
Fabric connector
3 -
NAC policy
3 -
Users
3 -
Multicast routing
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
Fortinet Engage Partner Program
3 -
DLP Dictionary
3 -
DLP profile
3 -
FortiDB
3 -
DoS policy
3 -
Email filter profile
3 -
FortiInsight
2 -
Netflow
2 -
Protocol option
2 -
FortiAI
2 -
Application signature
2 -
FortiHypervisor
2 -
VoIP profile
2 -
Internet Service Database
2 -
Explicit proxy
2 -
4.0MR1
1 -
Multicast policy
1 -
Zone
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
FortiNDR
1 -
TACACS
1 -
Replacement messages
1 -
Schedule
1 -
SDN connector
1 -
FortiManager-VM
1 -
Authentication rule and scheme
1 -
Service
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1077 | |
| 892 | |
| 529 | |
| 441 | |
| 152 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.