Re: Getting drops for the traffic stating first pa...

abhishek2126 · ‎2023-07-21

Hi,

I am seeing traffic dropped, stating first packet is not a syn.

Can someone clarify why its happening? A screenshot is attached.

PhoneBoy · ‎2023-07-21

The message is explained here: https://support.checkpoint.com/results/sk/sk31382

the_rock · ‎2023-07-21

That error is essentially fancy way CP "tells" you that 3-way handshake is not completing. You need to run packet captures (tcpdump and fw monitor) to see whats is happening with the traffic.

Lets pretend (for this example) that src is 1.1.1.1 and dst is 2.2.2.2 and port is 443

You could run below:

tcpdump -enni any host 1.1.1.1 and host 2.2.2.2 and port 443

fw monitor -e "accept host(2.2.2.2) and port(443);"

fw monitor -F "1.1.1.1,0,2.2.2.2,443,0" -F "2.2.2.2,0,1.1.1.1,443,0"

idea is srcip,srcport,dstip,dstport,protocol...so you can have as many -F flags this way

Hope that helps.

Andy

Chris_Atkinson · ‎2023-07-21

Which version & JHF is the gateway?

There are many previous threads here discussing different solutions be it due to asymmetric routing, aggressive aging, bugs or otherwise.

CCSM R77/R80/ELITE

the_rock · ‎2023-07-21

@Chris_Atkinson makes an excellent point as well. If I were you, I would upgrade to R81.10 jumbo 95 if you can, that mind you if your gateways are on R80.40. If you are already on R81.10, then your next steps are things we suggested.

Andy

Are you a member of CheckMates?

Getting drops for the traffic stating first packet is not a syn