This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DannyCor
Explorer
2 weeks ago

First Packet Isn't SYN drop

I am new to Checkpoint firewall and have been dealing with "First Packet Isn't SYN" issue for the last few weeks. This is happening between interface and one of application server, both server communicate on port 4000. The odd thing I see only first 3 packets are dropped then the 4th allowed to get through.

 

At the moment, I only have access to logs only, not configuration. Any configuration changes need to be communicated with other team.

Anything place I can start to troubleshoot the issue?

 

 

Preview file
61 KB
Preview file
47 KB
0 Kudos
15 Replies
the_rock
Legend
Legend
2 weeks ago

That can sometimes be bit tricky to troubleshoot. I would say, run tcpdump and fw monitor to see whats happening with the traffic. Also, I would do ip r g command to make sure route is right. Say IP is 10.9.8.7, you can run ip r g 10.9.8.7 from the expert mode.

Hope that helps.

Andy

0 Kudos
AkosBakos
Leader Leader
Leader
2 weeks ago

Hi @DannyCor 

  • If you check the name of the incoming interface at the first packet what do you see? (eg.: eth1)
  • The interface is the same by that packet which is dropped?

Here is a screenshot what to check:

2025-01-10 09_22_45-10.211.190.100-R81.20-SmartConsole.png

If not the same, we are facing with asymmetrical routing.

Akos

 

----------------
\m/_(>_<)_\m/
the_rock
Legend
Legend
2 weeks ago
In response to AkosBakos

Routing usually comes to mind with this sort of error.

0 Kudos
(1)
DannyCor
Explorer
2 weeks ago
In response to the_rock

Both dropped and allowed traffic coming from same interface. 

0 Kudos
DannyCor
Explorer
2 weeks ago
In response to AkosBakos

I checked them, it uses same interface.

0 Kudos
the_rock
Legend
Legend
2 weeks ago

Also, some SKs to consider.

Andy

https://support.checkpoint.com/results/sk/sk107618

https://support.checkpoint.com/results/sk/sk31382

https://support.checkpoint.com/results/sk/sk180253

0 Kudos
DannyCor
Explorer
2 weeks ago

I wanted to add. Tnterface server is communicating with several different application servers located on multiple different VLANs. This issue only happening on this one particular application server.

0 Kudos
AkosBakos
Leader Leader
Leader
2 weeks ago
In response to DannyCor

Check the routing table of the affected server. There will be the problem.

----------------
\m/_(>_<)_\m/
0 Kudos
Lesley
Mentor Mentor
Mentor
2 weeks ago

First question is always, are these drops causing any issues? Are there issue reported of this connection flow or you just saw them?

And what is the issue? If they setup new connection is it slow? Or they get timeout after like 1 hour and have to rebuild connection.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
DannyCor
Explorer
2 weeks ago
In response to Lesley

In my case, it causes encoders not responding to PMS requests cutting room keys. 

0 Kudos
AkosBakos
Leader Leader
Leader
2 weeks ago
In response to DannyCor

In this case please check the routing and the interface of the accepted and droppet packet. Itt might help

----------------
\m/_(>_<)_\m/
0 Kudos
Lesley
Mentor Mentor
Mentor
2 weeks ago
In response to DannyCor

Will the request work after some time or they never work? Or it works first few minutes and then stops working after an hour or so? 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
AlekzNet
Contributor
2 weeks ago
In response to Lesley

> Or it works first few minutes and then stops working after an hour or so? 

Or, does it work "right away', then, if no new traffic is passing, does it work after 1 hour?

"Such things"  might happen in, for example, the following cases:

- Asymmetrical routing, when the "reply" packet follows a different path then the "query" one. In this case the connection can not be established.
- New packets after TCP timeout. If there are no packets for 1 hour, the firewall removes the entry from the connection table. If any of the communicating side decides to send more packets, the firewall will drop them with an error "First Packet out of syn".

This can be solved in several ways:
- Just ignore it, if no issues noticed
- Increase the timeout for the service (SmartDashboard)
- Globally increase the TCP timeout for all TCP connections on the firewalls (SmartDashboard)
- Set the TCP heartbeat/keepalives to less than 3600 seconds on the communicating parties (Kernel)
- Configure the firewall to send RST to the parties, when the TCP timeout occurs (Kernel)

Which method to choose - depends on the application, for example, if it can recover from either connection reset or connection timeout.

0 Kudos
DannyCor
Explorer
2 weeks ago
In response to Lesley

After server reboot, I have seen multiple packets allowed to pass, then after sometimes (hours), the FW starts dropping packets again. 

0 Kudos
AlekzNet
Contributor
2 weeks ago
In response to DannyCor

Here we go. Exactly what I said above.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events