TCP packet out of state

[james.mathieson]

Hi all,

I'm having a few issues with checkpoint and was wondering if anyone has any advice.

I have a server, that keeps giving me the following message on tracker, "TCP packet out of state. First packet isn't SYN tcp_flags: PUSH-ACK"

This server I believe is initiating the connection to the destination server for authentication. After a few attempts, everything works and gets let through the firewall.

We are using NGX R60 and this is running on NOKIA boxes with IPSO, but am not sure which version as I don't have access to the boxes at the moment.

Are there any known issues for this?

Kind regards

James

[melipla]

RE: [fw1-gurus] TCP packet out of state: First packet isn't SYN

It references gateway clusters with a sync network that is under load, not sure if that applies but the settings may be worth checking:

Quote:

When the synchronization mechanism is under load, TCP packet out-of-state error messages may appear in the information column of SmartTracker. This section explains how to resolve each error.

TCP packet out of state - first packet isn't SYN tcp_flags: FINACK
TCP packet out of state - first packet isn't SYN tcp_flags: FINPUSH-ACK

These messages occur when a FIN packet is retransmitted after deleting the
connection from the connection table.

To solve the problem, in the SmartDashboard Global properties for Stateful
Inspection, enlarge the TCP end timeout from 20 seconds to 60 seconds. If necessary, also enlarge the connection table so it won't get full.

[james.mathieson]

Hi,

Unfortunately the timeout is at that value already as I was just looking. The server involved that is related to these problems has two network cards on different networks, so I'm wondering if the server is getting confused about which interface to use.

Just a thought.

Many thanks for your reply.

James

[jacobsen]

Hi,

I had the same issue.
I've figuered out, that disabling SecureXL lowers the amount of "tcp out of state" pretty much.

fwaccel stat
fwaccel off

give it a try.

hopefully it's better with R65.

[synick]

Can this error be related to something other than Cluster State Sync?

I have had a similar error with a server trying to access a database server, Traffic coming one way is fine, coming back it gets blocked on a different with this error.

Found out that the DB server was holding connections open for a long time, and when traffic came in it was using a held port to communicate back. That port is being block on the FW.

[melipla]

Quote:

Originally Posted by synick

Found out that the DB server was holding connections open for a long time, and when traffic came in it was using a held port to communicate back. That port is being block on the FW.

If the reply back is being held long enough, it could be considered out of state. You might consider adjusting timeout values found under Smart Dashboard -> Policy -> Global Properties -> Stateful Inspection. Althought normally the default values are good. Ideally you'd improve the performance of your DB cluster so that the response is not delayed.