Connections are dropped as Out-of-State after some idle time when SecureXL is enabled
Symptoms
  • Connections are dropped as Out-of-State after some idle time when SecureXL is enabled.

    SmartView Tracker log shows:

    Type = Log
    Action = Drop
    Protocol = tcp
    Information = TCP packet out of state: First packet isn't SYN
    Product = Security Gateway/Management
    Product Family = Network
    
  • SecureXL debug ('fwaccel dbg -m general + offload') shows:

    ;get_conn_idle_timeout: idle timeout (XXXs) too big for device to detect (max. 43200s). Not offloading with idle_timeout.;
Cause

Session Timeout for a service is set to a value greater than the maximum SecureXL timeout of 43200 seconds, and the connection was processed by SecureXL based on a Template with PSL.

After the PSL expiration period, the PSL data is deleted because the Firewall was not notified about the connection.
Therefore, the next packet for this connection is Forwarded to Kernel (F2F). Since no PSL data exists, the Firewall drops this connection as Out-of-State because no notification was received for it.
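
The following triage script is an added example, not Check Point code. It extracts the idle-timeout values from the debug message quoted under Symptoms and cross-checks them against a list of service session timeouts, using the 43200-second maximum stated above. The service names, the timeout values and the sample debug lines are constructed, and the script assumes the debug output and the service timeouts have already been collected as text.

```python
import re
from collections import Counter

# Message text as quoted in the Symptoms section; a number replaces "XXX".
DEBUG_RE = re.compile(
    r"get_conn_idle_timeout: idle timeout \((\d+)s\) too big for device "
    r"to detect \(max\. \d+s\)"
)
SECUREXL_MAX_IDLE = 43200  # seconds, the maximum stated on this page


def oversized_timeouts(debug_lines):
    """Return {idle_timeout_seconds: hit_count} for matching debug lines."""
    hits = Counter()
    for line in debug_lines:
        m = DEBUG_RE.search(line)
        if m:  # unrelated or malformed lines are skipped
            hits[int(m.group(1))] += 1
    return dict(hits)


def suspect_services(service_timeouts, debug_lines, limit=SECUREXL_MAX_IDLE):
    """List (name, timeout, seen_in_debug) for services above the limit.

    A timeout equal to the limit is not flagged: the cause described is a
    value greater than the maximum.
    """
    seen = oversized_timeouts(debug_lines)
    return sorted(
        (name, secs, secs in seen)
        for name, secs in service_timeouts.items()
        if secs > limit
    )


# Constructed sample input (not real gateway output).
SAMPLE_DEBUG = [
    ";get_conn_idle_timeout: idle timeout (86400s) too big for device to detect (max. 43200s). Not offloading with idle_timeout.;",
    ";some unrelated debug line;",
    ";get_conn_idle_timeout: idle timeout (86400s) too big for device to detect (max. 43200s). Not offloading with idle_timeout.;",
    ";get_conn_idle_timeout: idle timeout (XXXs) too big for device to detect (max. 43200s). Not offloading with idle_timeout.;",
]
# Constructed service names and session timeouts, in seconds.
SAMPLE_SERVICES = {"db-replication": 86400, "ssh": 3600,
                   "legacy-term": 43200, "batch-sync": 50000}

if __name__ == "__main__":
    for name, secs, confirmed in suspect_services(SAMPLE_SERVICES, SAMPLE_DEBUG):
        state = "seen in debug" if confirmed else "not seen in debug"
        print(f"{name}: session timeout {secs}s > {SECUREXL_MAX_IDLE}s ({state})")
```

A service flagged as "seen in debug" is the strongest candidate for the Out-of-State drops, because its exact timeout value appeared in the SecureXL message.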


Solution