BensonLEI

"session clashed" issue in SDWAN configuration

Hi guys,

I am using a FortiGate 400E with FortiOS v7.0.3, in an SD-WAN configuration of 3 internet lines. The line information is the following:

1. line1 = 100.100.100.0/24 (a VIP mapping: 100.100.100.10 NATed to 10.16.6.35)
2. line2 = 111.111.111.0/24 (a VIP mapping: 111.111.111.11 NATed to 10.16.6.35)
3. line3 = 222.222.222.0/24 (a VIP mapping: 222.222.222.22 NATed to 10.16.6.35)

The SD-WAN service for these 3 lines: mode load-balance, hash-mode round-robin.

A customer IP: 134.96.54.129

"Session clashed" is found as below:

1: date=2022-10-25 time=12:22:50 eventtime=1666671770025306040 tz="+0800" logid="0100020085" type="event" subtype="system" level="information" vd="root" logdesc="Session clashed" status="clash" proto=6 msg="session clash"
new_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 134.96.54.129:29656->111.111.111.11:18889(10.16.6.35:18889) dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(111.111.111.11:18889)"
old_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 134.96.54.129:29656->222.222.222.22:18889(10.16.6.35:18889) dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(222.222.222.22:18889)"

Any advice/recommendations?

Many thanks in advance.

BensonLEI

jintrah_FTNT (Staff)

Hi,

Here the source port and destination port are the same in both sessions originating from 134.96.54.129, which causes the clash, as the NAT table would not be able to differentiate and determine the return traffic from each VIP if both existed together, in order to forward it to the same source. You should ideally check options to fix the source so that it generates some randomness if it needs to simultaneously create (2 or more) sessions, or have only one session at a time using the same sport and dport.

Best regards,

Jin

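To make Jin's point concrete, here is an added example (not from this thread and not a Fortinet tool) in Python that parses the session-clash line from the first post and classifies the clash. It pulls the dir=0 tuple out of new_status and old_status and reports whether the two sessions are the same client socket reaching the same internal host through two different VIPs (the case here) or a client reusing its source port towards the same VIP. The field layout is taken from the quoted log line; the pattern names are this example's own, and the second and third sample lines are constructed.

```python
# Parse FortiOS "session clash" event-log lines and name the clash pattern.
# Added example for this thread, not a Fortinet tool; layout follows the quoted log line.
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional, Tuple

# Forward (dir=0) tuple inside new_status/old_status, as in the quoted log line:
#   src:sport->dst:dport(nat_dst:nat_dport)
_TUPLE_RE = re.compile(
    r"dir=0 act=\d+ hook=\d+ "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\((?P<nat_dst>[\d.]+):(?P<nat_dport>\d+)\)"
)
_STATUS_RE = re.compile(r'(new|old)_status="([^"]*)"')

class Tuple5(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    nat_dst: str
    nat_dport: int

def _parse_tuple(status: str) -> Optional[Tuple5]:
    m = _TUPLE_RE.search(status)
    if m is None:
        return None
    g = m.groupdict()
    return Tuple5(g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                  g["nat_dst"], int(g["nat_dport"]))

def parse_clash(line: str) -> Optional[Tuple[Tuple5, Tuple5]]:
    """Return the (new, old) forward tuples of a session-clash line, None otherwise."""
    if 'msg="session clash"' not in line:
        return None
    statuses = dict(_STATUS_RE.findall(line))
    new = _parse_tuple(statuses.get("new", ""))
    old = _parse_tuple(statuses.get("old", ""))
    if new is None or old is None:
        return None
    return new, old

def classify(clash: Tuple[Tuple5, Tuple5]) -> str:
    """Name the pattern behind a clash (names are this example's own, not FortiOS terms)."""
    new, old = clash
    same_socket = (new.src, new.sport) == (old.src, old.sport)
    same_service = new.dport == old.dport
    same_real_server = (new.nat_dst, new.nat_dport) == (old.nat_dst, old.nat_dport)
    if same_socket and same_service and same_real_server and new.dst != old.dst:
        # The thread's case: one client socket, two public VIPs, one internal host.
        return "same_client_socket_via_different_vips"
    if same_socket and same_service and new.dst == old.dst:
        # Client reused its source port to the same VIP before the old session aged out.
        return "client_sport_reuse_same_vip"
    return "other"

def summarize(lines: Iterable[str]) -> Tuple[Counter, Counter]:
    """Count clash patterns and the client IPs that produce them."""
    by_pattern: Counter = Counter()
    by_client: Counter = Counter()
    for line in lines:
        clash = parse_clash(line)
        if clash is None:
            continue  # not a session-clash event, or an unexpected layout
        by_pattern[classify(clash)] += 1
        by_client[clash[0].src] += 1
    return by_pattern, by_client

# Sample input. Line 0 is the log line quoted in the original post (eventtime/tz fields
# dropped); lines 1 and 2 are constructed: a same-VIP port reuse and a non-clash event.
SAMPLE_LOGS = [
    'date=2022-10-25 time=12:22:50 logid="0100020085" type="event" subtype="system" '
    'logdesc="Session clashed" status="clash" proto=6 msg="session clash" '
    'new_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 '
    '134.96.54.129:29656->111.111.111.11:18889(10.16.6.35:18889) dir=1 act=1 hook=4 '
    '10.16.6.35:18889->134.96.54.129:29656(111.111.111.11:18889)" '
    'old_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 '
    '134.96.54.129:29656->222.222.222.22:18889(10.16.6.35:18889) dir=1 act=1 hook=4 '
    '10.16.6.35:18889->134.96.54.129:29656(222.222.222.22:18889)"',
    'date=2022-10-25 time=12:23:01 logid="0100020085" type="event" subtype="system" '
    'logdesc="Session clashed" status="clash" proto=6 msg="session clash" '
    'new_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 '
    '134.96.54.129:40111->111.111.111.11:18889(10.16.6.35:18889) dir=1 act=1 hook=4 '
    '10.16.6.35:18889->134.96.54.129:40111(111.111.111.11:18889)" '
    'old_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 '
    '134.96.54.129:40111->111.111.111.11:18889(10.16.6.35:18889) dir=1 act=1 hook=4 '
    '10.16.6.35:18889->134.96.54.129:40111(111.111.111.11:18889)"',
    'date=2022-10-25 time=12:23:05 type="event" subtype="system" '
    'logdesc="Admin login successful" msg="Administrator admin logged in successfully"',
]

if __name__ == "__main__":
    patterns, clients = summarize(SAMPLE_LOGS)
    for name, count in patterns.most_common():
        print(f"{count:4d}  {name}")
    print("clients:", dict(clients))
```

Run over an exported event log (one entry per line) this gives a count per pattern and per client IP. A steady trickle of the first pattern from many clients across the three VIPs matches what this thread describes; a spike concentrated in one pattern or on one client is what to look at before concluding that NAT port exhaustion is the cause.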
BensonLEI

Hi Jin,

Thanks so much for your advice.

May I know if there is any configuration to fix this problem in the FortiGate, since internet users cannot be configured or controlled?

Thanks a lot.

BensonLEI

jintrah_FTNT

Hi,

Please see Technical Tip: Explanation of the session clash me... - Fortinet Community. At some point the same tuple may be formed, and this may be unavoidable with uncontrollable users from the internet generating traffic at the same time, but then the source may reconnect again using a different source port.

Best regards,

Jin

BensonLEI

Hi Jin,

In the FortiGate, is there any configuration that allows one source port only once at a time, or any other configuration that would help prevent this issue? Thanks.

With regards

BensonLEI

alif

The FortiGate allows only one connection from one source port at a time. Therefore, the old session will be closed and replaced by the new session when a session clash happens.

Regards,
SFA

BensonLEI

Hi Alif,

Great to hear this.

May I know the way to achieve this (or how to remove the "session clashed" message, which is something scary to management) in the FortiGate (I am currently using FortiOS v7.0.3)?

With regards

BensonLEI

alif

Hi @BensonLEI,

It's actually good to have session clash messages generated, as it lets you know if NAT port exhaustion is happening. AFAIK, there is no way to disable these messages.

Regards,
SFA

BensonLEI

Your detailed explanation is greatly appreciated.

alif

If you would like to disable a particular log entry, please check the link below.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Prevent-a-log-from-being-generated/ta-p/18...

Regards,
SFA