"session clashed" issue in SDWAN configuration

BensonLEI · ‎10-25-2022

Hi, guys,

I am using Fortigate 400E with FortiOS v7.0.3; A SDWAN configuration of 3 internet lines; lines information are the following:

1. line1 = 100.100.100.0/24 ; ( a VIP mapping - 100.100.100.10-NATed-10.16.6.35 )

2. line2 = 111.111.111.0/24 ; ( a VIP mapping - 111.111.111.11-NATed-10.16.6.35 )

3. line3 = 222.222.222.0/24 ( a VIP mapping - 222.222.222.22-NATed-10.16.6.35 )

the SDWAN service for these 3 lines: mode (load-balance, hash-mode=round-robin)

A customer IP : 134.96.54.129

"session clashed" is found as the below:

1: date=2022-10-25 time=12:22:50 eventtime=1666671770025306040 tz="+0800" logid="0100020085" type="event" subtype="system" level="information" vd="root" logdesc="Session clashed" status="clash" proto=6 msg="session clash"
new_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 134.96.54.129:29656->111.111.111.11:18889(10.16.6.35:18889) dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(111.111.111.11:18889)"
old_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 134.96.54.129:29656->222.222.222.22:18889(10.16.6.35:18889) dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(222.222.222.22:18889)"

Any advise/recommendation ?

Many thanks in advance.

BensonLEI

alif · ‎10-27-2022

Hi @BensonLEI

It's actually good to have session clash messages generated as it allows to know if NAT port exhaustion is happening. AFAIK, there is no way to disable these messages.

Regards,
SFA

View solution in original post

jintrah_FTNT · ‎10-25-2022

Hi,

Here the source port and destination port are same in both the sessions orginated from 134.96.54.129 causing the clash, as NAT table would not be able to differentiate and determine the return traffic from each VIP if it existed together to forward to the same source. You should ideally check options to fix the source to generate some randomness if it needed to simultaneously create (2 or more) sessions or have one session at a time using the same sport and dport.

Best regards,

Jin

BensonLEI · ‎10-26-2022

Hi, Jin,

Thanks so much for your advise.

May I know if any configuration to fix this problem in Fortigate, since internet users can not be configured/controlled ?

Thanks a lot

BensonLEI

jintrah_FTNT · ‎10-26-2022

Hi,

Please see Technical Tip: Explanation of the session clash me... - Fortinet Community , at somepoint there may be same tuple formation and may be unavoidable from uncontrollable users from internet generating traffic at the sametime, but then the source may reconnect again using different source port.

best regards,

Jin

BensonLEI · ‎10-26-2022

Hi, Jin,

In Fortigate, any configuration about allowing one sport one time only; or other configuration is helpful to prevent this issue, thx ?

With regards

BensonLEI

alif · ‎10-26-2022

Fortigate is allowing only one connection from one source port at a time. Therefore, the old session will be closed and replaced by new session when session clash happens.

Regards,
SFA

BensonLEI · ‎10-26-2022

Hi, Alif,

Great to hear this.

May I know the way to achieve this (or how to remove the "session clashed message", that is something scared to management), in Fortigate ( I am currently using FortiOS v7.0.3) ?

With regards

BensonLEI

alif · ‎10-27-2022

Hi @BensonLEI

It's actually good to have session clash messages generated as it allows to know if NAT port exhaustion is happening. AFAIK, there is no way to disable these messages.

Regards,
SFA

BensonLEI · ‎10-27-2022

It is great appreciated for your detailed explanation.

alif · ‎10-29-2022

If you would like to disable particular log entry, please check the below link.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Prevent-a-log-from-being-generated/ta-p/18...

Regards,
SFA

"session clashed" issue in SDWAN configuration

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website