Hi Team,
I am looking for some advise on the logs that we are seeing on my firewall.
Firewall is a VM hosted in Azure.
FGT Version 7.0.11
Problem:
User tries to login to server that is hosted in the DMZ (Azure) using LDAP and it takes approximately 1-2 minutes to login. The LDAP server is located on a different VNET.
Traffic Flow:
VNET-DMZ -->FW (Inside) --> FW (Inside) -->VNET (LDAP).
There seems to be huge amount of re-transmission, duplicate and out of order packet when the user tries to attempt (capture on done on FGT). This is the reason why the delay in authentication using LDAP.
It also appears that the authentication is successful only using the service LDAP_UDP and not tcp.
MTU on server set to 1500, MSS 1418 can be seen on the packet capture.
MTU on the NIC of the FGT is set to 1500, duplex, speed and other elements has been checked.
Appreciate any guidance on what else I can check to understand the reason for the issue.
On a note the firewall logs indicates "TCP Reset" for the TCP packets.
Firewall rules are in place and allows communications both ways.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
You may consider to decrease MSS to 1418 or lower (default is 1460) and check whether the issue persists:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518 (firewall policy)
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Behavior-of-TCP-MSS-setting-under-system-i... (interface)
Hi @kanes39
It is easier for you when you capture the packet and save it to a pcap file, then analyze it based on Wireshark.
I think the key packet to help solve the issue is the packet that needs "retransmission." You can check this packet's details inside and outside places related to "length, MSS" to know precisely. After that, you can find the solution next.
Thanks/Bill
Hi BillH_FTNT,
I did perform the capture and investigated it via WireShark.
This is where i can see that the MSS is set to 1418.
The one very obvious differences that i can see is that the CWR is set to 1 on packets that had retransmission and 0 on packets that pass through.
Thanks - Kanes
Hi @kanes39
Not only MSS, based on Wireshark, but you will also know where the packet is lost. The site makes packets lost, which will be deeply checked. I can't PM you, so if you don't mind. You can share your Wireshark files with me through mail bhoang@fortinet.com. I will show you more things.
Brs/Bill
Hi BillH_FTNT,
Thank you very much for the tips and the issue was caused by 2 elements:
a) Asymetric routing on Azure.
Hi @kanes39
You're welcome. Azure, by default, load-share traffic to customers, so asymmetric routing is very popular.
Thanks/Bill
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.