This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
tlloyd22
Employee
Employee
‎2021-11-03 08:39 AM

First packet isn't syn

Hey everyone.  I have a new CPGW R81.10 and I have one workstation that's dropping traffic 3 to 4 times a second with the following issue:

TCP packet out of state: First packet isn't SYN

TCP Flags: RST-ACK and FIN-PUSH-ACK

Can this be ignored?  I can't say I'm seeing a perf problem.  Or, should/how can it be fixed?  Thanks all!

 

 

0 Kudos
9 Replies
Timothy_Hall
Champion
Champion
‎2021-11-05 10:13 AM

Generally you can ignore FIN and RST packets that are dropped out of state unless they are conclusively linked to a specific problem.  This is typically caused by the connection not being closed gracefully by one side or the other, see my post here:

https://community.checkpoint.com/t5/General-Topics/First-packet-isn-t-SYN/m-p/7027/highlight/true#M7...

 

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
maad-pul
Participant
‎2022-02-28 12:18 PM

Hi,

Did you find anyting related to this issue? I have also seen those packets dropped after upgrading to R81.10 TAKE30.
I haven´t seen any drops related to TCP Flags: RST-ACK and FIN-PUSH-ACK before upgrade R80.40. 

 

My problem is that I have performance issues related to flows where I see errors in logs.

I have disabled HTTPS Inspection which seems to solve the issue. 
 

 

0 Kudos
tlloyd22
Employee
Employee
‎2022-02-28 01:24 PM
In response to maad-pul

After seeing Tim Hall's post and reading through, I chose to ignore the errors since I didn't see a performance issue.  Sorry I'm not more helpful...good luck!

0 Kudos
the_rock
Champion
Champion
‎2022-02-28 01:27 PM
In response to maad-pul

Are you seeing any performance impact, dropped traffic? If so, then I would be concerned...if not, then I would not worry much.

0 Kudos
maad-pul
Participant
‎2022-02-28 01:51 PM
In response to the_rock

Hi,

Yes! This weekend we upgraded to lastest R81.10 GA,  I´m having users reported "slow web browsning" today, I found in logs a lot of dropped packet related to tcp/443, which haven¨t been there before. 


TCP packet out of state: First packet isn't SYN
TCP Flags: RST-ACK and FIN-PUSH-ACK

I quick fix, just to now whats goding on was to disable HTTPS Inspection for that VS. Logs dissapeard and users reported good web browsing performance after that. The Logs are from the FW-blade and not HTTPS Inspection.

0 Kudos
the_rock
Champion
Champion
‎2022-02-28 01:56 PM
In response to maad-pul

You may need to debug wstlsd process for https inspection, when its enabled.

0 Kudos
skandshus
Collaborator
‎2022-02-28 02:47 PM

I am seeing a LOT of those too in my ubiquiti unifi controller where connection status/heartbeats then gets time out and throwing me an Alert of a device disconnecting even though it’s working fine. It’s so annoying.. never had that issue before checkpoint unfortunately 😞

0 Kudos
the_rock
Champion
Champion
‎2022-02-28 10:11 PM
In response to skandshus

I would open TAC case for it to have them verify, specially given the fact it causes traffic issues.

0 Kudos
maad-pul
Participant
‎2022-03-01 12:57 AM
In response to the_rock

Hi!

I will do that, I just need to verify Hyperthreading (SMT/HT) enabling i BIOS for the HPE-server.  I don´t know if thats setting was enabled in last update to R80.40, but support seems to be removed. 

See https://community.checkpoint.com/t5/Security-Gateways/Attention-HyperThreading-SMT-support-for-Open-....

0 Kudos