Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Sama94
New Contributor

Random TCP Reset on session Fortigate 6.4.3

Hi Everybody,

I'm new on Fortigate but i've been following this forum since when we started using them in my company and I've always found usefull help on some issues that we have had.

Right now I've serach a lot in the last few days but I was unable to find some hint that can help me figure out something.

 

The current infrastracture of my company in based on VPN Site-to-Site throught the varius branch sites of my company to the HQ. Right now we are at 90% of the migration of all our branches from the old firewalls to fortigate.

In the HQ we have two fortigate 100E, in the minor brach sites we have 50E and in the middle level branchesites we have 60E.

The issues I'm having is only in the branch sites with Fortigate 60E, specifically we have 4 branchsites with a little difference.

Two of the branch sites have the software version 6.4.2 and the other two have the 6.4.3 (We have updated after some issues with the HA).

Only the two sites with the 6.4.3 have the issues so I think is some bug or some missconfiguration that we made on this version of the SO.

 

The collegues in the Branchsites works with RDSWeb passing on the VPN tunnel. I've already put a rule that specify no control on the RDP Ports if the traffic is "intra-lan".

 

During the work day I can see some random event on the Forward Traffic Log, it seems like the connection of the client is dropped due to inactivity. In the log I can see, under the Action voice, "TCP reset from server" but I was unable to find the reason bihind it. When this event appen the collegues lose the connection to the RDS Server and is stuck in is work until the connection is back (Sometimes is just a one sec wait, so they just see the screen "refreshing", other times is a few minutes")

I thank you all in advance for your help e thank you for ready this textwall. I'm sorry for my bad English but i'm a little bit rusty.

5 REPLIES 5
KrzysztofPL
New Contributor

Got similar issue - however it's not refer to VPN connections (mean not only) but LAN connections (different VLAN's). Has anyone reply to this ?

 

Regards 

btan
Staff
Staff

Hi Sama,

 

You may refer to this KB

https://community.fortinet.com/t5/FortiGate/Technical-Note-Configure-the-FortiGate-to-send-TCP-RST-p...

https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/491762/firewall-policy-policy6

 

enable timeout-send-rst on firewall policy and increase the ttl session to 7200

 

#config firewall policy
# edit <ID>
#  set timeout-send-rst enable

#  set session-ttl 7200

#  end


Regards,
Bon
Arzka
New Contributor II

I have also seen something similar with Fortigate. Fortigate sends client-rst to session (althought no timeout occurred). Some traffic might not work properly. As a workaround we have found, that if we remove ssl(certificate)-inspection from rule, traffic has no problems.

macnotiz
New Contributor

We observe the same issue with traffic to ec2 Instance from AWS. If we disable the SSL Inspection it works fine. :\ 

slay3r9903

Are you using a firewall policy that proxies also?

have you been able to find a way around this? I've been tweaking just about every setting in the CLI with no avail. It also works without the SSL Inspection enabled.

Labels
Top Kudoed Authors