gvasquezn
New Contributor II

Error tcp-rst-from-client

Hello, I have a problem with my FortiGate VM firewall. Some of my users at a remote warehouse connect properly, but after 5 seconds the connection drops. It only happens at this warehouse. The policy permits traffic to the VPN host on port 10443, and as I can see in the logs, it has matched both in and out.

We have a FortiGate VM (FGVM).

[Two screenshots attached: imagen (17).png, imagen (16).png]

abarushka
Staff

Hello,

I would recommend sniffing the traffic with "diag sniffer packet any 'host <destination IP address>' 6 0 a". It may give a hint as to why the client is sending the RST packet.
gvasquezn
New Contributor II

Where should I run this diag: on my FortiAuthenticator, or on the host where I get the reset from the client?

abarushka

Hello,

On the FortiGate side (VDOM level if applicable).
Sheikh
Staff

Hello @gvasquezn

Try increasing the timeout value in the matching firewall policy and see if that helps.

# config firewall policy
# edit 1
# set session-ttl 1500
# end

regards,

Sheikh

**If you come across a resolution, kindly show your appreciation by liking and accepting it, ensuring its accessibility for others**
gvasquezn
New Contributor II

This gave me this message:

FGVM4VTM23001983 (policy) # edit 1
new entry '1' added

FGVM4VTM23001983 (1) # set session-ttl 1500

FGVM4VTM23001983 (1) # end
Attribute 'srcintf' MUST be set.
Command fail. Return code -56

pminarik
Staff

The firewall policy itself allowed the traffic, otherwise client-RST could not happen.
Check if you have any relevant UTM profiles enabled in that policy (ID 196 based on the log).

If none, then the FortiGate is unlikely to be at fault. You will need to run a packet capture on both sides (as abarushka suggested) and figure out what's wrong at the application layer.

Given the number of packets sent, my initial random guess would be some issue during early TLS handshake. Not enough bytes for a certificate to be finished sending over, so maybe mismatch in TLS version and/or ciphersuite? Anyway, the pcap will hopefully answer that.

[ corrections always welcome ]
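The sniffer output abarushka asked for, and the "how many bytes got through before the RST" reasoning in pminarik's reply, can be checked mechanically instead of by eye. The following Python is an added example written for this thread (it is not code from any of the posters or from Fortinet): it parses the per-packet summary lines that `diag sniffer packet any '...' 6 0 a` prints, groups them into TCP connections, and reports for each connection which side sent the RST, how long after the SYN it came, and how many payload bytes each side had sent by then. Everything in it is an assumption or a construction: the sample capture is made up (10.0.0.5 is a client that gets reset about five seconds in, 10.0.0.6 is a client whose connection completes normally), the line format assumed is the usual "timestamp interface in/out src.port -> dst.port: flags" summary with absolute timestamps, and the hex-dump lines that verbosity 6 adds are assumed to start with an offset such as `0x0000` and are skipped.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample capture (not real traffic). It mimics the summary lines of
#   diag sniffer packet any 'host 192.0.2.10' 6 0 a
# on a FortiGate: absolute timestamp, interface, direction, src.port -> dst.port,
# then TCP flags with sequence info. Packets cross the FortiGate twice ("in" on
# one interface, "out" on another); the parser only counts the "in" copy.
SAMPLE = """\
interfaces=[any]
filters=[host 192.0.2.10]
2024-03-05 10:22:31.100000 port1 in 10.0.0.5.51234 -> 192.0.2.10.10443: syn 1000
0x0000\t 4500 003c 0000 4000 4006 0000 0a00 0005\tE..<..@.@.......
2024-03-05 10:22:31.100050 port2 out 10.0.0.5.51234 -> 192.0.2.10.10443: syn 1000
2024-03-05 10:22:31.120000 port2 in 192.0.2.10.10443 -> 10.0.0.5.51234: syn 5000 ack 1001
2024-03-05 10:22:31.120040 port1 out 192.0.2.10.10443 -> 10.0.0.5.51234: syn 5000 ack 1001
2024-03-05 10:22:31.140000 port1 in 10.0.0.5.51234 -> 192.0.2.10.10443: ack 5001
2024-03-05 10:22:31.141000 port1 in 10.0.0.5.51234 -> 192.0.2.10.10443: psh 1001:1518(517) ack 5001
2024-03-05 10:22:31.160000 port2 in 192.0.2.10.10443 -> 10.0.0.5.51234: psh 5001:6461(1460) ack 1518
2024-03-05 10:22:36.200000 port1 in 10.0.0.5.51234 -> 192.0.2.10.10443: rst 1518 ack 6461
2024-03-05 10:22:40.000000 port1 in 10.0.0.6.40000 -> 192.0.2.10.10443: syn 2000
2024-03-05 10:22:40.020000 port2 in 192.0.2.10.10443 -> 10.0.0.6.40000: syn 7000 ack 2001
2024-03-05 10:22:40.040000 port1 in 10.0.0.6.40000 -> 192.0.2.10.10443: ack 7001
2024-03-05 10:22:40.041000 port1 in 10.0.0.6.40000 -> 192.0.2.10.10443: psh 2001:2518(517) ack 7001
2024-03-05 10:22:40.060000 port2 in 192.0.2.10.10443 -> 10.0.0.6.40000: psh 7001:12001(5000) ack 2518
2024-03-05 10:22:45.000000 port1 in 10.0.0.6.40000 -> 192.0.2.10.10443: fin 2518 ack 12001
"""

# Assumed summary-line layout; hex-dump lines and the interfaces=/filters= header do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> (?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
PAYLOAD_RE = re.compile(r"\((\d+)\)")  # "1001:1518(517)" -> 517 bytes of payload


@dataclass
class Flow:
    client: str                      # side that sent the first SYN
    server: str
    syn_at: datetime
    packets: int = 0
    client_bytes: int = 0
    server_bytes: int = 0
    rst_at: Optional[datetime] = None
    rst_from: Optional[str] = None   # "client" or "server"

    def seconds_to_rst(self) -> Optional[float]:
        if self.rst_at is None:
            return None
        return (self.rst_at - self.syn_at).total_seconds()


def analyze(capture: str) -> List[Flow]:
    """Group sniffer summary lines into connections and record who reset them."""
    flows: Dict[frozenset, Flow] = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "in":
            continue  # header, hex dump, or the egress copy of a packet already counted
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        src = f"{m.group('sip')}:{m.group('sport')}"
        dst = f"{m.group('dip')}:{m.group('dport')}"
        rest = m.group("rest")
        flags = set(rest.split())        # flag words plus sequence numbers; membership test only
        key = frozenset((src, dst))      # same key for both directions of one connection
        if "syn" in flags and "ack" not in flags:
            flows.setdefault(key, Flow(client=src, server=dst, syn_at=ts))  # retransmitted SYN keeps the first
        flow = flows.get(key)
        if flow is None:
            continue  # mid-stream packet of a connection whose SYN was not captured
        flow.packets += 1
        pm = PAYLOAD_RE.search(rest)
        payload = int(pm.group(1)) if pm else 0
        if src == flow.client:
            flow.client_bytes += payload
        else:
            flow.server_bytes += payload
        if "rst" in flags and flow.rst_at is None:
            flow.rst_at = ts
            flow.rst_from = "client" if src == flow.client else "server"
    return list(flows.values())


def summarize(flow: Flow) -> str:
    base = (f"{flow.client} -> {flow.server}: {flow.packets} pkts, "
            f"client sent {flow.client_bytes} B, server sent {flow.server_bytes} B, ")
    if flow.rst_at is None:
        return base + "no RST seen"
    return base + f"RST from {flow.rst_from} {flow.seconds_to_rst():.3f}s after SYN"


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(summarize(f))
```

Paste the real sniffer output into SAMPLE (or read it from a file) and compare the resetting clients against a working one: a client RST that arrives after the ClientHello but before the server has finished sending a full certificate chain points at the TLS handshake, as pminarik guessed, while an RST after the handshake completes points at the application above it. If the RST only ever shows up on the "out" side of the FortiGate and never on the "in" side, something on the FortiGate itself generated it, which is the case the UTM-profile check is meant to rule out.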