"session clashed" in Fortigate
Hi, guys,
Another "session clashed" found in Fortigate 400E with FortiOS v6.4.2.
My NAT configuration is VIP + NAT enabled (111.111.11.5:18889 --> 10.16.6.35:18889); 100.100.11.54 is the internet user.
The Fortigate event log is below:
1: date=2022-06-12 time=22:01:54 logid="0100020085" type="event" subtype="system" level="information" vd="root" eventtime=1655085714423584374 tz="-0400" logdesc="session clash" status="clash" proto=6 msg="session clash" new_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:58902->111.111.11.5:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:58902->10.16.6.35:18889(10.16.6.254:31307) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:31307(100.100.11.54:58902) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:58902(111.111.11.5:18889)" old_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:58902->210.57.60.2:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:58902->10.16.6.35:18889(10.16.6.254:58902) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:58902(100.100.11.54:58902) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:58902(210.57.60.2:18889)"
2: date=2022-06-12 time=21:59:47 logid="0100020085" type="event" subtype="system" level="information" vd="root" eventtime=1655085587142104789 tz="-0400" logdesc="session clash" status="clash" proto=6 msg="session clash" new_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:53024->111.111.11.5:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:53024->10.16.6.35:18889(10.16.6.254:30971) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:30971(100.100.11.54:53024) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:53024(111.111.11.5:18889)" old_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:53024->210.57.60.2:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:53024->10.16.6.35:18889(10.16.6.254:53024) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:53024(100.100.11.54:53024) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:53024(210.57.60.2:18889)"
3: date=2022-06-12 time=21:58:41 logid="0100020085" type="event" subtype="system" level="information" vd="root" eventtime=1655085521574340749 tz="-0400" logdesc="session clash" status="clash" proto=6 msg="session clash" new_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:50916->111.111.11.5:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:50916->10.16.6.35:18889(10.16.6.254:30911) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:30911(100.100.11.54:50916) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:50916(111.111.11.5:18889)" old_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:50916->210.57.60.2:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:50916->10.16.6.35:18889(10.16.6.254:50916) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:50916(100.100.11.54:50916) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:50916(210.57.60.2:18889)"
I tried to sniff the traffic, and found the following sequence:
2022-06-13 03:02:36.559413 Server_V166 -- 10.132.1.21.18889 -> 10.16.6.35.58706: fin 3878196934 ack 2744162987
2022-06-13 03:02:36.615310 Server_V166 -- 10.16.6.254.64209 -> 10.16.6.35.18889: syn 3022893426
2022-06-13 03:02:36.615410 Server_V166 -- 10.16.6.35.18889 -> 10.16.6.254.64209: syn 3275526027 ack 3022893427
2022-06-13 03:02:36.618956 Server_V166 -- 10.16.6.254.64209 -> 10.16.6.35.18889: ack 3275526028
2022-06-13 03:02:36.618959 Server_V166 -- 10.16.6.254.64209 -> 10.16.6.35.18889: psh 3022893427 ack 3275526028
Any issue?
Any recommendations from your experts? Thanks a lot.
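An added example, not part of the original post: a Python parser for a session clash event in the format logged above, listing the fields that differ between `old_status` and `new_status`. The field names `src`, `dst` and `xlat` are labels chosen here, and reading the parenthesised address as the translated endpoint is an assumption based on the VIP mapping in the post.

```python
import re

# First "session clash" event from the post, trimmed to the fields parsed here.
SAMPLE = (
    'logdesc="session clash" status="clash" proto=6 '
    'new_status="state=00010200 tuple-num=4 policyid=69 '
    'dir=0 act=2 hook=0 100.100.11.54:58902->111.111.11.5:18889(10.16.6.35:18889) '
    'dir=0 act=1 hook=4 100.100.11.54:58902->10.16.6.35:18889(10.16.6.254:31307) '
    'dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:31307(100.100.11.54:58902) '
    'dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:58902(111.111.11.5:18889)" '
    'old_status="state=00010200 tuple-num=4 policyid=69 '
    'dir=0 act=2 hook=0 100.100.11.54:58902->210.57.60.2:18889(10.16.6.35:18889) '
    'dir=0 act=1 hook=4 100.100.11.54:58902->10.16.6.35:18889(10.16.6.254:58902) '
    'dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:58902(100.100.11.54:58902) '
    'dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:58902(210.57.60.2:18889)"'
)

STATUS_RE = re.compile(r'(new|old)_status="([^"]*)"')
TUPLE_RE = re.compile(r'dir=(\d+) act=(\d+) hook=(\d+) (\S+?)->(\S+?)\((\S+?)\)')
# "xlat" = the address in parentheses (assumed to be the translated endpoint).
FIELDS = ("dir", "act", "hook", "src", "dst", "xlat")


def parse_clash(line):
    """Return {'new': [tuple dicts], 'old': [tuple dicts]} for one clash event."""
    out = {}
    for which, body in STATUS_RE.findall(line):
        tuples = [dict(zip(FIELDS, m)) for m in TUPLE_RE.findall(body)]
        declared = re.search(r'tuple-num=(\d+)', body)
        if declared and int(declared.group(1)) != len(tuples):
            raise ValueError(f"{which}_status: tuple list is truncated")
        out[which] = tuples
    if set(out) != {"new", "old"}:
        raise ValueError("not a complete session clash event")
    return out


def diff_clash(line):
    """List (tuple index, field, old value, new value) where the sessions differ."""
    ev = parse_clash(line)
    return [(i, f, o[f], n[f])
            for i, (o, n) in enumerate(zip(ev["old"], ev["new"]))
            for f in FIELDS if o[f] != n[f]]
```

Run over the first event, `diff_clash(SAMPLE)` shows the two sessions share the client endpoint 100.100.11.54:58902 and the server 10.16.6.35:18889, and differ only in the external destination address and in the port used on 10.16.6.254.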
Hey Benson,
Did you accidentally post twice?
Yurisk posted a nice response in your other thread: https://community.fortinet.com/t5/Fortinet-Forum/session-clash-in-Fortigate/td-p/214501
Slightly different, but I think they have the same root cause.