ycho, Staff
Article Id 197497
Description
This article describes how to determine why server-client sessions are not terminated normally even though FortiGate sends an RST packet because of the 'timeout-send-rst' setting, and how to make them terminate normally.

Solution
1) In a server -> FortiGate -> client configuration, if the session timeout value defined on the FortiGate expires while no TCP keep-alive packets are exchanged between the server and the client, both the client and the server fail with a socket error and no longer provide normal service.

2) Use the 'timeout-send-rst' command to force termination of the session on both the server and the client.

3) However, as shown in the capture below, the RST packet may be sent with a sequence number of 1. This is why the client and server session does not end normally.

If a session times out and 'set timeout-send-rst enable' is active, the FortiGate sends a 'TCP RST' packet to both sides (client and server).

The sequence number within the packet matches the sequence number stored in the session table, which is not the correct sequence number for the session.
Therefore, the two participants ignore the RST packets.
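To show why an RST with a stale sequence number is ignored, the following added example (not part of the article or of FortiOS) models the receiver-side RST check of RFC 5961 section 3.2: an RST outside the receive window is silently dropped, one exactly at RCV.NXT resets the connection, and one inside the window but not at RCV.NXT only triggers a challenge ACK. The session state values are constructed for illustration.

```python
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit, so compare modulo 2**32


@dataclass
class TcpReceiver:
    """Receive-side state of an established TCP endpoint (RFC 793 names)."""
    rcv_nxt: int   # next sequence number this endpoint expects from its peer
    rcv_wnd: int   # receive window it currently advertises

    def in_window(self, seq: int) -> bool:
        # A zero window only accepts the exact next sequence number.
        if self.rcv_wnd == 0:
            return seq == self.rcv_nxt
        return ((seq - self.rcv_nxt) & SEQ_MASK) < self.rcv_wnd

    def handle_rst(self, seq: int) -> str:
        """Outcome of an incoming RST carrying sequence number `seq` (RFC 5961 3.2)."""
        if not self.in_window(seq):
            return "dropped"        # silently ignored: the socket stays open
        if seq == self.rcv_nxt:
            return "reset"          # connection torn down, application sees ECONNRESET
        return "challenge-ack"      # in window but not exact: peer must prove the RST


# Constructed mid-connection state for both ends (illustrative values only).
CLIENT = TcpReceiver(rcv_nxt=0x5A8C1F02, rcv_wnd=65535)
SERVER = TcpReceiver(rcv_nxt=0x9D447B10, rcv_wnd=29200)


def stale_session_table_rst() -> dict:
    """RST sent with sequence number 1, as seen in the article's capture."""
    return {"client": CLIENT.handle_rst(1), "server": SERVER.handle_rst(1)}


def tracked_rst() -> dict:
    """RST built from live seq/ack tracking, i.e. what each side expects next."""
    return {"client": CLIENT.handle_rst(CLIENT.rcv_nxt),
            "server": SERVER.handle_rst(SERVER.rcv_nxt)}


if __name__ == "__main__":
    print("RST with seq=1:", stale_session_table_rst())
    print("RST with tracked seq:", tracked_rst())
```

The same check explains the offloading case in step 4: without seq/ack tracking the firewall cannot build an RST that lands at RCV.NXT on either side.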

4) If the session is offloaded, the seq/ack numbers are not tracked, so the RST packet cannot be generated correctly.
If NP offloading is enabled, only the TCP session setup (SYN, SYN-ACK, ACK) is handled by the CPU; the session is then transferred to the NP.
Therefore, offloading must be disabled to use the 'timeout-send-rst' feature.

After disabling offloading, verify that the RST packet is generated with the correct sequence number and that the sockets on both sides are closed normally.
Related Articles

Technical Note: Configure the FortiGate to send TCP RST packet on session timeout