Hi, guys,
Another "session clashed" found in Fortigate 400E with FortiOS v6.4.2
My NAT configuration is VIP + NAT enabled: ( 111.111.11.5 :18889 --> 10.16.6.35:18889), 100.100.11.54 is the internet user:
The Fortigate eventlog is below:
1: date=2022-06-12 time=22:01:54 logid="0100020085" type="event" subtype="system" level="information" vd="root" eventtime=1655085714423584374 tz="-0400" logdesc="session clash" status="clash" proto=6 msg="session clash" new_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:58902->111.111.11.5:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:58902->10.16.6.35:18889(10.16.6.254:31307) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:31307(100.100.11.54:58902) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:58902(111.111.11.5:18889)" old_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:58902->210.57.60.2:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:58902->10.16.6.35:18889(10.16.6.254:58902) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:58902(100.100.11.54:58902) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:58902(210.57.60.2:18889)"
2: date=2022-06-12 time=21:59:47 logid="0100020085" type="event" subtype="system" level="information" vd="root" eventtime=1655085587142104789 tz="-0400" logdesc="session clash" status="clash" proto=6 msg="session clash" new_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:53024->111.111.11.5:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:53024->10.16.6.35:18889(10.16.6.254:30971) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:30971(100.100.11.54:53024) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:53024(111.111.11.5:18889)" old_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:53024->210.57.60.2:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:53024->10.16.6.35:18889(10.16.6.254:53024) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:53024(100.100.11.54:53024) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:53024(210.57.60.2:18889)"
3: date=2022-06-12 time=21:58:41 logid="0100020085" type="event" subtype="system" level="information" vd="root" eventtime=1655085521574340749 tz="-0400" logdesc="session clash" status="clash" proto=6 msg="session clash" new_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:50916->111.111.11.5:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:50916->10.16.6.35:18889(10.16.6.254:30911) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:30911(100.100.11.54:50916) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:50916(111.111.11.5:18889)" old_status="state=00010200 tuple-num=4 policyid=69 dir=0 act=2 hook=0 100.100.11.54:50916->210.57.60.2:18889(10.16.6.35:18889) dir=0 act=1 hook=4 100.100.11.54:50916->10.16.6.35:18889(10.16.6.254:50916) dir=1 act=2 hook=0 10.16.6.35:18889->10.16.6.254:50916(100.100.11.54:50916) dir=1 act=1 hook=4 10.16.6.35:18889->100.100.11.54:50916(210.57.60.2:18889)"
I tried to sniffer the traffic, and found the following sequence:
2022-06-13 03:02:36.559413 Server_V166 -- 10.132.1.21.18889 -> 10.16.6.35.58706: fin 3878196934 ack 2744162987
2022-06-13 03:02:36.615310 Server_V166 -- 10.16.6.254.64209 -> 10.16.6.35.18889: syn 3022893426
2022-06-13 03:02:36.615410 Server_V166 -- 10.16.6.35.18889 -> 10.16.6.254.64209: syn 3275526027 ack 3022893427
2022-06-13 03:02:36.618956 Server_V166 -- 10.16.6.254.64209 -> 10.16.6.35.18889: ack 3275526028
2022-06-13 03:02:36.618959 Server_V166 -- 10.16.6.254.64209 -> 10.16.6.35.18889: psh 3022893427 ack 3275526028
Any issue ?
Any recommendation from your experts, thx a lot ?
Solved! Go to Solution.
Hey Benson,
did you accidentally post twice?
Yurisk posted a nice response in your other thread: https://community.fortinet.com/t5/Fortinet-Forum/session-clash-in-Fortigate/td-p/214501
Hey Benson,
did you accidentally post twice?
Yurisk posted a nice response in your other thread: https://community.fortinet.com/t5/Fortinet-Forum/session-clash-in-Fortigate/td-p/214501
Slightly different, but I think they have same root cause
User | Count |
---|---|
2677 | |
1412 | |
810 | |
703 | |
455 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.