topic Re: TCP packet out of state:Server to client packet of an old TCP connection | TCP Flags:SYN | drop in General Topics

TCP packet out of state:Server to client packet of an old TCP connection | TCP Flags:SYN | drop

Herschel_Liang — Fri, 11 Dec 2020 09:51:49 GMT

Network diagram:

Internet Production

Client behind FW ----> Border Router(NAT) ---> CP ---> SFTP Server：TCP22

188.40.191.20 (one map one)10.50.11.33 10.30.7.201:22

Policy:

S:10.50.11.33 D:10.30.7.201 service：ssh && sshv2 Action:Allow

S:10.30.7.0/24 D:any service：any Action:Allow

Client(188.40.191.20) tries to access SFTP Server fail. connect time out.

But I just can see reverse direction logs as below:

Id: ac14481d-9b4b-f025-5fd3-32a26091001b
Marker: @A@@B@1607675798@C@2060526
Log Server Origin: 172.20.72.29
Time: 2020-12-11T08:49:38Z
Interface Direction: inbound
Interface Name: eth1-03
Id Generated By Indexer:false
First: true
Sequencenum: 1164
TCP packet out of state:Server to client packet of an old TCP connection
TCP Flags: SYN
Source: 10.30.7.201
Source Port: 22
Destination: 10.50.11.33
Destination Port: 12288
IP Protocol: 6
Action: Drop
Type: Connection
Policy Name: Standard
Policy Management: SmartCenter
Db Tag: {E8EF89A6-20F4-3044-91ED-72D3DD169570}
Policy Date: 2020-12-10T09:47:02Z
Blade: Firewall
Origin: ICDCFW-1
Service: TCP/12288
Product Family: Access
Logid: 1
Interface: eth1-03
Description: TCP/12288 Traffic Dropped from 10.30.7.201 to 10.50.11.33

Who can tell me why and how to solve it?

Re: TCP packet out of state:Server to client packet of an old TCP connection | TCP Flags:SYN | drop

PhoneBoy — Sat, 12 Dec 2020 02:45:55 GMT

Sounds the connection aged out of the connections table.
You can see if Smart Connection Reuse will help but I suspect a TAC case may be required: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk24960&partition=Advanced&product=Security

Re: TCP packet out of state:Server to client packet of an old TCP connection | TCP Flags:SYN | drop

JozkoMrkvicka — Sat, 12 Dec 2020 09:50:20 GMT

There is dedicated service SFTP which should be used instead of ssh (or sshv2).

Not sure if relevant, but some services (like TFTP) are using ephemeral ports which are required to be opened on the firewall.

Re: TCP packet out of state:Server to client packet of an old TCP connection | TCP Flags:SYN | drop

Herschel_Liang — Sat, 12 Dec 2020 10:06:42 GMT

It seems that no SFTP dedicated service in CP.

Re: TCP packet out of state:Server to client packet of an old TCP connection | TCP Flags:SYN | drop

PhoneBoy — Sun, 13 Dec 2020 00:05:01 GMT

Right, because FTP over SSH is still basically over port 22 and the traffic is encrypted the same as regular SSH.

Re: TCP packet out of state:Server to client packet of an old TCP connection | TCP Flags:SYN | drop

Herschel_Liang — Mon, 14 Dec 2020 03:14:45 GMT

Tried the sk24960 solution, but it seems it still exists.