FortiGate
sagha (Staff)
Article Id 189951
Description
•    When ECMP or SD-WAN is used, the return (inbound) traffic can arrive on a different interface than the one the session was created on.
•    When that traffic is forwarded out of the FortiGate again, it is matched against the existing session, and the match fails because the ingress interface has changed.
•    TCP sessions are affected while the auxiliary-session setting is disabled.

This article describes how to enable the auxiliary session when ECMP or SD-WAN is used.


Scope
For version 6.2.3.

Solution
Debug flow output showing the symptom:
id=20085 trace_id=10 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.22.4.99:47287->172.23.4.100:443) from vlan4. flag [S], seq 3291199818, ack 0, win 65535"
id=20085 trace_id=10 func=init_ip_session_common line=5666 msg="allocate a new session-000015a7"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-80.78.133.251 via tun1"
id=20085 trace_id=10 func=fw_forward_handler line=771 msg="Allowed by Policy-14: SNAT"
id=20085 trace_id=10 func=ids_receive line=289 msg="send to ips"
id=20085 trace_id=10 func=__ip_session_run_tuple line=3286 msg="SNAT 172.22.4.99->192.168.1.1:47287"
id=20085 trace_id=10 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-tun1"
id=20085 trace_id=10 func=esp_output4 line=904 msg="IPsec encrypt/auth"
id=20085 trace_id=11 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.22.4.99:47287->172.23.4.100:443) from vlan4. flag [.], seq 3291199819, ack 1663915319, win 1034"
id=20085 trace_id=11 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000015a7, original direction"
id=20085 trace_id=11 func=ids_receive line=289 msg="send to ips"
id=20085 trace_id=11 func=ip_session_core_in line=6275 msg="outgoing dev changed:44->42 dir=original, drop"
id=20085 trace_id=12 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.22.4.99:47287->172.23.4.100:443) from vlan4. flag [.], seq 3291199819, ack 1663915319, win 1034"
id=20085 trace_id=12 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-192.168.1.1 via tun1"
id=20085 trace_id=12 func=fw_forward_dirty_handler line=385 msg="no session matched"
In this output, trace_id=11 finds the existing session (id-000015a7) but drops the packet because the outgoing device changed (44->42), and the retransmission in trace_id=12 then reports "no session matched". When similar behavior is observed, enable the auxiliary session.

By default, it is disabled:
# config system settings
    (settings) show full-configuration | grep aux
        set auxiliary-session disable
Enable it:
# config system settings
    (settings) set auxiliary-session enable
When the setting is disabled, a single session handles the traffic, and any change of ingress interface (in either the original or the reply direction) marks the session dirty and flushes its offload entry.
Once the setting is enabled, multi-session handling is active: a main session plus auxiliary sessions (one per additional ingress interface) handle the traffic.
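As an added example (not from Fortinet or the article), the script below turns the two checks above into something a practitioner can run: it parses debug-flow output for the "outgoing dev changed ... drop" message and pairs it with the session id, flow tuple and ingress interface of the same trace_id, then reads a `show full-configuration` dump to report whether auxiliary-session is enabled. The regular expressions assume the 6.2.3 message formats shown above; the sample flow lines and configuration text are constructed from the article's output.

```python
import re
from collections import defaultdict

# Constructed sample: the debug-flow lines from the article (SYN, the dropped
# ACK, and the retransmission that no longer matches a session).
SAMPLE_FLOW = """\
id=20085 trace_id=10 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.22.4.99:47287->172.23.4.100:443) from vlan4. flag [S], seq 3291199818, ack 0, win 65535"
id=20085 trace_id=10 func=init_ip_session_common line=5666 msg="allocate a new session-000015a7"
id=20085 trace_id=10 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-80.78.133.251 via tun1"
id=20085 trace_id=11 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.22.4.99:47287->172.23.4.100:443) from vlan4. flag [.], seq 3291199819, ack 1663915319, win 1034"
id=20085 trace_id=11 func=resolve_ip_tuple_fast line=5581 msg="Find an existing session, id-000015a7, original direction"
id=20085 trace_id=11 func=ip_session_core_in line=6275 msg="outgoing dev changed:44->42 dir=original, drop"
id=20085 trace_id=12 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=6, 172.22.4.99:47287->172.23.4.100:443) from vlan4. flag [.], seq 3291199819, ack 1663915319, win 1034"
id=20085 trace_id=12 func=fw_forward_dirty_handler line=385 msg="no session matched"
"""

# Constructed sample of `config system settings` as shown by
# `show full-configuration` on a default 6.2.3 unit.
SAMPLE_CONFIG_DISABLED = """\
config system settings
    set auxiliary-session disable
end
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+)\) from (?P<iface>\S+)\.')
# Matches both "allocate a new session-<id>" and "Find an existing session, id-<id>".
SESSION_RE = re.compile(r'session(?:, id)?-(?P<sid>[0-9a-f]+)')
DEV_CHANGE_RE = re.compile(r'outgoing dev changed:(?P<old>\d+)->(?P<new>\d+) dir=(?P<dir>\w+), drop')
AUX_RE = re.compile(r'^\s*set auxiliary-session (enable|disable)\s*$', re.MULTILINE)


def parse_flow(text):
    """Group debug-flow lines by trace_id, recording the packet tuple,
    ingress interface and session id each trace mentions."""
    traces = defaultdict(lambda: {"msgs": [], "flow": None, "ingress": None, "session": None})
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a debug-flow line (blank, prompt, etc.)
        t = traces[m["trace"]]
        msg = m["msg"]
        t["msgs"].append((m["func"], msg))
        pkt = PKT_RE.search(msg)
        if pkt:
            t["flow"] = f'{pkt["src"]}->{pkt["dst"]}'
            t["ingress"] = pkt["iface"]
        sess = SESSION_RE.search(msg)
        if sess:
            t["session"] = sess["sid"]
    return traces


def find_dev_change_drops(text):
    """Return one record per trace in which an existing session's packet was
    dropped because the outgoing device changed, the symptom auxiliary-session
    addresses. Each record carries the trace_id, session id, flow, ingress
    interface and the old/new device indexes."""
    hits = []
    for trace_id, t in parse_flow(text).items():
        for _func, msg in t["msgs"]:
            chg = DEV_CHANGE_RE.search(msg)
            if chg:
                hits.append({
                    "trace_id": trace_id,
                    "session": t["session"],
                    "flow": t["flow"],
                    "ingress": t["ingress"],
                    "old_dev": chg["old"],
                    "new_dev": chg["new"],
                    "direction": chg["dir"],
                })
    return hits


def auxiliary_session_enabled(config_text):
    """True/False for the configured value; None when the line is absent from
    the supplied text (plain `show` hides default values, so feed it the
    output of `show full-configuration`)."""
    m = AUX_RE.search(config_text)
    if not m:
        return None
    return m.group(1) == "enable"


if __name__ == "__main__":
    drops = find_dev_change_drops(SAMPLE_FLOW)
    for d in drops:
        print(f'trace {d["trace_id"]}: session {d["session"]} {d["flow"]} in via {d["ingress"]}, '
              f'outgoing dev {d["old_dev"]}->{d["new_dev"]} ({d["direction"]}), dropped')
    state = auxiliary_session_enabled(SAMPLE_CONFIG_DISABLED)
    if drops and state is not True:
        print("auxiliary-session is not enabled; enable it under 'config system settings'")
```

Feed the script the captured text of a real debug-flow session and the output of `show full-configuration` under `config system settings`; a non-empty drop list together with a disabled (or absent) setting is the condition the article's fix targets.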

Related document:

https://docs.fortinet.com/document/fortigate/6.2.3/fortios-release-notes/517622/changes-in-cli-defau...
