(Applies to FortiGate v6.0 and v6.2.)

Description. There are frequent use cases where a TCP session created on the firewall has a smaller session TTL than the client PC initiating the TCP session or the target device: the firewall silently ages the session out while both endpoints still consider it established. This article explains a new CLI parameter (the per-policy option timeout-send-rst) that can be activated on a policy to send a TCP RST packet on session timeout. Sending a FIN or RST requires that the firewall implementation keep track of the sequence numbers on the connection, because it needs to fill in that data in the FIN/RST packet; a stateful firewall that already validates sequence numbers has this information.

By default, if a packet is received with sequence numbers that fall outside the expected range, the FortiGate unit drops the packet. This is normally the desired behaviour, since an out-of-range sequence number means that the packet is invalid or duplicated. The default mode for this sequence check (anti-replay) is strict.

TCP establishment is conceptually a four-way process: the initiating host sends a SYN to the receiving host, which sends an ACK for that SYN; the receiving host sends its own SYN to the initiating host, which sends an ACK back. On the wire the middle two segments are combined into a single SYN/ACK. Seen this way, a SYN/ACK is not exactly an acknowledgement of a SYN, and likewise a RST/ACK is not an acknowledgement of a RST: the ACK flag (with the acknowledgement number) refers to what was received from the peer, while the SYN or RST flag is this host's own action on the connection.

The same distinction explains the "challenge ACK" (RFC 5961) seen when a client opens a new connection with the same 4-tuple as one the server still considers established, for example after the client rebooted. In response to the client's SYN, the server challenges it by sending a plain ACK that carries the sequence and acknowledgement numbers of the previous connection, rather than a SYN/ACK. A client that has genuinely lost that connection does not expect this ACK while in SYN-SENT and answers with a RST, which tears down the stale connection on the server as well; the client's retransmitted SYN is then answered with a normal SYN/ACK.

Firewall Action

Hi, the security auditor came to our office to check the firewall policies. The guy suggests configuring the Firewall Access Rule to "DROP" the unwanted traffic instead of "DENY".

A FortiGate will always DROP traffic with the default configuration when DENY is specified!

We have a web application, hosted in IIS, and we appear to be getting an intermittent '0 bytes returned from server' in the web application. I need someone to help me interpret what is going on with the tcpdump I have - this is taken on the server end. As part of our tests we had users access the web application directly on the box and the issue goes away, so we think that the issue is on the network layer.

I have a client which had a TCP connection established to a server for some 9 hours plus and was able to remain connected without any issues. And why does the client send two RST packets out of the blue?

First of all, I'm not sure that the message "Acknowledgment number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set" within the RST packet is the actual cause of the connection failing, because the RST already is a result of that having happened, so I'd guess it's just a side effect. ...

Re: Syn - Syn-Ack Rst 2015/05/11 10:45:06 0

I would diag debug flow matching the client and port, and inspect the firewall policy for ips-sensor, ssl-inspection, etc.
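The challenge-ACK exchange described above, worked through as an added Python simulation written for this page (it is not code from Fortinet or from any of the posters): a server that still holds a connection in ESTABLISHED receives a fresh SYN from a client that lost that connection, answers with a challenge ACK, the client answers that with a RST, and the retransmitted SYN then completes a normal handshake. The sequence numbers, the server's ISS and the simplified state machine (no data, no timers, no TIME-WAIT) are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

MOD = 1 << 32          # sequence numbers wrap at 2**32
SERVER_ISS = 9_000     # server's ISS for the new connection (constructed value)


@dataclass
class Segment:
    seq: int
    ack: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "RST"}

    def __str__(self) -> str:
        names = "/".join(f for f in ("SYN", "RST", "ACK") if f in self.flags)
        return f"{names} seq={self.seq} ack={self.ack}"


@dataclass
class Endpoint:
    name: str
    state: str              # CLOSED, LISTEN, SYN_SENT, SYN_RCVD, ESTABLISHED
    snd_nxt: int = 0        # next sequence number this side will send
    rcv_nxt: int = 0        # next sequence number expected from the peer
    iss: int = 0

    def connect(self, iss: int) -> Segment:
        """Active open: send a SYN and enter SYN_SENT."""
        self.iss, self.snd_nxt, self.state = iss, (iss + 1) % MOD, "SYN_SENT"
        return Segment(iss, 0, frozenset({"SYN"}))

    def challenge_ack(self) -> Segment:
        """Plain ACK carrying the existing connection's numbers (RFC 5961)."""
        return Segment(self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))

    def receive(self, seg: Segment) -> Optional[Segment]:
        """Process one segment; return the reply to send, if any."""
        if self.state == "ESTABLISHED":
            if "SYN" in seg.flags:
                # RFC 5961 section 4: a SYN on an established connection is
                # answered with a challenge ACK, not a SYN/ACK and not a RST.
                return self.challenge_ack()
            if "RST" in seg.flags:
                # RFC 5961 section 3: honour the RST only if SEG.SEQ equals
                # RCV.NXT exactly; an in-window but inexact RST is challenged.
                if seg.seq == self.rcv_nxt:
                    self.state = "LISTEN" if self.name == "server" else "CLOSED"
                    return None
                return self.challenge_ack()
            return None
        if self.state == "LISTEN" and "SYN" in seg.flags:
            self.iss, self.rcv_nxt = SERVER_ISS, (seg.seq + 1) % MOD
            self.snd_nxt, self.state = (self.iss + 1) % MOD, "SYN_RCVD"
            return Segment(self.iss, self.rcv_nxt, frozenset({"SYN", "ACK"}))
        if self.state == "SYN_SENT" and "ACK" in seg.flags:
            if seg.ack != self.snd_nxt:
                # RFC 793 SYN-SENT: an ACK that does not acknowledge our SYN is
                # answered with <SEQ=SEG.ACK><CTL=RST> and no ACK flag. Stacks
                # that leave a stale value in the acknowledgement field here
                # produce the analyser warning quoted in the thread.
                return Segment(seg.ack, 0, frozenset({"RST"}))
            if "SYN" in seg.flags:
                self.rcv_nxt, self.state = (seg.seq + 1) % MOD, "ESTABLISHED"
                return Segment(self.snd_nxt, self.rcv_nxt, frozenset({"ACK"}))
        if self.state == "SYN_RCVD" and "ACK" in seg.flags and seg.ack == self.snd_nxt:
            self.state = "ESTABLISHED"
        return None


def run_scenario():
    """Server still holds the old connection; the client has lost it (e.g. rebooted)."""
    server = Endpoint("server", "ESTABLISHED", snd_nxt=5_000_100, rcv_nxt=1_000_050)
    client = Endpoint("client", "CLOSED")
    trace: List[str] = []

    def send(src: Endpoint, dst: Endpoint, seg: Segment) -> Optional[Segment]:
        trace.append(f"{src.name}->{dst.name}: {seg}")
        return dst.receive(seg)

    syn = client.connect(iss=42_000)             # new ISN, unrelated to the old connection
    challenge = send(client, server, syn)        # server replies with a challenge ACK
    rst = send(server, client, challenge)        # client replies with RST, seq = challenge's ack
    assert send(client, server, rst) is None     # server tears the stale connection down
    syn_ack = send(client, server, syn)          # client retransmits its SYN: now a SYN/ACK
    ack = send(server, client, syn_ack)          # client completes the handshake
    send(client, server, ack)
    return trace, client.state, server.state


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

Run it and the trace shows the client's SYN, the server's ACK with the old connection's acknowledgement number, the client's RST whose sequence number equals that acknowledgement number, and then the normal SYN, SYN/ACK, ACK. The two RSTs in the 9-hour thread are consistent with this pattern if each of the client's SYN attempts was challenged; a capture on both ends would confirm it.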
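The sequence-number check and the flag distinctions above, as an added Python example written for this page (not FortiGate code and not from any of the posts): it decodes a raw TCP header, names the segment the way a packet analyser does (SYN, SYN/ACK, RST, RST/ACK), reports the "acknowledge field is nonzero while the ACK flag is not set" condition quoted in the thread, and applies the RFC 793 acceptability test that a stateful firewall uses to drop out-of-window segments. The headers and the rcv_nxt/window values are constructed for the example, and treating FortiOS's strict mode as exactly this test is an assumption.

```python
import struct

FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
MOD = 1 << 32


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Minimal 20-byte TCP header (checksum and urgent pointer zero): constructed test input."""
    offset_flags = (5 << 12) | flags            # data offset 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header from raw bytes."""
    sport, dport, seq, ack, offset_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": offset_flags & 0x1FF, "window": window,
            "hdr_len": (offset_flags >> 12) * 4}


def segment_kind(flags):
    """Name the segment as an analyser would. RST/ACK is a RST that also
    acknowledges the peer's data; it is not 'an ACK of a RST'."""
    names = [n for bit, n in ((FLAG_SYN, "SYN"), (FLAG_FIN, "FIN"),
                              (FLAG_RST, "RST"), (FLAG_ACK, "ACK")) if flags & bit]
    return "/".join(names) or "none"


def header_warnings(hdr):
    """Expert-info style sanity checks; the first is the one quoted in the thread."""
    warnings = []
    if hdr["ack"] != 0 and not hdr["flags"] & FLAG_ACK:
        warnings.append("acknowledge field is nonzero while the ACK flag is not set")
    if hdr["flags"] & FLAG_SYN and hdr["flags"] & FLAG_RST:
        warnings.append("SYN and RST set together")
    return warnings


def seq_in_window(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test with 32-bit wraparound. A stateful firewall
    tracking rcv_nxt/rcv_wnd per direction drops segments that fail it; that is
    what a strict sequence check does (assumption: FortiOS strict mode is this test)."""
    def between(x, lo, hi):                     # lo <= x < hi, modulo 2**32
        return (x - lo) % MOD < (hi - lo) % MOD
    if rcv_wnd == 0:
        return seg_len == 0 and seg_seq == rcv_nxt
    hi = (rcv_nxt + rcv_wnd) % MOD
    if seg_len == 0:
        return between(seg_seq, rcv_nxt, hi)
    last = (seg_seq + seg_len - 1) % MOD
    return between(seg_seq, rcv_nxt, hi) or between(last, rcv_nxt, hi)


def demo():
    """Three constructed headers and three constructed firewall decisions."""
    # RST from a stack that left a stale value in the ack field without setting ACK
    bad_rst = build_tcp_header(50000, 443, 1_000_050, 77_777, FLAG_RST)
    rst_ack = build_tcp_header(443, 50000, 9_001, 42_001, FLAG_RST | FLAG_ACK)
    syn_ack = build_tcp_header(443, 50000, 9_000, 42_001, FLAG_SYN | FLAG_ACK)
    hdrs = [parse_tcp_header(b) for b in (bad_rst, rst_ack, syn_ack)]
    kinds = [segment_kind(h["flags"]) for h in hdrs]
    warnings = [header_warnings(h) for h in hdrs]
    # firewall state for one direction: rcv_nxt 1_000_050, window 65535
    decisions = {
        "in-window": seq_in_window(1_000_100, 100, 1_000_050, 65535),
        "stale duplicate": seq_in_window(990_000, 100, 1_000_050, 65535),
        "wraparound": seq_in_window(MOD - 10, 100, MOD - 50, 65535),
    }
    return kinds, warnings, decisions


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The "stale duplicate" case is the packet a strict firewall drops on sight, and the "wraparound" case shows why the comparison must be done modulo 2^32 rather than with plain integer ordering.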