Source NAT with peculiar server-rst behavior
Hello all, hoping someone has seen this one before and could shed some light on it.
We have a Fortigate 500E that is performing NAT on a policy, downstream from this FG is another firewall, when a client opens a session out, we see the session/flow exist on both firewalls and correct bidirectional traffic, great.
Now the issue comes along where if the FG 500E receives a RST packet from the server, to abort the connection it closes it's NAT translation but does not
relay that RST packet downstream towards the client, as such the flow/session on the downstream firewall remains active and the client believes the connection is still active, causing an application to hang/timeout instead of knowing about the disconnect.
We have confirmed via tap/capture between the FG 500E and the downstream firewall that the fortigate is never sending on that RST, instead it just ceases forwarding traffic so the client nor firewall never knows the connection is dead.
IPS is on in monitor mode, Fortinet support suggested turning this off, so we're going to do that on this policy and see if that makes a difference...., other than that there's nothing funny in play, standard NAT policy and it all works normally unless a RST is received from the server side ( we know this is an issue too and the vendor in question is working on that, we should be seeing a FIN on a normal close, their app is crashing ).
post edited by mgob1985 - 2020/11/30 13:48:10