"session clashed" issue in SDWAN configuration
Hi, guys,
I am using a Fortigate 400E with FortiOS v7.0.3, with an SDWAN configuration of 3 internet lines; the line information is the following:
1. line1 = 100.100.100.0/24 ; ( a VIP mapping - 100.100.100.10-NATed-10.16.6.35 )
2. line2 = 111.111.111.0/24 ; ( a VIP mapping - 111.111.111.11-NATed-10.16.6.35 )
3. line3 = 222.222.222.0/24 ; ( a VIP mapping - 222.222.222.22-NATed-10.16.6.35 )
The SDWAN service for these 3 lines: mode (load-balance, hash-mode=round-robin)
A customer IP: 134.96.54.129
"session clashed" is found as below:
1: date=2022-10-25 time=12:22:50 eventtime=1666671770025306040 tz="+0800" logid="0100020085" type="event" subtype="system" level="information" vd="root" logdesc="Session clashed" status="clash" proto=6 msg="session clash"
new_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 134.96.54.129:29656->111.111.111.11:18889(10.16.6.35:18889) dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(111.111.111.11:18889)"
old_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 134.96.54.129:29656->222.222.222.22:18889(10.16.6.35:18889) dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(222.222.222.22:18889)"
Any advice/recommendation?
Many thanks in advance.
BensonLEI
Hi,
Here the source port and destination port are the same in both sessions originated from 134.96.54.129, causing the clash, as the NAT table would not be able to differentiate and determine the return traffic from each VIP if they existed together to forward to the same source. You should ideally check options to fix the source to generate some randomness if it needs to simultaneously create (2 or more) sessions, or have one session at a time using the same sport and dport.
Best regards,
Jin
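A small parser for the session-clash record quoted in the question, added here as an illustration and not taken from the thread or from Fortinet: it pulls the pre-NAT and post-NAT 5-tuples out of `new_status`/`old_status` and reports when the clash is the cross-VIP collision Jin describes (different VIPs, identical tuple after DNAT). The sample log line is constructed from the one above, trimmed to the fields the parser needs.

```python
import re

# Constructed sample, modelled on the session-clash event quoted in the thread
# (fields trimmed to the ones the parser needs).
SAMPLE_LOG = (
    'logid="0100020085" logdesc="Session clashed" status="clash" proto=6 '
    'new_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 '
    '134.96.54.129:29656->111.111.111.11:18889(10.16.6.35:18889) '
    'dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(111.111.111.11:18889)" '
    'old_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 '
    '134.96.54.129:29656->222.222.222.22:18889(10.16.6.35:18889) '
    'dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(222.222.222.22:18889)"'
)

# Matches the dir=0 (original direction) entry: src:sport->dst:dport(translated-dst:port)
TUPLE_RE = re.compile(r"dir=0 .*? (\S+?):(\d+)->(\S+?):(\d+)\((\S+?):(\d+)\)")


def parse_clash(line):
    """Return the pre-NAT and post-NAT 5-tuples of the new and old session."""
    proto = re.search(r"proto=(\d+)", line).group(1)
    out = {}
    for key in ("new", "old"):
        status = re.search(rf'{key}_status="([^"]*)"', line).group(1)
        src, sport, vip, dport, real, rport = TUPLE_RE.search(status).groups()
        out[key] = {
            # what the internet client sent: client -> VIP address
            "pre_nat": (proto, src, sport, vip, dport),
            # what the firewall must track after DNAT: client -> real server
            "post_nat": (proto, src, sport, real, rport),
        }
    return out


def explain_clash(line):
    """Classify the clash: same tuple only after DNAT means two VIPs collided."""
    s = parse_clash(line)
    same_pre = s["new"]["pre_nat"] == s["old"]["pre_nat"]
    same_post = s["new"]["post_nat"] == s["old"]["post_nat"]
    if same_post and not same_pre:
        return "dnat-collision"   # different VIPs, identical post-NAT tuple
    if same_pre:
        return "duplicate-tuple"  # client reused the exact same connection tuple
    return "other"


if __name__ == "__main__":
    print(explain_clash(SAMPLE_LOG))  # dnat-collision
```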
Hi, Jin,
Thanks so much for your advice.
May I know if there is any configuration to fix this problem in Fortigate, since internet users cannot be configured/controlled?
Thanks a lot
BensonLEI
Created on 10-26-2022 01:19 AM Edited on 10-26-2022 01:32 AM
Hi,
Please see Technical Tip: Explanation of the session clash me... - Fortinet Community. At some point there may be the same tuple formation, and it may be unavoidable with uncontrollable users from the internet generating traffic at the same time, but then the source may reconnect again using a different source port.
best regards,
Jin
Hi, Jin,
In Fortigate, is there any configuration allowing one sport at one time only, or any other configuration that is helpful to prevent this issue? Thx
With regards
BensonLEI
Created on 10-26-2022 03:58 AM Edited on 10-27-2022 12:30 AM
Fortigate allows only one connection from one source port at a time. Therefore, the old session will be closed and replaced by the new session when a session clash happens.
SFA
Created on 10-26-2022 06:48 PM Edited on 10-26-2022 06:51 PM
Hi, Alif,
Great to hear this.
May I know the way to achieve this (or how to remove the "session clashed" message, which is something that scares management) in Fortigate (I am currently using FortiOS v7.0.3)?
With regards
BensonLEI
Hi @BensonLEI
It's actually good to have session clash messages generated as it allows to know if NAT port exhaustion is happening. AFAIK, there is no way to disable these messages.
SFA
Your detailed explanation is greatly appreciated.
If you would like to disable a particular log entry, please check the below link.
SFA
