Herschel_Liang
Collaborator

TCP packet out of state: Server to client packet of an old TCP connection | TCP Flags: SYN | drop

Network diagram:

Internet                                            Production
Client behind FW  ---->  Border Router (NAT)   ---> CP --->  SFTP Server:TCP22
188.40.191.20            (one-to-one map) 10.50.11.33          10.30.7.201:22

Policy:

  S:10.50.11.33    D:10.30.7.201    service:ssh && sshv2    Action:Allow
  S:10.30.7.0/24   D:any            service:any             Action:Allow

The client (188.40.191.20) tries to access the SFTP server and fails: connection timed out.

But I can only see reverse-direction logs, as below:

Id: ac14481d-9b4b-f025-5fd3-32a26091001b
Marker: @A@@B@1607675798@C@2060526
Log Server Origin: 172.20.72.29
Time: 2020-12-11T08:49:38Z
Interface Direction: inbound
Interface Name: eth1-03
Id Generated By Indexer:false
First: true
Sequencenum: 1164
TCP packet out of state:Server to client packet of an old TCP connection
TCP Flags: SYN
Source: 10.30.7.201
Source Port: 22
Destination: 10.50.11.33
Destination Port: 12288
IP Protocol: 6
Action: Drop
Type: Connection
Policy Name: Standard
Policy Management: SmartCenter
Db Tag: {E8EF89A6-20F4-3044-91ED-72D3DD169570}
Policy Date: 2020-12-10T09:47:02Z
Blade: Firewall
Origin: ICDCFW-1
Service: TCP/12288
Product Family: Access
Logid: 1
Interface: eth1-03
Description: TCP/12288 Traffic Dropped from 10.30.7.201 to 10.50.11.33

 

Can anyone tell me why, and how to solve it?

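A small triage script for drop records like the one above, added here as an example and not part of any post in this thread. It reads records in the same "Key: value" layout the log above uses, flags out-of-state drops that look like the return leg of an allowed service (source port 22, ephemeral destination port), and checks whether a forward-direction Accept for the same flow was logged shortly before. The sample records, the EPHEMERAL_MIN threshold, the ten-minute window and the Accept record layout are all assumptions made for this example; only the second record reproduces the drop posted in the thread.

```python
"""Triage helper for 'TCP packet out of state' drops (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumption: destination ports at or above this value are treated as
# client-side ephemeral ports (Linux defaults to 32768+, Windows to 49152+;
# 1024 is deliberately permissive so NAT-rewritten ports are not missed).
EPHEMERAL_MIN = 1024

# Constructed sample dump. The second record reproduces the drop from the
# thread (trimmed to the fields the triage needs). The first is a constructed
# forward-direction Accept that a state-table age-out would leave behind; the
# third is a constructed reverse-direction drop with no forward leg logged.
SAMPLE_LOG = """
Time: 2020-12-11T08:45:02Z
Interface Direction: inbound
TCP Flags: SYN
Source: 10.50.11.33
Source Port: 12288
Destination: 10.30.7.201
Destination Port: 22
IP Protocol: 6
Action: Accept
Origin: ICDCFW-1

Time: 2020-12-11T08:49:38Z
Interface Direction: inbound
Interface Name: eth1-03
TCP packet out of state: Server to client packet of an old TCP connection
TCP Flags: SYN
Source: 10.30.7.201
Source Port: 22
Destination: 10.50.11.33
Destination Port: 12288
IP Protocol: 6
Action: Drop
Origin: ICDCFW-1

Time: 2020-12-11T08:51:10Z
Interface Direction: inbound
TCP packet out of state: Server to client packet of an old TCP connection
TCP Flags: SYN
Source: 10.30.7.201
Source Port: 22
Destination: 10.50.11.33
Destination Port: 40000
IP Protocol: 6
Action: Drop
Origin: ICDCFW-1
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split a blank-line-separated dump into 'Key: value' dicts."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def _when(rec: Dict[str, str]) -> datetime:
    return datetime.strptime(rec["Time"], "%Y-%m-%dT%H:%M:%SZ")


def _flow(rec: Dict[str, str]) -> Tuple[str, str, str, str]:
    return (rec["Source"], rec["Source Port"], rec["Destination"], rec["Destination Port"])


def is_reverse_leg_drop(rec: Dict[str, str], allowed_ports=frozenset({22})) -> bool:
    """True for an out-of-state drop whose source port is an allowed service
    port and whose destination port looks ephemeral: the server's reply to a
    client connection the firewall no longer (or never) holds state for."""
    if rec.get("Action") != "Drop" or "TCP packet out of state" not in rec:
        return False
    return (int(rec["Source Port"]) in allowed_ports
            and int(rec["Destination Port"]) >= EPHEMERAL_MIN)


def triage(records: List[Dict[str, str]], window=timedelta(minutes=10)) -> List[Dict]:
    """For each reverse-leg drop, report whether the matching forward flow was
    accepted within `window` before it, and what that suggests checking."""
    accepts = [r for r in records if r.get("Action") == "Accept"]
    findings = []
    for rec in records:
        if not is_reverse_leg_drop(rec):
            continue
        src, sport, dst, dport = _flow(rec)
        forward = (dst, dport, src, sport)
        t = _when(rec)
        seen = any(_flow(a) == forward and timedelta(0) <= t - _when(a) <= window
                   for a in accepts)
        findings.append({
            "time": rec["Time"],
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "forward_seen": seen,
            "hint": ("forward leg was accepted earlier: the state entry likely aged out; "
                     "review TCP session timeouts / Smart Connection Reuse"
                     if seen else
                     "no forward leg logged on this gateway: check the NAT mapping and "
                     "whether the client's SYN reaches this gateway at all"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['flow']} forward_seen={f['forward_seen']}: {f['hint']}")
```

The two outcomes separate the two explanations the thread circles around: a drop whose forward leg was accepted minutes earlier points at the connection table (timeouts, age-out), while a drop with no forward leg on the same gateway points at the path or the NAT mapping in front of it.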
PhoneBoy
Admin

Sounds like the connection aged out of the connections table.
You can see if Smart Connection Reuse will help but I suspect a TAC case may be required: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Herschel_Liang
Collaborator

I tried the sk24960 solution, but the problem still seems to exist.

JozkoMrkvicka
Leader

There is a dedicated SFTP service which should be used instead of ssh (or sshv2).

Not sure if relevant, but some services (like TFTP) use ephemeral ports, which need to be opened on the firewall.

Kind regards,
Jozko Mrkvicka
Herschel_Liang
Collaborator

It seems that there is no dedicated SFTP service in CP.

PhoneBoy
Admin

Right, because FTP over SSH still basically runs over port 22, and the traffic is encrypted the same as regular SSH.