If a FortiGate has a WAN interface that obtains an IP address via DHCP, it will renew the lease halfway through its duration (if the lease is for 2 hours, the FGT will automatically renew the lease every hour). This can result in session drops in applications (e.g., VPN RA).<\/p>\n\n\n\n
We first observed this issue when using FortiExtender, which establishes a CAPWAP connection to the FGT and provides it with a MODEM interface. The DHCP on the FGT is created by FEX and is not configurable; the settings are independent of the APN\/Carrier.<\/p>\n\n\n\n
In some cases, when the session table on the FGT is refreshed, it will mark session flags as \u201cdirty\u201d; when debugging the session, you may observe: fw_forward_dirty_handler as \u2018no session matched\u2019.<\/p>\n\n\n\n
The FGT \u201cforgets\u201d that it saw a 3-way handshake for this session and marks it as dirty. Since this is a TCP session without a 3-way handshake, the packets will be dropped.<\/p>\n\n\n\n
The workaround is to configure an exception per policy:<\/p>\n\n\n\n
config system settings\n set tcp-session-without-syn enable\nend\nconfig firewall policy\n edit X\n set tcp-session-without-syn all\n next\nend<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"