
"TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker

I have a 5600 appliance running Gaia R77.30 that is behind a Sophos IPS, and the Sophos IPS is in bridge mode.

I am installing all the latest hotfixes, but the issue is still the same: some websites are not accessible, and SmartView Tracker is showing "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK".

 

5 Replies

Re: "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker

You might need to start with traffic captures and check the traffic flow; after that, you might start looking at the timers for TCP connections.

0 Kudos

Re: "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker

Please see my response in the thread below for guidance about how to troubleshoot this message:

https://community.checkpoint.com/message/9300-re-first-packet-isnt-sync?commentID=9300#comment-9300 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
0 Kudos

Re: "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker

Dear Timothy,

Thanks for your response. I am trying all these steps, but the issue is still the same. I am also trying to remove the Sophos FW and terminate the cable directly on the Check Point 5600 appliance, unmark the URL Filtering blade, and create one policy: source LAN, destination any, service any, allow, with logging enabled.

0 Kudos

Re: "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker

If I'm understanding your reply correctly, you are removing a Sophos firewall and trying to replace it with a Check Point.  The instant the Check Point is connected you will get a flurry of "out of state" messages, since all the existing connections at the time of replacement are not known to the Check Point, and by default will be dropped. 

You can blunt the impact of this replacement by unchecking "Drop out of state TCP packets" under Global Properties...Stateful Inspection and reinstalling policy to the firewall prior to the cutover.  Unchecking this box will cause the firewall to attempt to "resurrect" the existing connections back into the state table and allow them to continue.  You can also switch off the dropping of out of state TCP packets "on the fly" by running this command on the gateway: fw ctl set int fw_allow_out_of_state_tcp 1

Do not forget to recheck the "Drop out of state TCP packets" checkbox once the firewall replacement is complete and you have successfully executed your test plan.  This setting should not be left disabled!

0 Kudos
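
A simplified model of the stateful check described in the reply above, added here as an illustration; it is not part of the thread and not Check Point's implementation. It shows why connections that predate the gateway are logged as out of state, and what changes when the drop is switched off. The `Pkt` and `inspect` names, the addresses and the packet list are constructed for the example.

```python
from dataclasses import dataclass

FLAG_NAMES = {"S": "SYN", "SA": "SYN-ACK", "A": "ACK"}

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # key of FLAG_NAMES

def conn_key(p):
    # Same key for both directions of one TCP connection.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def inspect(packets, drop_out_of_state=True):
    """Return one verdict per packet from a toy state table (illustrative model)."""
    table, verdicts = set(), []
    for p in packets:
        key = conn_key(p)
        if key in table:
            verdicts.append("accept")      # connection already tracked
        elif p.flags == "S":
            table.add(key)                 # a SYN legitimately opens a new entry
            verdicts.append("accept")
        elif drop_out_of_state:
            verdicts.append("drop: First packet isn't SYN; tcp_flags: "
                            + FLAG_NAMES[p.flags])
        else:
            table.add(key)                 # "resurrect" the unknown connection
            verdicts.append("accept (resurrected)")
    return verdicts

# Constructed traffic as seen by the new gateway right after cutover.
PACKETS = [
    Pkt("10.0.0.5", 40000, "203.0.113.10", 443, "S"),   # opened after cutover
    Pkt("203.0.113.10", 443, "10.0.0.5", 40000, "SA"),
    Pkt("10.0.0.5", 40000, "203.0.113.10", 443, "A"),
    Pkt("203.0.113.20", 443, "10.0.0.6", 40001, "SA"),  # its SYN was never seen here
    Pkt("10.0.0.6", 40001, "203.0.113.20", 443, "A"),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("drop_out_of_state =", mode)
        for p, v in zip(PACKETS, inspect(PACKETS, mode)):
            print(f"  {p.src}:{p.sport} -> {p.dst}:{p.dport} [{FLAG_NAMES[p.flags]}] {v}")
```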

Re: "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker

Dear Timothy,

Thanks for your response, it works for me.

0 Kudos