
Long-lived TCP connection got timed-out ungracefully. First packet isn't SYN. TCP-Flag: PUSH-ACK

Question asked by Andy Nguyen on Oct 18, 2018
Latest reply on Oct 19, 2018 by Andy Nguyen

Checkpoint Next Generation FW: R80.10

Aggressive aging: enabled

Virtual session timeout: 3600(s)

 

We have a long-lived TCP connection over the Checkpoint gateway firewall. After 1 hour of idle time, the connection got timed out by Checkpoint, and on the Checkpoint we found the error: "First packet isn't SYN. TCP-Flag: PUSH-ACK"

Is this because Checkpoint doesn't drop the connection nicely (not sending the FIN flag to the source), which caused the source to keep sending data without initiating a new connection? If that's the case, how can we configure Checkpoint to send FIN to the source when it drops the connection, and should we do that?
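A toy model of the behaviour described in the question, as an added example that is not part of the original post and not Check Point code. It assumes the gateway deletes an idle connection from its state table without notifying either endpoint and that any packet matching an existing entry resets the idle timer; the 4-tuple, the class and function names, and the 1800-second keepalive interval are constructed for illustration.

```python
IDLE_TIMEOUT = 3600  # seconds, the session timeout value quoted in the post
CONN = ("10.0.0.5", 40000, "10.0.1.9", 5432)  # constructed sample 4-tuple


class StateTable:
    """Minimal stateful-inspection model; only client-to-server packets are replayed."""

    def __init__(self, timeout=IDLE_TIMEOUT):
        self.timeout = timeout
        self.last_seen = {}  # connection 4-tuple -> time of last matching packet

    def _expire(self, now):
        # Assumption: idle entries are removed silently, so both hosts still
        # consider the TCP connection established after the entry is gone.
        for conn, seen in list(self.last_seen.items()):
            if now - seen >= self.timeout:
                del self.last_seen[conn]

    def handle(self, now, conn, flags):
        """Return (verdict, log message) for one packet seen at time `now`."""
        self._expire(now)
        if conn in self.last_seen or flags == "SYN":
            self.last_seen[conn] = now  # new entry, or idle timer refreshed
            return ("accept", "")
        # No entry and not a SYN: the packet cannot start a connection.
        return ("drop", f"First packet isn't SYN. TCP-Flag: {flags}")


def replay(packets):
    fw = StateTable()
    return [fw.handle(t, CONN, flags) for t, flags in packets]


def idle_then_send():
    # Connection opens, stays silent for just over an hour, then sends data.
    return replay([(0, "SYN"), (1, "ACK"), (3602, "PUSH-ACK")])


def with_keepalive():
    # Same gap, but the endpoint emits a keepalive ACK every 1800 s (constructed interval).
    return replay([(0, "SYN"), (1, "ACK"), (1801, "ACK"), (3601, "ACK"), (3602, "PUSH-ACK")])


if __name__ == "__main__":
    print(idle_then_send()[-1])
    print(with_keepalive()[-1])
```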
