arcotangente
Participant

'TCP packet out of state' drops

Hi guys,

We are troubleshooting an issue and see many HTTPS packets dropped with the following message in the logs:

'TCP packet out of state -First packet isn't SYN'

I've tried to disable this protection for one specific source, so I opened Inspection Settings and added an Exception for this specific source IP (all protections, profiles and destinations).

However, I still see packets being dropped with the same message in the logs.

Is there a way to bypass a specific source or destination of this protection?

Thanks

4 Replies
Timothy_Hall
Champion

What TCP flags (RST, FIN, ACK, etc.) are you seeing on the packets dropped as out of state?  If they are RST or FIN the connection is already dead so you can probably ignore those.  If the flags on the dropped packets are SYN and ACK (or perhaps just ACK), that may indicate asymmetric routing going around the firewall.  If the flags on the dropped packet are some combo of only ACK/PSH/URG usually that means the connection was timed out by the firewall, in that case you can try increasing the service timeout for HTTPS on the Advanced screen of the matching HTTPS service.

Updated 2023 IPS/AV/ABOT R81.20 Course now
available at maxpowerfirewalls.com
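An added triage helper, not from this thread and not Check Point's own tooling, that applies the flag rules above to a few constructed drop records; the simplified "key: value;" layout and the field names are assumptions rather than a verbatim log export.

```python
from typing import Dict, List

# Constructed sample records (assumed layout). The reason text and the
# PUSH-ACK value are the ones quoted in the thread.
SAMPLE_LOG = """\
action: Drop; src: 10.1.1.10; dst: 203.0.113.5; service: 443; tcp_flags: PUSH-ACK; reason: TCP packet out of state - First packet isn't SYN;
action: Drop; src: 10.1.1.11; dst: 203.0.113.5; service: 443; tcp_flags: RST-ACK; reason: TCP packet out of state - First packet isn't SYN;
action: Drop; src: 10.1.1.12; dst: 203.0.113.5; service: 443; tcp_flags: SYN-ACK; reason: TCP packet out of state - First packet isn't SYN;
action: Accept; src: 10.1.1.13; dst: 203.0.113.5; service: 443; tcp_flags: SYN; reason: ;
"""

OUT_OF_STATE = "TCP packet out of state"


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'key: value;' record into a dict (assumed format)."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        if ":" in part:
            key, _, value = part.partition(":")  # split on the first colon only
            fields[key.strip()] = value.strip()
    return fields


def classify_flags(flags: str) -> str:
    """Map the TCP flags of an out-of-state drop to the likely cause,
    following the triage rules given in the reply above."""
    bits = set(flags.upper().replace("PUSH", "PSH").split("-"))
    if bits & {"RST", "FIN"}:
        return "dead connection (RST/FIN) - usually ignorable"
    if "SYN" in bits:
        return "SYN-ACK without a seen SYN - check for asymmetric routing"
    if bits == {"ACK"}:
        return "ACK only - timeout or asymmetric routing (ambiguous)"
    if bits and bits <= {"ACK", "PSH", "URG"}:
        return "mid-stream data after idle - likely timed out; raise the HTTPS service timeout"
    return "unclassified flags: " + flags


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group out-of-state drops by likely cause; values are 'src->dst:port'."""
    groups: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("action") != "Drop" or not rec.get("reason", "").startswith(OUT_OF_STATE):
            continue  # only out-of-state drops are of interest here
        cause = classify_flags(rec.get("tcp_flags", ""))
        groups.setdefault(cause, []).append(f"{rec['src']}->{rec['dst']}:{rec['service']}")
    return groups
```

Run `triage(SAMPLE_LOG)` to see the three drops bucketed into three different causes; the PUSH-ACK drop from the thread lands in the timeout bucket.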
arcotangente
Participant

Thanks Timothy,

The flags are 'PUSH-ACK'

BR

Timothy_Hall
Champion

Try increasing the timeout for the HTTPS service on its Advanced screen, and make sure you modify the correct HTTPS/port 443 service that is actually matching the problematic traffic as there may be several defined.

arcotangente
Participant

Hi,

Finally, the issue got fixed after a reboot of the secondary node while troubleshooting another issue. Difficult to understand what happened.


Thanks anyway!
