https://community.checkpoint.com/t5/Firewall-and-Security-Management/Drops-quot-TCP-Out-of-Sequence-quot-even-after-creating/m-p/123344#M17692 <P>Hi guys,</P><P>We are troubleshooting a random issue with a connection between 2 internal hosts and some external servers on a cloud provider. We don't know if it is related to the issue or not, but we observe in the firewalls logs some "TCP out of state" packet drop.</P><P>Most of the drops have "ACK" as TCP flag, and some "PUSH-ACK", as shown on the screenshots attached.&nbsp;</P><P>So we went to Inspection Settings and for our gateway we added the source IPs (only the source, Any destination) and the destination port (443) as exception for the protection "TCP out of Sequence". However nothing has changed, and the gateways keep dropping the packets for time to time.</P><P>The gateway cluster is a 4000 series running R80.10</P><P>Any help on this?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ACK.png" style="width: 802px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12502iDBC6F48269F9BFEA/image-size/large?v=v2&amp;px=999" role="button" title="ACK.png" alt="ACK.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PUSH ACK.png" style="width: 801px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12503i5813AE860D3E8362/image-size/large?v=v2&amp;px=999" role="button" title="PUSH ACK.png" alt="PUSH ACK.png" /></span></P> Thu, 08 Jul 2021 14:52:31 GMT arcotangente 2021-07-08T14:52:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Drops-quot-TCP-Out-of-Sequence-quot-even-after-creating/m-p/123344#M17692 <P>Hi guys,</P><P>We are troubleshooting a random issue with a connection between 2 internal hosts and some external servers on a cloud provider. We don't know if it is related to the issue or not, but we observe in the firewalls logs some "TCP out of state" packet drop.</P><P>Most of the drops have "ACK" as TCP flag, and some "PUSH-ACK", as shown on the screenshots attached.&nbsp;</P><P>So we went to Inspection Settings and for our gateway we added the source IPs (only the source, Any destination) and the destination port (443) as exception for the protection "TCP out of Sequence". However nothing has changed, and the gateways keep dropping the packets for time to time.</P><P>The gateway cluster is a 4000 series running R80.10</P><P>Any help on this?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ACK.png" style="width: 802px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12502iDBC6F48269F9BFEA/image-size/large?v=v2&amp;px=999" role="button" title="ACK.png" alt="ACK.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PUSH ACK.png" style="width: 801px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12503i5813AE860D3E8362/image-size/large?v=v2&amp;px=999" role="button" title="PUSH ACK.png" alt="PUSH ACK.png" /></span></P> Thu, 08 Jul 2021 14:52:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Drops-quot-TCP-Out-of-Sequence-quot-even-after-creating/m-p/123344#M17692 arcotangente 2021-07-08T14:52:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Drops-quot-TCP-Out-of-Sequence-quot-even-after-creating/m-p/123351#M17693 <P>Why R80.10 and not a later release?<BR />Regardless a TAC case may be necessary to get to the bottom of this.</P> Thu, 08 Jul 2021 15:34:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Drops-quot-TCP-Out-of-Sequence-quot-even-after-creating/m-p/123351#M17693 PhoneBoy 2021-07-08T15:34:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Drops-quot-TCP-Out-of-Sequence-quot-even-after-creating/m-p/123411#M17705 <P>Hi,</P><P>We haven't had any issues with R80.10 so haven't considered upgrading to a later release.&nbsp;</P><P>Anyway, why after we put the IP's under exceptions in the Inspection Settings these drops are still happening? is not that the right place to do it? which could be the cause of seeing many ACKs drops and some PUSH-ACKs drops?</P><P>Thanks!</P> Fri, 09 Jul 2021 10:33:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Drops-quot-TCP-Out-of-Sequence-quot-even-after-creating/m-p/123411#M17705 arcotangente 2021-07-09T10:33:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Drops-quot-TCP-Out-of-Sequence-quot-even-after-creating/m-p/123457#M17735 <P>Per our original schedule, R80.10 should be End of Support by now, but we extended it to January 2022.<BR />There are numerous improvements in more recent releases.</P> <P>In any case, you're modifying a protection related to TCP sequence numbers, which has nothing to do with this.<BR />What you probably want to do is:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk11088" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk11088</A>&nbsp;</P> Sat, 10 Jul 2021 00:02:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Drops-quot-TCP-Out-of-Sequence-quot-even-after-creating/m-p/123457#M17735 PhoneBoy 2021-07-10T00:02:14Z