
How FortiGate handles Challenge ACK packets

This article describes what a Challenge ACK is and how FortiGate handles such a packet.

Scope

FortiGate.

Solution

In a TCP handshake, three packets are generally exchanged to establish the connection: SYN, SYN-ACK, and ACK.

In some cases, when the source tries to establish a TCP connection, the destination replies with a plain ‘ACK’ packet instead of a ‘SYN-ACK’. The ACK number in this packet is random from the source's point of view: it does not match the sequence number of the SYN packet. This type of ACK is called a Challenge ACK. The source responds with a RST packet to the server and closes the current connection.

After the previous connection has been closed, the source starts a new TCP connection.

Below is a Wireshark capture of the Challenge-ACK scenario. The first three packets show the Challenge ACK flow: the ACK number in the ACK packet is not in the same range as the sequence number of the SYN packet.

Wireshark capture of the Challenge-ACK scenario

The Challenge ACK is defined in RFC 5961.

FortiGate does not drop this packet, even when anti-replay protection is set to ‘strict’.

Below is the anti-replay setting.

Firewall-kvm37 # get system global | grep replay
anti-replay : strict

The debug flow output shows that FortiGate identifies the packet as a possible Challenge ACK and allows it.

2024-05-01 00:46:53 id=65308 trace_id=13 func=print_pkt_detail line=5888 msg="vd-root:0 received a packet(proto=6, 10.56.250.18:2049->10.47.40.137:1023) tun_id=0.0.0.0 from port3. flag [.], seq 3868146465, ack 1480705351, win 256"
2024-05-01 00:46:53 id=65308 trace_id=13 func=resolve_ip_tuple_fast line=5976 msg="Find an existing session, id-00bf30a6, reply direction"
2024-05-01 00:46:53 id=65308 trace_id=13 func=tcp_anti_reply line=1069 msg="This can be a challenge ack packet"
2024-05-01 00:46:53 id=65308 trace_id=13 func=__vf_ip_route_input_rcu line=1999 msg="find a route: flag=00000000 gw-10.8.3.41 via port2"
2024-05-01 00:46:53 id=65308 trace_id=13 func=npu_handle_session44 line=1346 msg="Trying to offloading session from port3 to port2, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x00000100"
2024-05-01 00:46:53 id=65308 trace_id=13 func=fw_forward_dirty_handler line=448 msg="state=00000204, state2=00000001, npu_state=00000100"
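The following Python script is an added example, not part of this article or of FortiOS. It shows the client-side logic behind the Challenge ACK flow described above (a pure ACK whose ACK number does not acknowledge the SYN triggers a RST and a fresh SYN), and it pulls the seq/ack fields and the tcp_anti_reply verdict out of debug flow lines in the format shown above. Flags use the tcpdump notation that the trace itself uses ("S", "S.", "."); the trace lines in the script are constructed for the example.

```python
"""Classify the reply a TCP client receives after sending its SYN, and
extract the relevant fields from FortiGate debug flow trace lines."""
import re

MOD = 1 << 32  # TCP sequence numbers wrap at 2^32


def classify_reply(syn_seq: int, flag: str, ack: int) -> str:
    """Client is in SYN-SENT with initial sequence number syn_seq.
    flag uses tcpdump letters: 'S' SYN, 'S.' SYN-ACK, '.' pure ACK, 'R' RST."""
    expected = (syn_seq + 1) % MOD      # what a real SYN-ACK must acknowledge
    if "R" in flag:
        return "rst"
    if flag == "S.":
        return "syn-ack" if ack == expected else "bad-syn-ack"
    if flag == "." and ack != expected:
        # Pure ACK that does not acknowledge our SYN: the RFC 5961 challenge ACK.
        return "challenge-ack"
    return "other"


def client_action(syn_seq: int, flag: str, ack: int) -> tuple:
    """Next step for the client. On a challenge ACK the stale connection is
    reset (RST carrying the peer's ACK number as its sequence number, per the
    SYN-SENT rules of RFC 793) and a new handshake is started with a new SYN."""
    kind = classify_reply(syn_seq, flag, ack)
    if kind == "challenge-ack":
        return ("RST", ack, "retry-SYN")
    if kind == "syn-ack":
        return ("ACK", ack, "established")
    return ("none", None, kind)


_PKT = re.compile(r"flag \[(?P<flag>[^\]]*)\], seq (?P<seq>\d+), ack (?P<ack>\d+)")


def parse_fgt_trace(lines) -> dict:
    """Return seq/ack from print_pkt_detail and whether tcp_anti_reply
    reported the packet as a possible challenge ACK."""
    out = {"flag": None, "seq": None, "ack": None, "challenge_ack": False}
    for line in lines:
        m = _PKT.search(line)
        if m:
            out["flag"] = m["flag"]
            out["seq"], out["ack"] = int(m["seq"]), int(m["ack"])
        if "func=tcp_anti_reply" in line and "challenge ack" in line.lower():
            out["challenge_ack"] = True
    return out


# Constructed trace lines, abbreviated from the format shown in the article.
SAMPLE_TRACE = [
    'func=print_pkt_detail msg="received a packet(proto=6) flag [.], seq 3868146465, ack 1480705351, win 256"',
    'func=tcp_anti_reply line=1069 msg="This can be a challenge ack packet"',
]
```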

Support for allowing Challenge ACK packets was introduced in FortiOS 6.0.13 / 6.2.10 / 6.4.6 / 7.0.2.