This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
P_M
Participant
‎2021-11-29 11:53 PM

First packet isn't SYN errors

Hello,

We are running R80.40 Jumbo HF Take #125 and LDAPS connection going through the firewall is getting disconnected after two hours, and we can see that a lot of "First packet isn't SYN" errors being logged, and these traffic are being blocked.

What could be the cause of this problem, is there a way of configuring the firewall to ignore the SYN error and just let the traffic flow through between the LDAPS client and server, or can one create a specific rule for just the LDAPS connection to ignore this SYN error and allow the traffic through ?

 

Regards 

P_M

 

0 Kudos
4 Replies
Bob_Zimmerman
Authority
Authority
‎2021-11-30 01:14 PM

Stateful firewalls track connections in a state table. This table is limited by the memory in the device. To help get rid of irrelevant junk entries (like connections from a laptop which has been put to sleep for the day, and which won't use them again), the state table entries have a timeout. If no traffic is seen on a given connection in a certain amount of time (by default, 40 seconds for UDP or an hour for TCP), the entry is removed from the table. If the endpoints then try to send traffic on the same connection, the firewall drops it with the message you see.

You should set the endpoints to send keepalive traffic. This will refresh the entry in the state table so it won't be removed unless the endpoints actually stop talking.

the_rock
Legend
Legend
‎2021-11-30 04:24 PM

@Bob_Zimmerman explained it perfectly, I really have nothing else to add. 

 

Yuri_Slobodyany
Collaborator
‎2021-11-30 10:56 PM

In my many years debugging Checkpoints I am yet to see "First packet isn't SYN" where the firewall is the culprit - so far it has always been the apps. Usually, it is either intermittent asymmetric routing  or timeouts/keepalives the app doesn't send. 

Once upon a time you could "solve" such problems by turning off Stateful Inspection for TCP packets in Global properties, but for the whole firewall, brr. And I actually saw people doing it, but it means you basically turn off firewall for the most part and I am not sure it is possible in newer versions anymore.

So as others have already said - look closer into the application traffic.

https://www.linkedin.com/in/yurislobodyanyuk/
JanVC
Collaborator
‎2021-12-01 04:10 AM
In response to Yuri_Slobodyany

if your gateway is under heavy load (memory shortage +80% used), aggressive aging will clear connections in the conntable faster then the actual timeout causing the first packet isn't SYN error

(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events