topic Re: Getting drops for the traffic stating first packet is not a syn in General Topics

Getting drops for the traffic stating first packet is not a syn

abhishek2126 — Fri, 21 Jul 2023 15:13:01 GMT

Hi,

I am seeing traffic dropped, stating first packet is not a syn.

Can someone clarify why its happening? A screenshot is attached.

Re: Getting drops for the traffic stating first packet is not a syn

PhoneBoy — Fri, 21 Jul 2023 22:29:19 GMT

The message is explained here: https://support.checkpoint.com/results/sk/sk31382

Re: Getting drops for the traffic stating first packet is not a syn

the_rock — Sat, 22 Jul 2023 00:05:14 GMT

That error is essentially fancy way CP "tells" you that 3-way handshake is not completing. You need to run packet captures (tcpdump and fw monitor) to see whats is happening with the traffic.

Lets pretend (for this example) that src is 1.1.1.1 and dst is 2.2.2.2 and port is 443

You could run below:

tcpdump -enni any host 1.1.1.1 and host 2.2.2.2 and port 443

fw monitor -e "accept host(2.2.2.2) and port(443);"

fw monitor -F "1.1.1.1,0,2.2.2.2,443,0" -F "2.2.2.2,0,1.1.1.1,443,0"

idea is srcip,srcport,dstip,dstport,protocol...so you can have as many -F flags this way

Hope that helps.

Andy

Re: Getting drops for the traffic stating first packet is not a syn

Chris_Atkinson — Sat, 22 Jul 2023 00:32:51 GMT

Which version & JHF is the gateway?

There are many previous threads here discussing different solutions be it due to asymmetric routing, aggressive aging, bugs or otherwise.

Re: Getting drops for the traffic stating first packet is not a syn

the_rock — Sat, 22 Jul 2023 00:39:14 GMT

@Chris_Atkinson makes an excellent point as well. If I were you, I would upgrade to R81.10 jumbo 95 if you can, that mind you if your gateways are on R80.40. If you are already on R81.10, then your next steps are things we suggested.

Andy