If a FortiGate has a WAN interface that obtains its IP address via DHCP, it renews the lease halfway through the lease time (with a 2-hour lease, the FGT renews every hour). Each renewal can drop established sessions in applications such as remote-access VPN.
We first observed this issue when using FortiExtender (FEX), which establishes a CAPWAP connection to the FGT and presents it with a MODEM interface. The DHCP lease on that interface is handed out by the FEX and is not configurable; its lease settings are independent of the APN/carrier.
In some cases, when the session table on the FGT is refreshed after the renewal, existing sessions are flagged "dirty"; in a flow trace (diagnose debug flow) for such a session you may see the fw_forward_dirty_handler function report 'no session matched'.
The FGT "forgets" that it already saw the 3-way handshake for this session and must create it again. Because the next packet is a mid-stream TCP packet with no SYN flag, the FGT drops it by default.
The workaround is to enable TCP sessions without SYN at the VDOM level and then allow them per policy (X is the ID of the policy carrying the affected traffic). Because this tells the FGT to accept mid-stream TCP packets that were never preceded by a SYN, apply it only to the policies that need it rather than to every policy:
config system settings
    set tcp-session-without-syn enable
end
config firewall policy
    edit X
        set tcp-session-without-syn all
    next
end
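To see which policies actually need the exception, it helps to audit a CLI config export: every policy whose source or destination interface is in DHCP mode should carry the per-policy setting (and the VDOM-level setting must be enabled for it to take effect), while policies that carry it without touching a DHCP interface give up SYN checking for nothing. The following script is an added example, not part of the original note or of any Fortinet tooling; the config text it parses is constructed for illustration, and the interface names and policy IDs in it are hypothetical.

```python
"""Audit a FortiGate CLI config export for the tcp-session-without-syn
workaround: which policies touching a DHCP-mode interface lack it, and
which policies carry it without needing it. Added example; the config
text below is constructed, not a real export."""
import shlex

# Constructed sample export (hypothetical interface names and policy IDs).
SAMPLE_CONFIG = """\
config system settings
    set tcp-session-without-syn enable
end
config system interface
    edit "wan1"
        set mode dhcp
        set allowaccess ping
    next
    edit "wan2"
        set mode static
        set ip 203.0.113.2 255.255.255.0
    next
    edit "internal"
        set mode static
        set ip 192.168.1.1 255.255.255.0
    next
end
config firewall policy
    edit 1
        set name "vpn-out-wan1"
        set srcintf "internal"
        set dstintf "wan1"
        set tcp-session-without-syn all
    next
    edit 2
        set name "web-out-wan1"
        set srcintf "internal"
        set dstintf "wan1"
    next
    edit 3
        set name "web-out-wan2"
        set srcintf "internal"
        set dstintf "wan2"
    next
    edit 4
        set name "dmz-out-wan2"
        set srcintf "internal" "dmz"
        set dstintf "wan2"
        set tcp-session-without-syn all
    next
end
"""


def _frame():
    return {"set": {}, "edit": {}, "config": {}}


def parse_config(text):
    """Parse the config/edit/set/next/end structure into nested dicts.
    Each block is {"set": {option: [values]}, "edit": {key: block},
    "config": {name: block}}; quoted values are handled by shlex."""
    top = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            parent = stack[-1]["config"] if stack else top
            stack.append(parent.setdefault(rest.strip(), _frame()))
        elif word == "edit":
            key = shlex.split(rest)[0]
            stack.append(stack[-1]["edit"].setdefault(key, _frame()))
        elif word == "set":
            option, _, values = rest.partition(" ")
            stack[-1]["set"][option] = shlex.split(values)
        elif word in ("next", "end"):
            stack.pop()
    return top


def audit(text):
    """Return the VDOM-level state, the DHCP-mode interfaces, the policies
    touching them that are still unprotected, and policies carrying the
    setting without touching a DHCP interface (needless loss of SYN checks)."""
    cfg = parse_config(text)
    settings = cfg.get("system settings", _frame())["set"]
    vdom_enabled = settings.get("tcp-session-without-syn") == ["enable"]
    dhcp_ifaces = sorted(
        name for name, iface in cfg.get("system interface", _frame())["edit"].items()
        if iface["set"].get("mode") == ["dhcp"]
    )
    unprotected, unnecessary = [], []
    for pid, pol in cfg.get("firewall policy", _frame())["edit"].items():
        ifaces = set(pol["set"].get("srcintf", [])) | set(pol["set"].get("dstintf", []))
        touches_dhcp = bool(ifaces & set(dhcp_ifaces))
        # Per-policy option is all | data-only | disable; the default is disable.
        mode = pol["set"].get("tcp-session-without-syn", ["disable"])[0]
        if touches_dhcp and (mode == "disable" or not vdom_enabled):
            unprotected.append(pid)
        elif not touches_dhcp and mode != "disable":
            unnecessary.append(pid)
    return {"vdom_enabled": vdom_enabled, "dhcp_interfaces": dhcp_ifaces,
            "unprotected": unprotected, "unnecessary": unnecessary}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a real export (show full-configuration) by replacing SAMPLE_CONFIG with the file contents; the parser only tracks config/edit/set nesting, so other output mixed into the file should be stripped first. In the constructed sample, policy 2 reaches the DHCP-mode wan1 without the setting and is reported as unprotected, while policy 4 carries the setting on the static wan2 and is reported as unnecessary.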