https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37169#M7879 <HTML><HEAD></HEAD><BODY><P>Dear Timothy</P><P></P><P>Thanks for your response i am trying all these step but issue is still same i am also trying to remove Sophos FW and terminate cable directly on&nbsp; Checkpoint 5600 appliance unmark URL filtering blade create one policy that is source LAN destination any services any allow with log enable.</P></BODY></HTML> Sat, 07 Jul 2018 06:46:58 GMT Ramawatar_Maury 2018-07-07T06:46:58Z https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37166#M7876 <HTML><HEAD></HEAD><BODY><P>I have 5600 appliance running on Gaia R77.30 that is behind Sophos IPS and Sophos IPS is in bridge mode.</P><P>I am installing all latest hot fix but issue is still same some website is not accessible and in SmartView tracker that is showing&nbsp;<CODE style="color: #000000; font-size: 14px;">TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK</CODE><SPAN>" .@</SPAN></P><P><SPAN>&nbsp;</SPAN></P></BODY></HTML> Fri, 06 Jul 2018 17:54:04 GMT https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37166#M7876 Ramawatar_Maury 2018-07-06T17:54:04Z https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37167#M7877 <HTML><HEAD></HEAD><BODY><P>You might need to start by traffic captures and check the traffic flow after that you might start looking at timers for tcp connection.</P></BODY></HTML> Fri, 06 Jul 2018 20:51:13 GMT https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37167#M7877 Houssameddine_1 2018-07-06T20:51:13Z https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37168#M7878 <HTML><HEAD></HEAD><BODY><P>Please see my response in the thread below for guidance about how to troubleshoot this message:</P><P></P><P><A _jive_internal="true" class="link-titled" href="https://community.checkpoint.com/message/9300-re-first-packet-isnt-sync?commentID=9300#comment-9300" title="https://community.checkpoint.com/message/9300-re-first-packet-isnt-sync?commentID=9300#comment-9300">https://community.checkpoint.com/message/9300-re-first-packet-isnt-sync?commentID=9300#comment-9300</A>&nbsp;</P><P></P><P>--<BR /> Second Edition of my "Max Power" Firewall Book<BR /> Now Available at <A href="http://www.maxpowerfirewalls.com" target="_blank">http://www.maxpowerfirewalls.com</A></P></BODY></HTML> Fri, 06 Jul 2018 21:29:59 GMT https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37168#M7878 Timothy_Hall 2018-07-06T21:29:59Z https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37169#M7879 <HTML><HEAD></HEAD><BODY><P>Dear Timothy</P><P></P><P>Thanks for your response i am trying all these step but issue is still same i am also trying to remove Sophos FW and terminate cable directly on&nbsp; Checkpoint 5600 appliance unmark URL filtering blade create one policy that is source LAN destination any services any allow with log enable.</P></BODY></HTML> Sat, 07 Jul 2018 06:46:58 GMT https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37169#M7879 Ramawatar_Maury 2018-07-07T06:46:58Z https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37170#M7880 <HTML><HEAD></HEAD><BODY><P>If I'm understanding your reply correctly, you are removing a Sophos firewall and trying to replace it with a Check Point.&nbsp; The instant the Check Point is connected you will get a flurry of "out of state" messages, since all the existing connections at the time of replacement are not known to the Check Point, and by default will be dropped.&nbsp;</P><P></P><P>You can blunt the impact of this replacement by unchecking "Drop out of state TCP packets" under Global Properties...Stateful Inspection and reinstalling policy to the firewall prior to the cutover.&nbsp; Unchecking this box will cause the firewall to attempt to "resurrect" the existing connections back into the state table and allow them to continue.&nbsp; You can also switch off the dropping of out of state TCP packets "on the fly" by running this command on the gateway: <EM><STRONG>fw ctl set int fw_allow_out_of_state_tcp 1</STRONG></EM></P><P></P><P><EM>Do not forget to recheck the "Drop out of state TCP packets" checkbox once the firewall replacement is complete and you have successfully executed your test plan.&nbsp; This setting should not be left disabled!</EM></P><P></P><P>--<BR /> Second Edition of my "Max Power" Firewall Book<BR /> Now Available at <A href="http://www.maxpowerfirewalls.com" target="_blank">http://www.maxpowerfirewalls.com</A></P></BODY></HTML> Sun, 08 Jul 2018 14:03:36 GMT https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37170#M7880 Timothy_Hall 2018-07-08T14:03:36Z https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37171#M7881 <HTML><HEAD></HEAD><BODY><P>Dear Timothy&nbsp;</P><P></P><P>Thanks for your response its work for me.&nbsp;</P></BODY></HTML> Mon, 09 Jul 2018 06:22:12 GMT https://community.checkpoint.com/t5/General-Topics/TCP-packet-out-of-state-First-packet-isn-t-SYN-tcp-flags-SYN-ACK/m-p/37171#M7881 Ramawatar_Maury 2018-07-09T06:22:12Z