This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DannyCor
Explorer
yesterday

First Packet Isn't SYN drop

I am new to Checkpoint firewall and have been dealing with "First Packet Isn't SYN" issue for the last few weeks. This is happening between interface and one of application server, both server communicate on port 4000. The odd thing I see only first 3 packets are dropped then the 4th allowed to get through.

 

At the moment, I only have access to logs only, not configuration. Any configuration changes need to be communicated with other team.

Anything place I can start to troubleshoot the issue?

 

 

Preview file
61 KB
Preview file
47 KB
0 Kudos
7 Replies
the_rock
Legend
Legend
yesterday

That can sometimes be bit tricky to troubleshoot. I would say, run tcpdump and fw monitor to see whats happening with the traffic. Also, I would do ip r g command to make sure route is right. Say IP is 10.9.8.7, you can run ip r g 10.9.8.7 from the expert mode.

Hope that helps.

Andy

0 Kudos
AkosBakos
Leader Leader
Leader
9 hours ago

Hi @DannyCor 

  • If you check the name of the incoming interface at the first packet what do you see? (eg.: eth1)
  • The interface is the same by that packet which is dropped?

Here is a screenshot what to check:

2025-01-10 09_22_45-10.211.190.100-R81.20-SmartConsole.png

If not the same, we are facing with asymmetrical routing.

Akos

 

----------------
\m/_(>_<)_\m/
the_rock
Legend
Legend
5 hours ago
In response to AkosBakos

Routing usually comes to mind with this sort of error.

0 Kudos
the_rock
Legend
Legend
3 hours ago

Also, some SKs to consider.

Andy

https://support.checkpoint.com/results/sk/sk107618

https://support.checkpoint.com/results/sk/sk31382

https://support.checkpoint.com/results/sk/sk180253

0 Kudos
Lesley
Mentor Mentor
Mentor
an hour ago

First question is always, are these drops causing any issues? Are there issue reported of this connection flow or you just saw them?

And what is the issue? If they setup new connection is it slow? Or they get timeout after like 1 hour and have to rebuild connection.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
DannyCor
Explorer
an hour ago
In response to Lesley

In my case, it causes encoders not responding to PMS requests cutting room keys. 

0 Kudos
AkosBakos
Leader Leader
Leader
an hour ago
In response to DannyCor

In this case please check the routing and the interface of the accepted and droppet packet. Itt might help

----------------
\m/_(>_<)_\m/
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events