topic Re: First packet isn't syn in Firewall and Security Management

First packet isn't syn

tlloyd22 — Wed, 03 Nov 2021 15:39:53 GMT

Hey everyone. I have a new CPGW R81.10 and I have one workstation that's dropping traffic 3 to 4 times a second with the following issue:

TCP packet out of state: First packet isn't SYN

TCP Flags: RST-ACK and FIN-PUSH-ACK

Can this be ignored? I can't say I'm seeing a perf problem. Or, should/how can it be fixed? Thanks all!

Re: First packet isn't syn

Timothy_Hall — Fri, 05 Nov 2021 17:13:38 GMT

Generally you can ignore FIN and RST packets that are dropped out of state unless they are conclusively linked to a specific problem. This is typically caused by the connection not being closed gracefully by one side or the other, see my post here:

https://community.checkpoint.com/t5/General-Topics/First-packet-isn-t-SYN/m-p/7027/highlight/true#M798

Re: First packet isn't syn

maad-pul — Mon, 28 Feb 2022 20:18:18 GMT

Hi,

Did you find anyting related to this issue? I have also seen those packets dropped after upgrading to R81.10 TAKE30.
I haven´t seen any drops related to TCP Flags: RST-ACK and FIN-PUSH-ACK before upgrade R80.40.

My problem is that I have performance issues related to flows where I see errors in logs.

I have disabled HTTPS Inspection which seems to solve the issue.

Re: First packet isn't syn

tlloyd22 — Mon, 28 Feb 2022 21:24:46 GMT

After seeing Tim Hall's post and reading through, I chose to ignore the errors since I didn't see a performance issue. Sorry I'm not more helpful...good luck!

Re: First packet isn't syn

the_rock — Mon, 28 Feb 2022 21:27:54 GMT

Are you seeing any performance impact, dropped traffic? If so, then I would be concerned...if not, then I would not worry much.

Re: First packet isn't syn

maad-pul — Mon, 28 Feb 2022 21:51:32 GMT

Hi,

Yes! This weekend we upgraded to lastest R81.10 GA, I´m having users reported "slow web browsning" today, I found in logs a lot of dropped packet related to tcp/443, which haven¨t been there before.

TCP packet out of state: First packet isn't SYN
TCP Flags: RST-ACK and FIN-PUSH-ACK

I quick fix, just to now whats goding on was to disable HTTPS Inspection for that VS. Logs dissapeard and users reported good web browsing performance after that. The Logs are from the FW-blade and not HTTPS Inspection.

Re: First packet isn't syn

the_rock — Mon, 28 Feb 2022 21:57:13 GMT

You may need to debug wstlsd process for https inspection, when its enabled.

Re: First packet isn't syn

skandshus — Mon, 28 Feb 2022 22:47:08 GMT

I am seeing a LOT of those too in my ubiquiti unifi controller where connection status/heartbeats then gets time out and throwing me an Alert of a device disconnecting even though it’s working fine. It’s so annoying.. never had that issue before checkpoint unfortunately 😞

Re: First packet isn't syn

the_rock — Tue, 01 Mar 2022 06:11:32 GMT

I would open TAC case for it to have them verify, specially given the fact it causes traffic issues.

Re: First packet isn't syn

maad-pul — Tue, 01 Mar 2022 08:57:09 GMT

Hi!

I will do that, I just need to verify Hyperthreading (SMT/HT) enabling i BIOS for the HPE-server. I don´t know if thats setting was enabled in last update to R80.40, but support seems to be removed.

See https://community.checkpoint.com/t5/Security-Gateways/Attention-HyperThreading-SMT-support-for-Open-Servers-got/td-p/104962.

Re: First packet isn't syn

CheckPointerXL — Wed, 20 Jul 2022 08:30:24 GMT

hello, did you fix it?

Re: First packet isn't syn

Pedro_Sentinela — Tue, 26 Jul 2022 18:32:19 GMT

hello, I'm having the same problem as you and I'm losing a lot of packages that are destroying the performance. Could you let me know if there was a solution to your problem?

Re: First packet isn't syn

skandshus — Tue, 26 Jul 2022 19:52:07 GMT

mine isnt fixed.

from my experience it doesnt look like Check point have a FIX for it actually 😞

Re: First packet isn't syn

the_rock — Tue, 26 Jul 2022 20:05:53 GMT

Well, first packet isnt syn error is not something CP would have a fix for, per se, its usually routing issue, from my experience.

Re: First packet isn't syn

skandshus — Sat, 30 Jul 2022 20:35:31 GMT

Routing issue in what sense?

Re: First packet isn't syn

Chris_Atkinson — Tue, 01 Nov 2022 06:26:34 GMT

Indeed, need to ensure the symptoms are identical i.e. in no particular order:

- Asymmetric routing (both direction/sides of the flow need to traverse the firewall)

- Aggressive aging (due to resource issue or other transient event)

- App issue / TCP half-closed (sk11088 / sk137672)

- HTTPS inspection (sk118415)

Re: First packet isn't syn

maad-pul — Mon, 15 Aug 2022 05:57:24 GMT

Yes, patched an the problem was solved. According to TAC PRJ-30820 was the issue.

Re: First packet isn't syn

maad-pul — Mon, 15 Aug 2022 14:15:35 GMT

PRJ-30820 was my issue.

Re: First packet isn't syn

CheckPointerXL — Mon, 29 Aug 2022 13:46:48 GMT

i'm happy for you.

I don't think that's my case, PRJ-30820 is on T38 and i faced the problem on T55

Re: First packet isn't syn

Ravi_cp — Mon, 05 Sep 2022 02:57:06 GMT

I'm facing similar kind of issue after upgrade and pushing policy on standby gateway .we are not able to access the web UI/ssh of gateway.

While further checking in log found lot of TCP out of order packet drop for reverse traffic, for testing purpose added gateway in expectation, than it starting working . Observers gateway for 2 min and found gateway hang and not responding , so again started new session of ssh but response is too slow again checked resource and found utilisation is fair enough .

So I drop the plan of upgrade and rollback the change .

Upgrade from R80.30 to R81 latest jumbo hotfix.