This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
batmunkh_unubuk
Contributor
‎2017-10-03 07:44 PM
Jump to solution

First packet isn't SYN

my gateway R80.10 and multicast cluster working. but internet is very slow and didnot drop any packet. 

only one drop packet is below picture. how can i solve this issue?

1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2017-10-05 07:12 AM
Jump to solution

If I see an "out of state" error and the TCP flags involved are FIN and/or RST, I generally ignore them as they tend to be harmless in the majority of cases.  It simply indicates that the subject connection was not terminated cleanly as far as the firewall is concerned; this can be caused by many things including poorly-written applications and transient network and/or system problems.  However if these "out of state" logs for RST/FIN are conclusively correlated with application performance problems, TCP state logging (sk101221) and sending a TCP RST upon connection expiration (sk19746) can be useful here.  The former SK was covered in my book, while the latter SK was mentioned in the addendum to my book available for free at the URL below.

 

But the following combinations in an "out of state" error message will tend to get my attention:

 

SYN-ACK - Strong indicator of asymmetric routing on the forward path (from the connection's perspective), where the firewall is only seeing the return direction of the TCP 3-way handshake.

 

ACK all by itself - Probably asymmetric routing on the return path (from the connection's perspective).

 

ACK accompanied by PSH (or perhaps just ACK by itself) - The connection was timed out by the firewall due to inactivity. 

 

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2017-10-03 09:50 PM
Jump to solution

For TCP connections, the first packet the Security Gateway expects to see is a TCP SYN.

This packet would then be evaluated by the rulebase to determine whether or not the connection is permitted.

If it sees a TCP packet that is not a SYN and it can be associated with an existing allowed connection, then the packet will pass.

In the case where the TCP packet is NOT a SYN and cannot be associated with an existing connection, you see this error.

If you search on the phrase "First packet isn't SYN" in SecureKnowledge, there are several possible reasons this might occur.

In your case, it looks like a FIN-ACK packet has been received.

These are associated with closing a TCP connection gracefully.

The Security Gateway had already aged out the connection from the connections table, which happens after the TCP End Timeout (40 seconds by default, as I recall).

dorj_erdeneochi
Explorer
‎2017-10-03 10:06 PM
In response to PhoneBoy
Jump to solution

How can we resolve this ? do we increase the TCP end timeout?  

0 Kudos
Danny
Champion Champion
Champion
‎2017-10-03 10:50 PM
In response to dorj_erdeneochi
Jump to solution

Yes, this would be an option to consider and try.

Another option would be configuring and exception as described in sk11088 with sk98239.

Marco_Valenti
Advisor
‎2017-10-04 12:40 AM
In response to dorj_erdeneochi
Jump to solution

create a new service for the interested connections and increase his session timeout if it is really needed

do not modify stateful inspection settings or any file on your management

MK9
Contributor
‎2017-10-04 12:00 AM
Jump to solution

I would first check routing. Make sure, out and in packets use same route and same checkpoints inerface.

Timothy_Hall
Legend Legend
Legend
‎2017-10-05 07:12 AM
Jump to solution

If I see an "out of state" error and the TCP flags involved are FIN and/or RST, I generally ignore them as they tend to be harmless in the majority of cases.  It simply indicates that the subject connection was not terminated cleanly as far as the firewall is concerned; this can be caused by many things including poorly-written applications and transient network and/or system problems.  However if these "out of state" logs for RST/FIN are conclusively correlated with application performance problems, TCP state logging (sk101221) and sending a TCP RST upon connection expiration (sk19746) can be useful here.  The former SK was covered in my book, while the latter SK was mentioned in the addendum to my book available for free at the URL below.

 

But the following combinations in an "out of state" error message will tend to get my attention:

 

SYN-ACK - Strong indicator of asymmetric routing on the forward path (from the connection's perspective), where the firewall is only seeing the return direction of the TCP 3-way handshake.

 

ACK all by itself - Probably asymmetric routing on the return path (from the connection's perspective).

 

ACK accompanied by PSH (or perhaps just ACK by itself) - The connection was timed out by the firewall due to inactivity. 

 

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
HeikoAnkenbrand
Champion Champion
Champion
‎2018-07-07 06:13 AM
Jump to solution

The issue with FIN-ACK can also arise if you have software blades (HTTPS interception,...) on that check the content.

For HTTPS see:

TCP [FIN-ACK] packets for HTTPS traffic are dropped as out-of-state after enabling HTTPS Inspection 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top