Description
This article provides an explanation of the entry 'action=ip-conn' that may be seen in the traffic logs.
For example:
Aug 23 03:52:14 10.95.216.1 date=2016-08-23 time=03:52:14 devname=external-fgt-01 devid=FGXXXXXXXX logid=0000000011 type=traffic subtype=forward level=warning vd=root srcip=1.2.3.4 srcport=48641 srcintf="PUBLIC-VIP" dstip=4.3.2.1 dstport=80 dstintf="LOCAL-PORT" poluuid=342f44-adff-asdfasd-mujjh-5yghnhn56hhd sessionid=3025325172 proto=6 action=ip-conn policyid=2 appcat="unscanned" crscore=5 craction=262144 crlevel=low
Solution
The value 'ip-conn' in the log field description means that traffic was allowed, but then the session was closed as the FortiGate did not receive any reply packet, the result is 'IP connection error'.
This can occur if the connection to the remote server fails or if a timeout occurs.
Packet losses could be experienced due to a bad connection, traffic congestion or high memory and CPU utilization on either FortiGate or the host.
To troubleshoot this issue, run an extended ping test from the host to see if packet losses are going to be experienced:
# exe ping-options repeat-count 10000
# exe ping 8.8.8.8
Check the resource utilization on the FortiGate and do the equivalent on the host:
# diagnose hardware sysinfo memory
# get system performance status
# get system performance top
# diagnose system top
Run the following packet sniffer in the CLI:
# diagnose sniffer packet any host x.x.x.x and port 53
