This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ok1
Participant
Thursday

First packet isn't SYN drop on one site only

Hello Check Point Community!

I’ve encountered the following issue. We have two Maestro sites in two data centers. One site has 1 gateway (there were 2, but currently not added), and the other has 2 gateways. Currently, the setup is working on the first site, which has 1 gateway. Now, we want to add that second gateway to the first site and, accordingly, have redirected traffic to the second site (the one with 2 gateways) via manual failover. However, we’ve run into an issue where, after switching to the second site, we are seeing drop logs saying "First packet isn't SYN" with the TCP push-ACK flag. A custom TCP service is used, and connection synchronization is enabled. Timeout is the default 3600 seconds, where we see no discrepancies in fw ctl conntab output.

We understand this issue might be related to an asymmetric network, but this wasn't a problem before one of the gateways in site 1 had an issue and had to be removed.

Could this issue be caused by the difference in the number of Security Gateway members on the sites?

0 Kudos
5 Replies
the_rock
Legend
Legend
Thursday

Im not Maestro expert by any means (not even close), but I can tell you having seen that message probably more than 200 times, 90% of the time it has to do with routing, as it indicates 3 way handshake is not completing properly.

Andy

0 Kudos
kamilazat
Collaborator
Thursday
In response to the_rock

True and resolvable when it is simply about routing. What about the other 10%? 🙂

It looks like their issue appeared 'out of the blue' after a failover. I remember reading in some SK that sometimes some crashes or failovers can result in deletion of 'some' routes. Though I've no clue how that's even possible.

 

0 Kudos
the_rock
Legend
Legend
Thursday
In response to kamilazat

I cant say for sure if that could happen, as I had never seen it myself 🙂

Andy

0 Kudos
hugothebas
Contributor
Contributor
Thursday

What kind of traffic is this? VPN? Input Connections (those which destination is the gateway itself)?

As @the_rock said, That is very common in Maestro environments, it is probably related to the distribution algorithm, so I would start by checking if the distribution configuration is the same on both sites (show distribution configuration) and also if l4 is enabled or not (show distribution l4-mode).

Thebas.

0 Kudos
emmap
Employee
Employee
Friday

Do you see these for only a few minutes after failover or are they constantly occurring when running on site 2 for a while?

Is there a lot or just a few?

Is the connectivity associated with the drops impacted?

What's your distribution configuration for the interfaces involved? (ingress and would-be egress if they were accepted)

Do you have L4 distribution enabled?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events