Hi Everybody,
I'm new on Fortigate but i've been following this forum since when we started using them in my company and I've always found usefull help on some issues that we have had.
Right now I've serach a lot in the last few days but I was unable to find some hint that can help me figure out something.
The current infrastracture of my company in based on VPN Site-to-Site throught the varius branch sites of my company to the HQ. Right now we are at 90% of the migration of all our branches from the old firewalls to fortigate.
In the HQ we have two fortigate 100E, in the minor brach sites we have 50E and in the middle level branchesites we have 60E.
The issues I'm having is only in the branch sites with Fortigate 60E, specifically we have 4 branchsites with a little difference.
Two of the branch sites have the software version 6.4.2 and the other two have the 6.4.3 (We have updated after some issues with the HA).
Only the two sites with the 6.4.3 have the issues so I think is some bug or some missconfiguration that we made on this version of the SO.
The collegues in the Branchsites works with RDSWeb passing on the VPN tunnel. I've already put a rule that specify no control on the RDP Ports if the traffic is "intra-lan".
During the work day I can see some random event on the Forward Traffic Log, it seems like the connection of the client is dropped due to inactivity. In the log I can see, under the Action voice, "TCP reset from server" but I was unable to find the reason bihind it. When this event appen the collegues lose the connection to the RDS Server and is stuck in is work until the connection is back (Sometimes is just a one sec wait, so they just see the screen "refreshing", other times is a few minutes")
I thank you all in advance for your help e thank you for ready this textwall. I'm sorry for my bad English but i'm a little bit rusty.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Got similar issue - however it's not refer to VPN connections (mean not only) but LAN connections (different VLAN's). Has anyone reply to this ?
Regards
Hi Sama,
You may refer to this KB
https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/491762/firewall-policy-policy6
enable timeout-send-rst on firewall policy and increase the ttl session to 7200
#config firewall policy
# edit <ID>
# set timeout-send-rst enable
# set session-ttl 7200
# end
I have also seen something similar with Fortigate. Fortigate sends client-rst to session (althought no timeout occurred). Some traffic might not work properly. As a workaround we have found, that if we remove ssl(certificate)-inspection from rule, traffic has no problems.
We observe the same issue with traffic to ec2 Instance from AWS. If we disable the SSL Inspection it works fine. :\
Are you using a firewall policy that proxies also?
have you been able to find a way around this? I've been tweaking just about every setting in the CLI with no avail. It also works without the SSL Inspection enabled.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.