Source NAT with peculiar server-rst behavior | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!Source NAT with peculiar server-rst behavior

Author Post Essentials Only Full Version
mgob1985 New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2020/11/30 13:20:40 Status: offline 2020/11/30 13:29:51 (permalink) 6.2 0 Source NAT with peculiar server-rst behavior Hello all, hoping someone has seen this one before and could shed some light on it. We have a Fortigate 500E that is performing NAT on a policy, downstream from this FG is another firewall, when a client opens a session out, we see the session/flow exist on both firewalls and correct bidirectional traffic, great. Now the issue comes along where if the FG 500E receives a RST packet from the server, to abort the connection it closes it's NAT translation but does not relay that RST packet downstream towards the client, as such the flow/session on the downstream firewall remains active and the client believes the connection is still active, causing an application to hang/timeout instead of knowing about the disconnect. We have confirmed via tap/capture between the FG 500E and the downstream firewall that the fortigate is never sending on that RST, instead it just ceases forwarding traffic so the client nor firewall never knows the connection is dead. IPS is on in monitor mode, Fortinet support suggested turning this off, so we're going to do that on this policy and see if that makes a difference...., other than that there's nothing funny in play, standard NAT policy and it all works normally unless a RST is received from the server side ( we know this is an issue too and the vendor in question is working on that, we should be seeing a FIN on a normal close, their app is crashing ). Any ideas? post edited by mgob1985 - 2020/11/30 13:48:10 #1 3 Replies Related Threads
Alexis_Esp New Member Total Posts : 10 Scores: 0 Reward points: 0 Joined: 2020/12/01 03:46:51 Status: offline Re: Source NAT with peculiar server-rst behavior 2020/12/01 08:00:18 (permalink) 0 Hello, I think it would be a good idea to remove security profiles, and add them to see if any are interfering. Have you made a debug flow? Do the logs give you any clues? Maybe you can get something out of it #2
mgob1985 New Member Total Posts : 3 Scores: 0 Reward points: 0 Joined: 2020/11/30 13:20:40 Status: offline Re: Source NAT with peculiar server-rst behavior 2020/12/02 06:20:19 (permalink) 0 Alexis_Esp Hello, I think it would be a good idea to remove security profiles, and add them to see if any are interfering. Have you made a debug flow? Do the logs give you any clues? Maybe you can get something out of it We removed IPS and inspection, the issue still occurs. We're thinking this is related to the firewall being on a stick, and source nat on the same NPU... it looks like this has been an issue in the past across multiple versions.... #3
Alexis_Esp New Member Total Posts : 10 Scores: 0 Reward points: 0 Joined: 2020/12/01 03:46:51 Status: offline Re: Source NAT with peculiar server-rst behavior 2020/12/02 06:35:08 (permalink) 0 Hello, you can edit some parameters of the NPUs if I remember correctly, and so you can isolate the problem. #4

Jump to:

© 2021 APG vNext Commercial Version 5.5