nithincs
Staff
Article Id 194173
Description
This article describes a potential root cause for traffic logs whose action is 'Accept: session close' or 'Accept: session timeout', and shows how to confirm it from the FortiGate session table.

Solution
Accept: session close

When the communication between a client and a server is idle, the expire counter (TTL) that the FortiGate keeps for that session decreases continuously.
Once the expire value reaches 0, the FortiGate removes the TCP session from its session table and generates a log with action 'Accept: session close'.

For example:
In the session information below, the FortiGate is maintaining a session for SSH traffic from 10.40.48.22 to 10.5.52.157.
The session timeout is 300 seconds, 286 seconds remain before it expires (expire=286), and the TCP state is ESTABLISHED (proto_state=01).

session info: proto=6 proto_state=01 duration=18 expire=286 timeout=300 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log dirty may_dirty f00
statistic(bytes/packets/allow_err): org=2392/18/1 reply=3324/19/1 tuples=2
tx speed(Bps/kbps): 127/1 rx speed(Bps/kbps): 177/1
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.40.31.254/10.40.48.22
hook=post dir=org act=snat 10.40.48.22:49936->10.5.52.157:22(10.40.16.20:49936)
hook=pre dir=reply act=dnat 10.5.52.157:22->10.40.16.20:49936(10.40.48.22:49936)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00002d67 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
Because the SSH communication went idle, the expire counter ran down to 0 (duration=606, expire=0) and the session state changed to CLOSE_WAIT (proto_state=07):
session info: proto=6 proto_state=07 duration=606 expire=0 timeout=300 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log dirty may_dirty f00 f02
statistic(bytes/packets/allow_err): org=6228/45/1 reply=7404/55/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.40.31.254/10.40.48.22
hook=post dir=org act=snat 10.40.48.22:49936->10.5.52.157:22(10.40.16.20:49936)
hook=pre dir=reply act=dnat 10.5.52.157:22->10.40.16.20:49936(10.40.48.22:49936)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=00002d67 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
total session 1

Listing the session table again shows that the session has been removed:

# dia sys session list
total session 0

In this scenario, the log generated by the FortiGate shows the action 'Accept: session close'.
===============================
Accept: session timeout
The client has sent a session-opening packet (SYN) but the server has not responded with a SYN/ACK. In this case the FortiGate waits for 'tcp-halfopen-timer' (set under 'config system global', default 10 seconds) and then closes the session.

For example:
Client 10.40.48.22 sends a SYN packet to establish an SSH connection to 10.5.52.157, but the server does not respond with a SYN/ACK.
The FortiGate session state is SYN_SENT (proto_state=02), and the session stays active only for the duration of 'tcp-halfopen-timer', even though the session entry still shows the policy session TTL (timeout=300).

Before the client connects, the session table is empty:

# dia sys session list
total session 0

# dia sniffer packet any "host 10.5.52.157" 4
interfaces=[any]
filters=[host 10.5.52.157]
7.465767 port2 in 10.40.48.22.50101 -> 10.5.52.157.22: syn 2409197349
7.465852 port1 out 10.40.16.20.50101 -> 10.5.52.157.22: syn 2409197349
10.473669 port2 in 10.40.48.22.50101 -> 10.5.52.157.22: syn 2409197349
10.473717 port1 out 10.40.16.20.50101 -> 10.5.52.157.22: syn 2409197349
16.473663 port2 in 10.40.48.22.50101 -> 10.5.52.157.22: syn 2409197349
16.473712 port1 out 10.40.16.20.50101 -> 10.5.52.157.22: syn 2409197349
The client retransmits the SYN (at roughly 7.5 s, 10.5 s and 16.5 s); the FortiGate forwards each one out of port1 after SNAT to 10.40.16.20, but no SYN/ACK comes back from the server. The session meanwhile looks like this:

session info: proto=6 proto_state=02 duration=18 expire=0 timeout=300 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=4
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log dirty may_dirty f00 f02
statistic(bytes/packets/allow_err): org=152/3/0 reply=236/3/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=4->3/3->4 gwy=10.40.31.254/10.40.48.22
hook=post dir=org act=snat 10.40.48.22:50101->10.5.52.157:22(10.40.16.20:50101)
hook=pre dir=reply act=dnat 10.5.52.157:22->10.40.16.20:50101(10.40.48.22:50101)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
serial=000037b2 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id = 00000000 ngfwid=n/a
dd_type=0 dd_mode=0
total session 1
In this scenario, the log generated by the FortiGate shows the action 'Accept: session timeout'.
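As an added example (not part of the original article and not Fortinet's own tooling), the following Python script parses saved 'diagnose sys session list' output, decodes the TCP proto_state digit with Fortinet's documented state table, and predicts which of the two log actions discussed in this article each session will produce. It covers both scenarios above: the idle ESTABLISHED/CLOSE_WAIT session whose expire counter reached 0, and the half-open SYN_SENT session. It assumes that the trailing proto_state digit is the TCP state (the leading digit is ignored), uses the FortiOS default tcp-halfopen-timer of 10 seconds unless another value is passed, and runs on a constructed sample assembled from the session dumps shown above.

```python
import re
from typing import Dict, List, Optional

# TCP proto_state values as documented by Fortinet for the output of
# 'diagnose sys session list'. The field is two digits; this example decodes
# only the trailing digit (01, 02 and 07 in the dumps above) and ignores the
# leading one. That simplification is an assumption of this example.
TCP_STATES = {
    0: "NONE", 1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_SYNACK",
    4: "FIN_WAIT", 5: "TIME_WAIT", 6: "CLOSE", 7: "CLOSE_WAIT",
    8: "LAST_ACK", 9: "LISTEN",
}

KV_RE = re.compile(r"(\w+)=(\S*)")
# 'hook=... dir=org act=snat SRC->DST(NATTED)': capture the pre-NAT src and dst.
ORG_HOOK_RE = re.compile(r"^hook=\w+ dir=org act=\w+ (\S+?)->(\S+?)(?:\(|$)")


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split 'diagnose sys session list' output into one dict per session."""
    sessions: List[Dict[str, str]] = []
    cur: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("session info:"):
            cur = dict(KV_RE.findall(line[len("session info:"):]))
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("hook="):
            m = ORG_HOOK_RE.match(line)
            if m:  # only the originator hook carries the addresses we want
                cur["src"], cur["dst"] = m.group(1), m.group(2)
        else:
            cur.update(KV_RE.findall(line))  # e.g. misc=0 policy_id=1 vd=0
    return sessions


def classify(sess: Dict[str, str], tcp_halfopen_timer: int = 10) -> Dict[str, object]:
    """Decode the TCP state and predict the log action the session will produce.

    tcp_halfopen_timer defaults to the FortiOS default (10 s, set under
    'config system global'); pass the configured value if it was changed.
    """
    proto = int(sess["proto"])
    expire = int(sess["expire"])
    timeout = int(sess["timeout"])
    state = TCP_STATES.get(int(sess["proto_state"][-1]), "UNKNOWN") if proto == 6 else "n/a"
    if proto == 6 and state == "SYN_SENT":
        # Client SYN seen but no SYN/ACK from the server: the half-open timer,
        # not the policy session TTL shown in 'timeout', removes the session.
        expected = "Accept: session timeout"
        note = f"half-open; dropped after tcp-halfopen-timer ({tcp_halfopen_timer}s)"
    elif expire == 0:
        expected = "Accept: session close"
        note = f"idle TTL expired (timeout={timeout}s, duration={sess['duration']}s)"
    else:
        expected = None
        note = f"active; {expire}s of {timeout}s TTL remaining"
    return {
        "src": sess.get("src"), "dst": sess.get("dst"),
        "policy_id": sess.get("policy_id"), "state": state,
        "expected_log_action": expected, "note": note,
    }


def report(text: str, tcp_halfopen_timer: int = 10) -> List[Dict[str, object]]:
    return [classify(s, tcp_halfopen_timer) for s in parse_sessions(text)]


# Constructed sample: abbreviated copies of the three session dumps shown in
# this article (CLOSE_WAIT with TTL expired, SYN_SENT, and ESTABLISHED).
SAMPLE = """\
session info: proto=6 proto_state=07 duration=606 expire=0 timeout=300 flags=00000000 use=4
state=log dirty may_dirty f00 f02
statistic(bytes/packets/allow_err): org=6228/45/1 reply=7404/55/1 tuples=2
hook=post dir=org act=snat 10.40.48.22:49936->10.5.52.157:22(10.40.16.20:49936)
hook=pre dir=reply act=dnat 10.5.52.157:22->10.40.16.20:49936(10.40.48.22:49936)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=02 duration=18 expire=0 timeout=300 flags=00000000 use=4
hook=post dir=org act=snat 10.40.48.22:50101->10.5.52.157:22(10.40.16.20:50101)
hook=pre dir=reply act=dnat 10.5.52.157:22->10.40.16.20:50101(10.40.48.22:50101)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=6 proto_state=01 duration=18 expire=286 timeout=300 flags=00000000 use=4
hook=post dir=org act=snat 10.40.48.22:49936->10.5.52.157:22(10.40.16.20:49936)
total session 3
"""

if __name__ == "__main__":
    for r in report(SAMPLE):
        print(f"{r['src']} -> {r['dst']} {r['state']:<12} "
              f"{r['expected_log_action']!s:<24} {r['note']}")
```

Run it on output captured from the CLI (for example after narrowing the table with 'diagnose sys session filter'): TCP sessions in SYN_SENT map to 'Accept: session timeout', any other TCP session whose expire counter has already reached 0 maps to 'Accept: session close', and the remaining sessions report how much of their TTL is left, which is usually enough to tell whether a closed session was genuinely idle or whether the server never answered the SYN.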
