Hi, guys,
I am using a Fortigate 400E with FortiOS v7.0.3, with an SDWAN configuration of 3 internet lines; the line information is as follows:
1. line1 = 100.100.100.0/24 ; ( a VIP mapping - 100.100.100.10-NATed-10.16.6.35 )
2. line2 = 111.111.111.0/24 ; ( a VIP mapping - 111.111.111.11-NATed-10.16.6.35 )
3. line3 = 222.222.222.0/24 ( a VIP mapping - 222.222.222.22-NATed-10.16.6.35 )
The SDWAN service for these 3 lines: mode (load-balance, hash-mode=round-robin)
A customer IP: 134.96.54.129
A "session clashed" event is found, as below:
1: date=2022-10-25 time=12:22:50 eventtime=1666671770025306040 tz="+0800" logid="0100020085" type="event" subtype="system" level="information" vd="root" logdesc="Session clashed" status="clash" proto=6 msg="session clash"
new_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 134.96.54.129:29656->111.111.111.11:18889(10.16.6.35:18889) dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(111.111.111.11:18889)"
old_status="state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 134.96.54.129:29656->222.222.222.22:18889(10.16.6.35:18889) dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(222.222.222.22:18889)"
Any advice/recommendation?
Many thanks in advance.
BensonLEI
Hi,
Here the source port and destination port are the same in both sessions originating from 134.96.54.129, causing the clash, as the NAT table would not be able to differentiate and determine the return traffic from each VIP if both existed together, in order to forward it to the same source. You should ideally check options to fix the source so that it generates some randomness if it needs to simultaneously create (2 or more) sessions, or have only one session at a time using the same sport and dport.
Best regards,
Jin
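To make Jin's point concrete, here is an added example (not code from the thread or from Fortinet) in Python that parses the two tuple strings from the "Session clashed" event above and shows that, after translation, the reply-direction tuples of the old and new session are identical. The `dir=0`/`dir=1` reading as original/reply direction and the classification labels are my own assumptions.

```python
import re

# Constructed sample input: the new_status / old_status tuple strings
# copied from the session clash event quoted in the thread.
NEW_STATUS = ("state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 "
              "134.96.54.129:29656->111.111.111.11:18889(10.16.6.35:18889) "
              "dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(111.111.111.11:18889)")
OLD_STATUS = ("state=00010200 tuple-num=2 policyid=85 dir=0 act=2 hook=0 "
              "134.96.54.129:29656->222.222.222.22:18889(10.16.6.35:18889) "
              "dir=1 act=1 hook=4 10.16.6.35:18889->134.96.54.129:29656(222.222.222.22:18889)")

# One tuple per direction: "dir=N act=A hook=H src->dst(translated)".
TUPLE_RE = re.compile(
    r"dir=(?P<dir>\d)\s+act=\d+\s+hook=\d+\s+"
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\((?P<nat>[\d.]+:\d+)\)")


def parse_tuples(status):
    """Return {dir: (src, dst, translated)} for each direction in a *_status string."""
    return {int(m.group("dir")): (m.group("src"), m.group("dst"), m.group("nat"))
            for m in TUPLE_RE.finditer(status)}


def reply_flow(tuples):
    """Reply-direction flow as seen from the real server: (server src, client dst).
    Assumption: dir=1 is the reply direction and its parenthesised address is the
    VIP used to translate the reply on its way back out."""
    src, dst, _ = tuples[1]
    return (src, dst)


def classify_clash(new_status, old_status):
    """Label why the two sessions collide (labels are this example's own)."""
    new, old = parse_tuples(new_status), parse_tuples(old_status)
    same_vip = new[0][1] == old[0][1]            # client hit the same public VIP?
    same_reply = reply_flow(new) == reply_flow(old)  # identical post-NAT reply tuple?
    if same_reply and not same_vip:
        # Same client sport/dport reaching the same real server through two VIPs:
        # the firewall cannot tell the two return flows apart.
        return "vip-overlap"
    if same_reply and same_vip:
        return "same-tuple-reuse"
    return "other"


if __name__ == "__main__":
    print(reply_flow(parse_tuples(NEW_STATUS)), classify_clash(NEW_STATUS, OLD_STATUS))
```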
Hi, Jin,
Thanks so much for your advice.
May I know if there is any configuration to fix this problem in Fortigate, since internet users cannot be configured/controlled?
Thanks a lot
BensonLEI
Created on 10-26-2022 01:19 AM Edited on 10-26-2022 01:32 AM
Hi,
Please see Technical Tip: Explanation of the session clash me... - Fortinet Community. At some point the same tuple may be formed, and this may be unavoidable with uncontrollable users on the internet generating traffic at the same time, but then the source may reconnect again using a different source port.
Best regards,
Jin
Hi, Jin,
In Fortigate, is there any configuration for allowing one sport at a time only, or any other configuration that would help prevent this issue? Thx.
With regards
BensonLEI
Fortigate allows only one connection from one source port at a time. Therefore, the old session will be closed and replaced by the new session when a session clash happens.
Created on 10-26-2022 06:48 PM Edited on 10-26-2022 06:51 PM
Hi, Alif,
Great to hear this.
May I know the way to achieve this (or how to remove the "session clashed" message, which is something that scares management) in Fortigate (I am currently using FortiOS v7.0.3)?
With regards
BensonLEI
Hi @BensonLEI
It's actually good to have session clash messages generated as it allows to know if NAT port exhaustion is happening. AFAIK, there is no way to disable these messages.
Your detailed explanation is greatly appreciated.
If you would like to disable a particular log entry, please check the below link.