This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Teddy_Brewski
Collaborator
a week ago

Lots of First packet isn't SYN

Hello,

R81.20 Take 92 running on open servers.

We're experiencing a lot of First packet isn't SYN drops which also seem to affect legitimate traffic (HTTPS and RDP).

The TCP flag is almost always PUSH-ACK with occasional ACK.

It's not happening all the time, but only during peak hours, hence it seems to be linked to the load. Perhaps it's worth mentioning but it's also happening to the devices that act as proxies (for example Sophos ZTNA). Direct RDP connections from a server/workstation A to a server/workstation B work flawlessly, but connections from ZTNA gateways get occasionally interrupted (with First packet isn't SYN PUSH-ACK logged) and users experience disconnections and must reconnect.

From the application perspective, we see the following in the logs:

Reading from WebSocket failed. websocket: close 1006 (abnormal closure): unexpected EOF","time

The gateway has plenty of RAM (64GB) and CPU load is around 35-45%. The number of concurrent connections is around 25-30K during peak hours, with 55K configured as a maximum value.

What we tried so far:

- increase the timeout for RDP and HTTPS;
- disable "Smart Connection Reuse" feature;
- install the latest Take;
- fail-over to the standby and reboot.

Thank you in advance for any tips and hints!

0 Kudos
30 Replies
Teddy_Brewski
Collaborator
Wednesday
In response to spottex

Hello @spottex 

It does. It hits external VSX, then internal (regular) firewall.

We did try to disable Connection Reuse feature on internal firewall, however, it didn't help.

To reduce the number of variables, we replicated the setup on internal firewall only and still experienced the same disconnections, so decided to focus on internal gateway only for the moment.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events