https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-ports-TCP-32768-gt-65535-drops/m-p/126966#M18378 <P>Normally there are this options why this happens&nbsp; "First packet isn't SYN" and/or "<EM>TCP packet out of state</EM>' drop message in log":</P> <P>A)&nbsp; Assymetric routing! This message could appear in asymmetric networks, where the packet exit path of the network does not match the&nbsp;network entry path. Once the connection has been removed from the connection table, any packet other than a SYN will be dropped with a TCP packet out of state as this is the first packet needed to establish a new connection.&nbsp;Change your network configuration to resolve the asymmetry in order to fix this problem or follow workaround&nbsp;procedures.<BR />&nbsp;&nbsp; -&gt; Fix Routing or in exceptional cases define out of state exception.</P> <P>B)&nbsp; Session has been expired of the connection table.<BR />&nbsp; -&gt; Increase age timers for the service object.<BR /><BR />C) Connection halt during ClusterXL failover - services that are not synchronized on the cluster<BR />&nbsp; -&gt; To check and synchronize a service, double click it =&gt; Advanced =&gt; Sync on cluster.<BR /><BR />D)&nbsp; Aggressive aging kicking in on a highly loaded gateway / cluster<BR />&nbsp; -&gt; If the memory usage of the gateway exceeds 80%, aggressive aging will also kick in to try and prevent the gateway from reaching 100% memory usage which ultimately crashes / freezes it.<BR /><BR />E) The traffic is non TCP RFC compliant.<BR />&nbsp; -&gt; refer to <A href="http://supportcontent.checkpoint.com/solutions?id=sk11088" target="_blank">sk11088</A><BR /><BR />F) Policy install.<BR />&nbsp; -&gt; To check and keep connections after policy installation, double click the service =&gt; select 'Keep connections' or alternatively set the entire cluster to keep or rematch connections after policy install in the cluster object properties under advanced tab =&gt; connection persistence.<BR /><BR /><BR /></P> Fri, 13 Aug 2021 20:40:19 GMT HeikoAnkenbrand 2021-08-13T20:40:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-ports-TCP-32768-gt-65535-drops/m-p/126467#M18322 <P>Hello,</P><P>We're actually facing an issue on our infrastructure.</P><P>We have servers communicating through datacenter infrastructure (checkpoint firewalls).</P><P>Users faced latency on their applications. We saw the errors " First packet isn't ACK " . So we temporarily disactivate the packet filtering.&nbsp;</P><P>There is no jitter issue on the links. But we can see on the firewalls some connections with the range port&nbsp;TCP 32768=&gt;65535.&nbsp;</P><P>Does someone face this issue or know how to troobleshoot ?</P><P>Thanks for your help.</P><P>Lina</P> Wed, 11 Aug 2021 10:12:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-ports-TCP-32768-gt-65535-drops/m-p/126467#M18322 Lin 2021-08-11T10:12:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-ports-TCP-32768-gt-65535-drops/m-p/126913#M18362 <P><SPAN>"First packet isn't ACK" - this does not any sense. Should be "First packet isn't SYN". Also, you say you disabled packet filtering. Do you mean out of state drops?</SPAN></P> Fri, 13 Aug 2021 11:48:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-ports-TCP-32768-gt-65535-drops/m-p/126913#M18362 _Val_ 2021-08-13T11:48:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-ports-TCP-32768-gt-65535-drops/m-p/126966#M18378 <P>Normally there are this options why this happens&nbsp; "First packet isn't SYN" and/or "<EM>TCP packet out of state</EM>' drop message in log":</P> <P>A)&nbsp; Assymetric routing! This message could appear in asymmetric networks, where the packet exit path of the network does not match the&nbsp;network entry path. Once the connection has been removed from the connection table, any packet other than a SYN will be dropped with a TCP packet out of state as this is the first packet needed to establish a new connection.&nbsp;Change your network configuration to resolve the asymmetry in order to fix this problem or follow workaround&nbsp;procedures.<BR />&nbsp;&nbsp; -&gt; Fix Routing or in exceptional cases define out of state exception.</P> <P>B)&nbsp; Session has been expired of the connection table.<BR />&nbsp; -&gt; Increase age timers for the service object.<BR /><BR />C) Connection halt during ClusterXL failover - services that are not synchronized on the cluster<BR />&nbsp; -&gt; To check and synchronize a service, double click it =&gt; Advanced =&gt; Sync on cluster.<BR /><BR />D)&nbsp; Aggressive aging kicking in on a highly loaded gateway / cluster<BR />&nbsp; -&gt; If the memory usage of the gateway exceeds 80%, aggressive aging will also kick in to try and prevent the gateway from reaching 100% memory usage which ultimately crashes / freezes it.<BR /><BR />E) The traffic is non TCP RFC compliant.<BR />&nbsp; -&gt; refer to <A href="http://supportcontent.checkpoint.com/solutions?id=sk11088" target="_blank">sk11088</A><BR /><BR />F) Policy install.<BR />&nbsp; -&gt; To check and keep connections after policy installation, double click the service =&gt; select 'Keep connections' or alternatively set the entire cluster to keep or rematch connections after policy install in the cluster object properties under advanced tab =&gt; connection persistence.<BR /><BR /><BR /></P> Fri, 13 Aug 2021 20:40:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-ports-TCP-32768-gt-65535-drops/m-p/126966#M18378 HeikoAnkenbrand 2021-08-13T20:40:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-ports-TCP-32768-gt-65535-drops/m-p/126982#M18384 <P>I agree with all guys said here...personally, I would say asymmetric routing is definitely something you should check first.</P> Sat, 14 Aug 2021 22:32:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Dynamic-ports-TCP-32768-gt-65535-drops/m-p/126982#M18384 the_rock 2021-08-14T22:32:36Z