oamin
Article Id 190880

Description


The message 'no session matched' appears in debug flow output when the session table contains no entry for the packet being processed.

One possible cause is that the session was closed by the 'tcp-halfclose-timer' before all data for that session had been sent.


id=13 trace_id=101 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=6, 172.16.189.1:63620->172.16.199.100:8888) from lan."
id=13 trace_id=101 func=vf_ip4_route_input line=1603 msg="find a route: gw-172.16.199.100 via lan"
id=13 trace_id=101 func=fw_forward_dirty_handler line=309 msg="no session matched"
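On a busy unit the debug flow output runs to many trace_ids, so it helps to pull out only the flows that ended this way and see which destination ports they hit. The script below is an added example, not part of the original article; it parses the field layout shown above (id=, trace_id=, func=, line=, msg="...") on a constructed sample capture and reports each trace that ended in 'no session matched' together with the 5-tuple and ingress interface from its first line.

```python
import re
from collections import defaultdict

# Constructed sample of 'diagnose debug flow' output; trace_id 101 mirrors the
# lines quoted in the article, trace_id 102 is a flow that did match a session.
SAMPLE_FLOW = """\
id=13 trace_id=101 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=6, 172.16.189.1:63620->172.16.199.100:8888) from lan."
id=13 trace_id=101 func=vf_ip4_route_input line=1603 msg="find a route: gw-172.16.199.100 via lan"
id=13 trace_id=101 func=fw_forward_dirty_handler line=309 msg="no session matched"
id=13 trace_id=102 func=resolve_ip_tuple_fast line=4299 msg="vd-root received a packet(proto=6, 172.16.189.1:63621->172.16.199.100:443) from lan."
id=13 trace_id=102 func=resolve_ip_tuple_fast line=4313 msg="Find an existing session, id-0000abcd, original direction"
"""

# key=value pairs; the value is either a double-quoted string (msg) or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# 5-tuple and ingress interface inside the 'received a packet(...)' message
TUPLE_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')


def parse_line(line):
    """Split one debug-flow line into a dict of fields, stripping quotes from msg."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_unmatched_sessions(text):
    """Return one record per trace_id whose trace contains 'no session matched'.

    The 5-tuple is taken from the first line of the trace (the 'received a
    packet' message); traces without a parsable tuple are skipped.
    """
    traces = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            traces[rec["trace_id"]].append(rec)

    results = []
    for trace_id, recs in traces.items():
        if not any(r["msg"] == "no session matched" for r in recs):
            continue
        m = TUPLE_RE.search(recs[0]["msg"])
        if not m:
            continue
        proto, src, sport, dst, dport, intf = m.groups()
        results.append({"trace_id": trace_id, "proto": int(proto),
                        "src": f"{src}:{sport}", "dst": dst,
                        "dport": int(dport), "intf": intf})
    return results


if __name__ == "__main__":
    for r in find_unmatched_sessions(SAMPLE_FLOW):
        print(f"trace {r['trace_id']}: {r['src']} -> {r['dst']}:{r['dport']} "
              f"proto {r['proto']} from {r['intf']} had no session")
```

Counting the reported dport values tells you which service definitions (here TCP 8888) are candidates for a longer half-close timer before you change anything.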


tcp-halfclose-timer:
This setting defines how many seconds the FortiGate unit waits before closing a session after one peer has sent a FIN packet and the other has not responded.

The valid range is from 1 to 86400 seconds.

By default in FortiOS, tcp-halfclose-timer is 120 seconds.


config system global
    set tcp-halfclose-timer <integer>
end

 

Scope

 

FortiGate.

 

Solution


The following steps show how to extend the TCP half-close timer for port 8888.

1) Create a custom firewall service for TCP port 8888 and set the required tcp-halfclose-timer on it:


config firewall service custom
    edit "TCP-8888"
        set tcp-portrange 8888
        set tcp-halfclose-timer 3600
    next
end


2) Use this custom service in all relevant policies:


config firewall policy
    edit 55
        set srcintf "lan"
        set dstintf "port7"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "TCP-8888"
        set logtraffic all
    next
end


The service's tcp-halfclose-timer is applied to the session itself, so it takes effect regardless of which end initiates the half-close.

Note:

The TCP half-close timer can be changed for other ports on the FortiGate in the same way.

For example, the following configuration changes it for the HTTPS service:

 

config firewall service custom
    edit "HTTPS"
        set tcp-portrange 443
        set tcp-halfclose-timer 3600
    next
end

 

This service can then be referenced in the relevant firewall policies as required.