Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
minhhaivietnam
Collaborator
Jump to solution

Meaning of flag in packet dropped

Hello Checkmate,

Please who tell me what is meaning of flag below:

This log saying that this TCP session is timeout and packet is dropped. But I'm not sure that RST-ACK/RST flag below , is send from Server or Client or  from Firewall

IF it is from firewall; send to both side (client & Server) ? and what is the purpose for sending this flag?

IF it is from Server ( or client) , is purpose that: tell other end-point to close connection?

Is type of packet with this flag impact performance of network?

 

 

THANK A LOT!!!

 

 

 

 

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Champion
Champion

Please see my post here for an explanation of what TCP flags in a log entry like this are significant, and which can be ignored:

https://community.checkpoint.com/t5/General-Topics/First-packet-isn-t-SYN/m-p/7021

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

4 Replies
Timothy_Hall
Champion
Champion

Please see my post here for an explanation of what TCP flags in a log entry like this are significant, and which can be ignored:

https://community.checkpoint.com/t5/General-Topics/First-packet-isn-t-SYN/m-p/7021

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
minhhaivietnam
Collaborator

Thank sir,

I've checked my firewall , it is configured to send RST packet upon expiration session. So this is reason I saw RST flag on my log.

One more question about RST-ACK flag in first picture: I'm not sure whether this flag is come from ? or it also generated by firewall.

 

Thanks again!

 

 

 

 

 

0 Kudos
G_W_Albrecht
Legend
Legend

Explain what ? The referred article contains the complete picture - and how TCP connections work should be clear to you anyway...

CCSE CCTE CCSM SMB Specialist
0 Kudos
Timothy_Hall
Champion
Champion

Looking at your screenshot it appears that BD_ originally initiated a connection to FO_ on destination TCP port 5703 and source port 53049.  BD_ appears to have originated the RST to FO_ (not the firewall itself), but it was blocked by the firewall since the connection was probably already dead on the firewall (i.e. no longer recorded in the connections state table).  As mentioned in my linked article this RST drop situation can generally be ignored since BD_ is quite aware that the connection is dead (its sending a RST), the firewall is aware too (has no connections table entry), so it is now up to FO_ to figure out the connection is dead, but it may have already done so anyway.  No way to tell for sure about the state of FO_ here.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events