Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
BensonLEI
Contributor

"session clashed" in Fortigate

Hi, guys,

 

Another "session clashed" found in Fortigate 400E with FortiOS v6.4.2

 

My NAT configuration is VIP + NAT enabled: ( 111.111.11.5 :18889 --> 10.16.6.35:18889), 100.100.11.54 is the internet user:

 

The Fortigate eventlog is below:

1: date=2022-06-12 time=22:01:54 logid="0100020085" type="event" subtype="system" level="information" vd="root" eventtime=1655085714423584374 tz="-0400" logdesc="session clash" status="clash" proto=6 msg="session clash" new_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:58902->111.111.11.5:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:58902->10.16.6.35:18889(10.16.6.254:31307) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:31307(100.100.11.54:58902) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:58902(111.111.11.5:18889)" old_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:58902->210.57.60.2:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:58902->10.16.6.35:18889(10.16.6.254:58902) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:58902(100.100.11.54:58902) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:58902(210.57.60.2:18889)"
2: date=2022-06-12 time=21:59:47 logid="0100020085" type="event" subtype="system" level="information" vd="root" eventtime=1655085587142104789 tz="-0400" logdesc="session clash" status="clash" proto=6 msg="session clash" new_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:53024->111.111.11.5:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:53024->10.16.6.35:18889(10.16.6.254:30971) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:30971(100.100.11.54:53024) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:53024(111.111.11.5:18889)" old_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:53024->210.57.60.2:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:53024->10.16.6.35:18889(10.16.6.254:53024) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:53024(100.100.11.54:53024) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:53024(210.57.60.2:18889)"
3: date=2022-06-12 time=21:58:41 logid="0100020085" type="event" subtype="system" level="information" vd="root" eventtime=1655085521574340749 tz="-0400" logdesc="session clash" status="clash" proto=6 msg="session clash" new_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:50916->111.111.11.5:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:50916->10.16.6.35:18889(10.16.6.254:30911) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:30911(100.100.11.54:50916) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:50916(111.111.11.5:18889)" old_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:50916->210.57.60.2:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:50916->10.16.6.35:18889(10.16.6.254:50916) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:50916(100.100.11.54:50916) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:50916(210.57.60.2:18889)"

 

 

 

I tried to sniffer the traffic, and found the following sequence:

2022-06-13 03:02:36.559413 Server_V166 -- 10.132.1.21.18889 -> 10.16.6.35.58706: fin 3878196934 ack 2744162987
2022-06-13 03:02:36.615310 Server_V166 -- 10.16.6.254.64209 -> 10.16.6.35.18889: syn 3022893426
2022-06-13 03:02:36.615410 Server_V166 -- 10.16.6.35.18889 -> 10.16.6.254.64209: syn 3275526027 ack 3022893427
2022-06-13 03:02:36.618956 Server_V166 -- 10.16.6.254.64209 -> 10.16.6.35.18889: ack 3275526028
2022-06-13 03:02:36.618959 Server_V166 -- 10.16.6.254.64209 -> 10.16.6.35.18889: psh 3022893427 ack 3275526028

 

Any issue ?

 

Any recommendation from your experts, thx a lot ?

 

 

 

 

 

1 Solution
Debbie_FTNT
Staff
Staff

Hey Benson,

did you accidentally post twice?

Yurisk posted a nice response in your other thread: https://community.fortinet.com/t5/Fortinet-Forum/session-clash-in-Fortigate/td-p/214501

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

2 REPLIES 2
Debbie_FTNT
Staff
Staff

Hey Benson,

did you accidentally post twice?

Yurisk posted a nice response in your other thread: https://community.fortinet.com/t5/Fortinet-Forum/session-clash-in-Fortigate/td-p/214501

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
BensonLEI

Slightly different, but I think they have same root cause

Top Kudoed Authors