First packet isn't SYN errors


We are running R80.40 Jumbo HF Take #125, and an LDAPS connection going through the firewall is getting disconnected after two hours. We can see a lot of "First packet isn't SYN" errors being logged, and this traffic is being blocked.

What could be the cause of this problem? Is there a way of configuring the firewall to ignore the SYN error and just let the traffic flow through between the LDAPS client and server, or can one create a specific rule for just the LDAPS connection to ignore this SYN error and allow the traffic through?





Stateful firewalls track connections in a state table. This table is limited by the memory in the device. To help get rid of irrelevant junk entries (like connections from a laptop which has been put to sleep for the day, and which won't use them again), the state table entries have a timeout. If no traffic is seen on a given connection in a certain amount of time (by default, 40 seconds for UDP or an hour for TCP), the entry is removed from the table. If the endpoints then try to send traffic on the same connection, the firewall drops it with the message you see.

You should set the endpoints to send keepalive traffic. This will refresh the entry in the state table so it won't be removed unless the endpoints actually stop talking.
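To make the state-table behaviour described above concrete, here is a small Python model added to this thread (it is an illustration, not Check Point code): the one-hour TCP timeout is the default quoted above, while the 5-tuple, the two-hour gap between LDAPS queries and the keepalive intervals are constructed sample values.

```python
"""Toy model of a stateful firewall's connection table. Shows why a TCP
session that stays idle past the table timeout is dropped with
"First packet isn't SYN", and why endpoint keepalives prevent it."""
from dataclasses import dataclass, field

TCP_IDLE_TIMEOUT = 3600   # seconds; the default one-hour TCP timeout quoted above


@dataclass
class StateTable:
    timeout: int = TCP_IDLE_TIMEOUT
    entries: dict = field(default_factory=dict)   # 5-tuple -> last time seen
    drops: list = field(default_factory=list)     # (time, 5-tuple, reason)

    def _expire(self, now):
        # Idle entries are aged out so the table does not fill with junk.
        for key, last_seen in list(self.entries.items()):
            if now - last_seen > self.timeout:
                del self.entries[key]

    def packet(self, now, key, syn=False):
        """Return 'accept' or 'drop' for a packet on connection `key`."""
        self._expire(now)
        if syn:
            self.entries[key] = now      # new session: create the entry
            return "accept"
        if key in self.entries:
            self.entries[key] = now      # any traffic refreshes the idle timer
            return "accept"
        # No entry and not a SYN: the firewall has no state for this packet.
        self.drops.append((now, key, "First packet isn't SYN"))
        return "drop"


def ldaps_session(keepalive_interval=None, duration=2 * 3600):
    """Simulate an LDAPS client that queries at t=0 and again `duration`
    seconds later, optionally sending TCP keepalives in between."""
    fw = StateTable()
    conn = ("10.0.0.5", 51234, "10.0.0.10", 636, "tcp")   # constructed sample
    fw.packet(0, conn, syn=True)                          # handshake at t=0
    if keepalive_interval:
        t = keepalive_interval
        while t < duration:
            fw.packet(t, conn)        # keepalive ACK refreshes the entry
            t += keepalive_interval
    return fw.packet(duration, conn)  # the next real LDAPS query


if __name__ == "__main__":
    print("no keepalive:", ldaps_session())                        # drop
    print("keepalive every 30 min:", ldaps_session(1800))          # accept
    print("keepalive longer than timeout:", ldaps_session(4000))   # drop
```

Any keepalive interval shorter than the firewall's TCP timeout keeps the entry alive; one longer than the timeout is no better than none.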


@Bob_Zimmerman explained it perfectly; I really have nothing else to add.



In my many years debugging Check Point firewalls I have yet to see "First packet isn't SYN" where the firewall is the culprit; so far it has always been the apps. Usually, it is either intermittent asymmetric routing or timeouts/keepalives the app doesn't send.

Once upon a time you could "solve" such problems by turning off Stateful Inspection for TCP packets in Global Properties, but that was for the whole firewall, brr. I actually saw people doing it, but it means you basically turn off the firewall for the most part, and I am not sure it is even possible in newer versions anymore.

So as others have already said - look closer into the application traffic.

If your gateway is under heavy load (memory shortage, +80% used), aggressive aging will clear connections from the connections table faster than the actual timeout, causing the "First packet isn't SYN" error.


