fortigate ip connection
Hello few of our application which are hosted on our main DC are abruptly terminating their session. there is a FW in front of those application. branch and DC are connected via SDWAN. FW is fortigate and throwing "IP Connection error" for each abrupt disconnect of those application https://community.fortinet.com/t5/For... it seems like reply packet is missing so FW is disconnecting the session with connection error
i put sniffer infront of one of the application server and saw some issues starting from packet 29 please see a link below for capture. https://drive.google.com/file/d/1qxJh... around 15:24.8 i see ip connection error on firewall logs which sort of reflects the problem starting from packet 29. the interesting thing is ,, this is clear server-rst from packet capture standpoint but fw reports as ip connection error..not server -rst
packet 26 is graceful fin/ack...initially i thought that packet 27 and 28 never makes it to server and thats why packet 29 is the reset but when i check the ack on packet 29 , i noticed that it is acking packet 28 with seq 2516 .. so i am really confused..And after packet 29 whole capture is problmatic. ...also noticed that 119 seconds its commonality for some sort of timer..i checked few of them and they all have this 119 seconds timer and then have same behavior .. one strange thing is packet 31 has strange ack no.. not sure how it shows up..because couldn't relate to other side.. and then its keep doing it.. one thing for sure clients fin-ack do not get ack from server .. but instead we see weird sequence no. packet going out. may be that is reason FW is erroring it.
i have this behavior whenever there is a ip connection error on FW. I am trying to find out what is the root cause. but from this capture it seems like we are loosing some packet but couldn't pin point exactly. does anyone has any thoughts. thanks
Looks like a "half-closed" connection - TCP client responses with no FIN
It would help to have a capture on both ends to see if the client is sending the
FIN
and if so, is the firewall holding the connection half open.yeah agree .. make sense to have capture both sides. but its not possible. but if you look at the sequence no. based on that it seems like fin-ack from client is not getting responded from server. also server is responding with some strnage ack. what about that.. any thoughts on that
Normal client/server stuff here.
8 seconds of inactivity - server want to close the connection.
(more)There is no client
FIN
in frames 25-28.yeah it seems like packet 29 is rst-flag from sever due to client not responding from its side with fin-ack.. in that case i would see server-rst on FW but i dont.. which is strange but also what about those weird ack from server
Which frame(s) are "weird ack from server"?