One of my customers purchased a set of CP-5800 security gateways.

They deployed the security gateway at the data center egress and mapped the intranet server to the Internet for communication through NAT. However, a problem has recently been discovered: service access occasionally times out. Using "fw ctl zdebug drop" on the firewall, it is found that the firewall intercepts the SYN packet sent by the server to the client. The reason given in the zdebug output is "dropped by fw_tcp_state_verification Reason: SYN on established conn response".

I am wondering why the connection has been established and responded to, yet the packet is still dropped. Could the experts please help me understand the reason for the drop?

System version of the security gateway: R80.10
Hotfix version: Take_203
Peak single-core CPU usage: 20%
Peak throughput: 30Mbps


You should only see a TCP SYN packet at the beginning of a connection.
If you see it at any other time during a connection, it would be dropped as that is not expected behavior.
Is the connection previously established or not?
Additional debugs may be needed possibly with TAC assistance.
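To make the point of the answer above concrete, here is a toy stateful TCP tracker, written for this thread and not Check Point code: it keeps one entry per bidirectional 4-tuple, moves it through SYN_SENT, SYN_RECEIVED and ESTABLISHED, and refuses a SYN that arrives while the entry is still ESTABLISHED. The state names, verdict strings and the two constructed packet traces are this example's own; the drop reason merely echoes the wording of the zdebug line in the question. The first trace shows one way such a drop can happen: the tracker never observes the teardown of a connection, so a later SYN that reuses the same source port lands on an entry it still believes is established. The second trace shows the same reuse after a reset the tracker did see.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits (RFC 793 bit positions).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class ConnState:
    initiator: Tuple[str, int]  # endpoint whose SYN opened the flow
    state: str                  # "SYN_SENT", "SYN_RECEIVED" or "ESTABLISHED"


class TcpStateTracker:
    """Minimal connection table keyed by the direction-independent 4-tuple.
    Toy illustration of stateful TCP inspection; not a real gateway's logic."""

    def __init__(self) -> None:
        self.table: Dict[FlowKey, ConnState] = {}

    @staticmethod
    def key(p: Packet) -> FlowKey:
        # Order the two endpoints so both directions hit the same entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def inspect(self, p: Packet) -> str:
        k = self.key(p)
        conn = self.table.get(k)
        src = (p.src, p.sport)

        # A reset we actually see ends the tracked connection.
        if (p.flags & RST) and conn is not None:
            del self.table[k]
            return "accept (RST, connection removed)"

        if conn is None:
            # Only a bare SYN may open a new entry.
            if p.flags & SYN and not p.flags & ACK:
                self.table[k] = ConnState(src, "SYN_SENT")
                return "accept (new connection)"
            return "drop: first packet is not a SYN"

        if conn.state == "SYN_SENT":
            if p.flags & SYN and p.flags & ACK and src != conn.initiator:
                conn.state = "SYN_RECEIVED"
                return "accept (SYN/ACK)"
            if p.flags & SYN and src == conn.initiator:
                return "accept (SYN retransmission)"
            return "drop: unexpected flags in SYN_SENT"

        if conn.state == "SYN_RECEIVED":
            if p.flags & ACK and not p.flags & SYN:
                conn.state = "ESTABLISHED"
                return "accept (handshake complete)"
            if p.flags & SYN and p.flags & ACK:
                return "accept (SYN/ACK retransmission)"
            return "drop: unexpected flags in SYN_RECEIVED"

        # ESTABLISHED: a SYN has no business here, so the toy mirrors the verdict
        # quoted in the question.
        if p.flags & SYN:
            return "drop: SYN on established conn"
        return "accept (established)"


def replay(packets: List[Packet]) -> List[str]:
    tracker = TcpStateTracker()
    return [tracker.inspect(p) for p in packets]


# Constructed addresses and ports; RFC 5737 space for the "Internet" side.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"


def scenario_unseen_teardown() -> List[str]:
    """Handshake seen, teardown never seen, then the source port is reused."""
    trace = [
        Packet(CLIENT, 51000, SERVER, 443, SYN),
        Packet(SERVER, 443, CLIENT, 51000, SYN | ACK),
        Packet(CLIENT, 51000, SERVER, 443, ACK),
        # ... data ...; the FIN/RST that closed this flow bypassed the tracker.
        Packet(CLIENT, 51000, SERVER, 443, SYN),  # same 4-tuple, fresh SYN
    ]
    return replay(trace)


def scenario_seen_reset() -> List[str]:
    """Same reuse, but the tracker observed the reset that ended the flow."""
    trace = [
        Packet(CLIENT, 51000, SERVER, 443, SYN),
        Packet(SERVER, 443, CLIENT, 51000, SYN | ACK),
        Packet(CLIENT, 51000, SERVER, 443, ACK),
        Packet(SERVER, 443, CLIENT, 51000, RST | ACK),
        Packet(CLIENT, 51000, SERVER, 443, SYN),
    ]
    return replay(trace)


if __name__ == "__main__":
    for verdict in scenario_unseen_teardown():
        print(verdict)
    print("---")
    for verdict in scenario_seen_reset():
        print(verdict)
```

The last verdict of the first trace is the drop; in the second trace the same SYN opens a new entry because the table no longer holds the old one. When chasing this in a real capture, the useful question is therefore the one the answer asks: was there an earlier connection on that exact 4-tuple, and did the gateway ever see it close?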
