Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
HA
Contributor

Fortigate running 5.4.4 drop packet with SYN+ECN+CWR flags enabled

Hello,

 

One of our customers migrate from 5.2.10 to 5.4.4.

After this migration, packets with SYN+ECN+CWR flags set were silently drops by the Firewall.

In order to solve this issue, we had to disable ECN congestion on the client.

https://ask.wireshark.org/questions/32067/many-many-tcp-out-of-order-dup-acks-and-retransmissions

Netsh interface tcp set global ecncapability=disabled

 

Is it a known issue with Fortigate FW ??

Any command to disable this check ??

 

Regards,

 

HA

 

 

 

2 Solutions
HA

Hi,

 

Only workaround is to disable Offloading (to the ASIC) on IPsec interface.

 

Regards,

 

HA

View solution in original post

ChrisDavis
New Contributor II

I've been told (but so far not been able to test fully) that the bug has been fixed in 5.4.5.

 

Well to be accurate our account management tech support said the dev's have not been able to re-produce the bug in 5.4.5, so sounds like the fix is a by -product of annother bug fix.

 

As I said I haven't tested it yet so if you try it, let us know.  Our 100Es on 5.4.4 are in production so I don't want to install 5.4.5 until it's been out for a little while longer and I can have some confidence that there aren't other issues. 5.4.5 seems fine on our development kit at the moment to be fair.

View solution in original post

11 REPLIES 11
emnoc
Esteemed Contributor III

under config sys global what do you have for protocol checks

 

e.g

 

 set check-protocol-header loose  or strict

 

 

I would start at that point. Since the SYN packets have the tcp-options, we need a way to fix up  TCP-SYN or SYN-ACKs. Most open source firewall have the means to scrub or clean tcp.flags  iptables,PF,etc.....

 

 

http://socpuppet.blogspot...ring-bad-tcpflags.html

 

 

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
HA
Contributor

Hi,

 

First, thanks for your help.

Unfortunately, check-protocol-header is already set to 'loose'...

anti-replay         : disable

asymroute           : enable

tcp-session-without-syn: enable

 

Any other idea ??

ChrisDavis
New Contributor II

Hi

We have the same thing.

 

It's a confirmed bug, specifically

"Bug #0240576 : NP6 packet sanity check considers wrongly SYN with ECN and/or CWR as an incorrect packet."

 

Disabling ECN works but that's not a very useful work around when dealing with third parties.

Makes VPNs with 5.4.4 mostly useless. 

HA

Hi Chris,

 

Thanks for the info !

Two questions now.

Does this bug affect all FortiOS release or is it limited to 5.4.4 ?

Where can I find a bug list of Fortigate device ??

 

Regards,

 

HA

ChrisDavis
New Contributor II

I'm afraid I don't have that information.

AFAIK Fortinet do not publish their bug list unlike say Cisco (to be fair even Cisco don't publish all their bugs).

You will have to push your account manager if you have one or raise a support case if you can.

 

 

Robin_Svanberg

Anyone with more details regarding this bug?

Can´t see anything in the release notes for 5.4.5.

 

Experiencing the same issue over an IPSEC between a Fortigate 1500D (NP6) running 5.4.5 and one 100E (SoC) running 5.4.4.

 

Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden

 

robin.svanberg@ethersec.se

Robin Svanberg Network Consultant @ Ethersec AB in Östersund, Sweden robin.svanberg@ethersec.se
HA

Hi,

 

Only workaround is to disable Offloading (to the ASIC) on IPsec interface.

 

Regards,

 

HA

ChrisDavis
New Contributor II

I've been told (but so far not been able to test fully) that the bug has been fixed in 5.4.5.

 

Well to be accurate our account management tech support said the dev's have not been able to re-produce the bug in 5.4.5, so sounds like the fix is a by -product of annother bug fix.

 

As I said I haven't tested it yet so if you try it, let us know.  Our 100Es on 5.4.4 are in production so I don't want to install 5.4.5 until it's been out for a little while longer and I can have some confidence that there aren't other issues. 5.4.5 seems fine on our development kit at the moment to be fair.

rv
New Contributor

We are running 5.4.5 on 60E/200E/80E -> issues persists. ENC flagged packets over Ipsec tunnels are discarded.

Planning upgrade to 5.4.7 soon. Wonder if anybody tested if it is fixed there?

Labels
Top Kudoed Authors