This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tlloyd22
Employee
Employee
‎2021-11-03 08:39 AM
Jump to solution

First packet isn't syn

Hey everyone.  I have a new CPGW R81.10 and I have one workstation that's dropping traffic 3 to 4 times a second with the following issue:

TCP packet out of state: First packet isn't SYN

TCP Flags: RST-ACK and FIN-PUSH-ACK

Can this be ignored?  I can't say I'm seeing a perf problem.  Or, should/how can it be fixed?  Thanks all!

 

 

0 Kudos
36 Replies
Jonne_Hannon
Contributor
‎2022-12-06 10:37 PM
In response to skandshus
Jump to solution

It looks like the SecureXL connection still has the correct TCP session timeout, but for some reason the firewall connection timeout gets reduced to 15 seconds:

10.122.21.80 52570 172.28.32.21 80 6 ...A..S............. Destination FIN 3/24 24/3 2 0 3202928558/1670317441 0 32 13.07KB 1s 2m2s 3599/3600


<00000000, 0a7a1550, 0000cd5a, ac1c2015, 00000050, 00000006; 0001e001, 40044080, 00000039, 000001cf, 00000000, 639030bc, 00000005, 9db24937, f54cc138, 00000003, ffffffff, ffffffff, ffffffff,
0000e800, 00000000, 80000000, 00000000, 00000000, b9155808, 00007f8e, 00000000, c2053003, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000, 00000000; 14/15>

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2022-12-07 04:54 AM
In response to Jonne_Hannon
Jump to solution

Is your TCP start timeout 10 seconds?  SecureXL adds 5 seconds to it upon receipt of FIN which would explain where the 15 is coming from, see: sk110672: When a TCP connection ends, its entry in the Connections Table appears with a timeout valu...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Jonne_Hannon
Contributor
‎2022-12-07 02:02 PM
In response to Timothy_Hall
Jump to solution

Thanks for the suggestion.  TCP start timeout is 25 seconds, which I believe is default.  TCP end timeout (R80.20 and higher Gateways) should apply to R81.10, which is 5 seconds.  The connection state is 0001e001 (Destination FIN) with a 15 second end timeout timer.  Under advice from TAC, I have upgraded to JHFA Take 79, but the issue persists after the upgrade.  Disabling SecureXL resolves the issue, but is obviously not a permanent solution.

0 Kudos
Dion-ben
Explorer
‎2022-12-14 04:44 AM
In response to Jonne_Hannon
Jump to solution

Checkpoint has identified this as a problem with a timeout on half closed TCP sessions e.g. one side has send a FIN but the other has not responded with a FIN yet and has a Hotfix in sk180364 

Jonne_Hannon
Contributor
‎2022-12-14 02:49 PM
In response to Dion-ben
Jump to solution

Thanks.  You might have just saved me collecting SecureXL debugs for TAC.  I'll let my Case Engineer know and try the hotfix.

0 Kudos
Jonne_Hannon
Contributor
‎2022-12-14 04:12 PM
In response to Dion-ben
Jump to solution

the workaround in sk180364 does the job as well.  Not sure if I need the hotfix, but will check with TAC.

0 Kudos
Jonne_Hannon
Contributor
‎2023-01-10 03:36 PM
In response to Jonne_Hannon
Jump to solution

I noticed that sk137672 has been updated with added information:
"...Some of the Half closed connections ( DST-FIN ) by default will have 15 seconds timeout starting from the versions mentioned above...."

Looks like this is now considered normal behaviour from the versions listed in the SK article.  What is the rationale behind expiring the half-closed connections so quickly? 

I have been testing the hotfix from sk180364, but I still see the 15 second timeout on DST-FIN firewall connections and out of state packet drops.  I noticed during troubleshooting that there was no fwaccel DST-FIN connection, so maybe the hotfix only removes the DST-FIN connection from the SecureXL connection table.  

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events