CheckMates Fest 2025!
Join the Biggest Event of the Year!
Share your Cyber Security Insights
On-Stage at CPX 2025
Simplifying Zero Trust Security
with Infinity Identity!
Zero Trust Implementation
Help us with the Short-Term Roadmap
CheckMates Go:
What's New in R82
Those captures when combined show both directions but they are for different TCP connections (source port numbers do not match) so the ability to determine what is wrong is limited. I need to see a single capture that has all the packets in both directions for a single connection. So I'll ask again: how are you taking this capture?
It looks like the SYN-ACK is reaching the gateway but being dropped for some reason; I don't see anything wrong with the SYN-ACK itself so it must be a stateful inspection thing that is dropping it. Search your logs for "out of state" drops or run fw ctl zdebug drop.
If this is a high volume transaction without sufficiently diverse source ports, it is possible the occasional failures could be due to source port reuse, see here: sk24960: "Smart Connection Reuse" feature modifies some SYN packets
I'm not willing to speculate further without a full capture of both directions for the same connection. Is this traffic subject to NAT?
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
