Meaning of flag in packet dropped


Hello Checkmate,

Can someone please tell me the meaning of the flag below:

This log says that this TCP session has timed out and the packet is dropped. But I'm not sure whether the RST-ACK/RST flag below is sent from the server, the client, or the firewall.

If it is from the firewall, is it sent to both sides (client and server)? And what is the purpose of sending this flag?

If it is from the server (or client), is the purpose to tell the other endpoint to close the connection?

Does this type of packet with this flag impact the performance of the network?

flag.png

flag2.png

THANKS A LOT!!!

Accepted Solutions
Champion

Please see my post here for an explanation of what TCP flags in a log entry like this are significant, and which can be ignored:

https://community.checkpoint.com/t5/General-Topics/First-packet-isn-t-SYN/m-p/7021

 

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com



Contributor

Thank you, sir,

I've checked my firewall; it is configured to send an RST packet upon session expiration. So this is the reason I saw the RST flag in my log.

One more question about the RST-ACK flag in the first picture: I'm not sure where this flag comes from, or whether it is also generated by the firewall.

Thanks again!
Champion

Explain what? The referred article contains the complete picture - and how TCP connections work should be clear to you anyway...

Champion

Looking at your screenshot it appears that BD_ originally initiated a connection to FO_ on destination TCP port 5703 and source port 53049. BD_ appears to have originated the RST to FO_ (not the firewall itself), but it was blocked by the firewall since the connection was probably already dead on the firewall (i.e. no longer recorded in the connections state table). As mentioned in my linked article this RST drop situation can generally be ignored since BD_ is quite aware that the connection is dead (it's sending a RST), the firewall is aware too (has no connections table entry), so it is now up to FO_ to figure out the connection is dead, but it may have already done so anyway. No way to tell for sure about the state of FO_ here.

 

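The drop described in the last reply can be reproduced with a simplified model of a stateful connections table. This is an added example, not part of the original thread and not Check Point's implementation; the `StateTable` class, the 3600-second idle timeout and the packet timestamps are assumptions, while the hosts and ports are the ones named in the reply.

```python
# Simplified model of a stateful firewall's connections table (illustration
# only; not Check Point's implementation). Hosts/ports are taken from the
# thread; the timeout value and timestamps are constructed.
IDLE_TIMEOUT = 3600  # seconds; assumed idle timeout for established TCP

class StateTable:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.conns = {}  # normalized 4-tuple -> last-seen timestamp

    @staticmethod
    def _key(src, sport, dst, dport):
        # Both directions of a connection map to the same entry.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def _expire(self, now):
        for key, seen in list(self.conns.items()):
            if now - seen > self.idle_timeout:
                del self.conns[key]

    def handle(self, now, src, sport, dst, dport, flags):
        """Return (verdict, reason) for one TCP packet."""
        self._expire(now)
        key = self._key(src, sport, dst, dport)
        flags = set(flags.split("-"))
        if key in self.conns:
            if "RST" in flags or "FIN" in flags:
                del self.conns[key]  # simplification: tear down at once
            else:
                self.conns[key] = now
            return "accept", "matches connections table entry"
        if flags == {"SYN"}:
            self.conns[key] = now
            return "accept", "new connection"
        return "drop", "out of state: no connections table entry"

def replay():
    fw = StateTable()
    packets = [  # constructed timeline for the flow in the screenshot
        (0, "BD_", 53049, "FO_", 5703, "SYN"),
        (1, "FO_", 5703, "BD_", 53049, "SYN-ACK"),
        (2, "BD_", 53049, "FO_", 5703, "ACK"),
        (4000, "BD_", 53049, "FO_", 5703, "RST-ACK"),  # after idle timeout
    ]
    return [fw.handle(*p) for p in packets]

if __name__ == "__main__":
    for verdict, reason in replay():
        print(verdict, "-", reason)
```

The same RST-ACK sent while the entry still exists is accepted and removes the entry, which is why only the late one shows up as a drop in the log.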