<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: First packet isn't SYN errors in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135336#M20381</link>
    <description>&lt;P&gt;If your gateway is under heavy load (memory shortage, +80% used), aggressive aging will clear connections in the conntable faster than the actual timeout, causing the "First packet isn't SYN" error.&lt;/P&gt;</description>
    <pubDate>Wed, 01 Dec 2021 12:10:46 GMT</pubDate>
    <dc:creator>JanVC</dc:creator>
    <dc:date>2021-12-01T12:10:46Z</dc:date>
    <item>
      <title>First packet isn't SYN errors</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135229#M20361</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;We are running&amp;nbsp;&lt;SPAN&gt;R80.40 Jumbo HF Take #125, and an LDAPS connection going through the firewall is getting disconnected after two hours. We can see that a lot of "First packet isn't SYN" errors are being logged, and this traffic is being blocked.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;What could be the cause of this problem? Is there a way of configuring the firewall to ignore the SYN error and just let the traffic flow through between the LDAPS client and server, or can one create a specific rule for just the LDAPS connection to ignore this SYN error and allow the traffic through?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Regards&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;P_M&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 30 Nov 2021 07:53:32 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135229#M20361</guid>
      <dc:creator>P_M</dc:creator>
      <dc:date>2021-11-30T07:53:32Z</dc:date>
    </item>
    <item>
      <title>Re: First packet isn't SYN errors</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135301#M20372</link>
      <description>&lt;P&gt;Stateful firewalls track connections in a state table. This table is limited by the memory in the device. To help get rid of irrelevant junk entries (like connections from a laptop which has been put to sleep for the day, and which won't use them again), the state table entries have a timeout. If no traffic is seen on a given connection in a certain amount of time (by default, 40 seconds for UDP or an hour for TCP), the entry is removed from the table. If the endpoints then try to send traffic on the same connection, the firewall drops it with the message you see.&lt;/P&gt;
&lt;P&gt;You should set the endpoints to send keepalive traffic. This will refresh the entry in the state table so it won't be removed unless the endpoints actually stop talking.&lt;/P&gt;</description>
      <pubDate>Tue, 30 Nov 2021 21:14:09 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135301#M20372</guid>
      <dc:creator>Bob_Zimmerman</dc:creator>
      <dc:date>2021-11-30T21:14:09Z</dc:date>
    </item>
    <item>
      <title>Re: First packet isn't SYN errors</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135307#M20376</link>
      <description>&lt;P&gt;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/27871"&gt;@Bob_Zimmerman&lt;/a&gt;&amp;nbsp;explained it perfectly, I really have nothing else to add.&lt;/P&gt;</description>
      <pubDate>Wed, 01 Dec 2021 00:24:11 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135307#M20376</guid>
      <dc:creator>the_rock</dc:creator>
      <dc:date>2021-12-01T00:24:11Z</dc:date>
    </item>
    <item>
      <title>Re: First packet isn't SYN errors</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135310#M20377</link>
      <description>&lt;P&gt;In my many years debugging Checkpoints I have yet to see "First packet isn't SYN" where the firewall is the culprit - so far it has always been the apps. Usually, it is either intermittent asymmetric routing or timeouts/keepalives the app doesn't send.&lt;/P&gt;&lt;P&gt;Once upon a time you could "solve" such problems by turning off Stateful Inspection for TCP packets in Global properties, but for the &lt;STRONG&gt;whole&lt;/STRONG&gt; firewall, brr. And I actually saw people doing it, but it means you basically turn off the firewall for the most part, and I am not sure it is possible in newer versions anymore.&lt;/P&gt;&lt;P&gt;So as others have already said - look closer into the application traffic.&lt;/P&gt;</description>
      <pubDate>Wed, 01 Dec 2021 06:56:35 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135310#M20377</guid>
      <dc:creator>Yuri_Slobodyany</dc:creator>
      <dc:date>2021-12-01T06:56:35Z</dc:date>
    </item>
    <item>
      <title>Re: First packet isn't SYN errors</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135336#M20381</link>
      <description>&lt;P&gt;If your gateway is under heavy load (memory shortage, +80% used), aggressive aging will clear connections in the conntable faster than the actual timeout, causing the "First packet isn't SYN" error.&lt;/P&gt;</description>
      <pubDate>Wed, 01 Dec 2021 12:10:46 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/First-packet-isn-t-SYN-errors/m-p/135336#M20381</guid>
      <dc:creator>JanVC</dc:creator>
      <dc:date>2021-12-01T12:10:46Z</dc:date>
    </item>
  </channel>
</rss>

