Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jonathan
Contributor

Many TCP First-Packet-isn't-SYN drops after upgrade to R81.10

Hi,

After upgrading from R80.20 to R81.10 we see many many TCP drops in the logs from many servers.

Drops are First Packet Isn't SYN with TCP flags are mostly FIN-ACK, ACK.

No performance or other issue with these servers.

We've never had these drops on R80.20 from these servers, and we haven't changed any topology when upgraded.

I suspect it's just cosmetic or a new logging feature issue, but not sure...

I've noticed a checkbox under Global Properties -> Stateful Inspection -> "Log on drop". I don't know if it was checked before the upgrade, maybe it explains the issue?

TCPDrops.JPG

One thing to mention, not sure it's related - upgrade is not finished yet, we have one member upgraded and the other one is still running R80.20 but is not functioning (cpstop), so the cluster is actually broken at the moment.

 

Thanks

 

0 Kudos
6 Replies
Chris_Atkinson
Employee
Employee

I would advise completing the upgrade and seeing if the issue persists with Jumbo T45 or later applied.

There have been situations where similar symptoms were reported and linked to:

PRJ-30820,
PRHF-19417

SecureXL

In a rare scenario, after an upgrade, HTTPS traffic may be dropped.

 

0 Kudos
Jonathan
Contributor

Hi Chris,

I'm on the latest JHF (take 66). We don't have HTTPS inspection of this traffic, and also it happens on other services and ports other than 443.

I will wait however until we finish with the upgrade, probably next Sunday, and will update if it's resolved.

Thanks

0 Kudos
Chris_Atkinson
Employee
Employee

Noted. There are other possible causes for these messages as the other discussion suggests. 😃

0 Kudos
Jonathan
Contributor

Hi,

So upgrade is all finished, but issue is the same.

Only noticable change is that 99% of the logs now have TCP Flag: RST-ACK, which I know is generally normal to see. I just don't understand how come we never saw it prior to the upgrade and how to stop seeing it in logs.

 

0 Kudos
skandshus
Collaborator

seeing the same thing "all of the sudden" No solution so far.

0 Kudos
laurent_ragon
Explorer

HI,

 

Check this sk: sk137672 - How to change the 'TCP Half Closed timer' value.

with this solution we can improve the TCP close session processus.

0 Kudos