TCP packets are not dropped as Out-of-State when SecureXL is enabled
Symptoms
  • When SecureXL is enabled, TCP packets that are received several seconds after the TCP connection is set to expire are accepted instead of being dropped as out of state.

    Example:

    • 'TCP start timeout' is set to 25 seconds (SmartDashboard - 'Policy' menu - 'Global Properties...' - 'Stateful Inspection' pane)
    • RST-ACK packet sent 30 seconds after the last SYN-ACK packet is accepted, although it should be dropped
    • RST-ACK packet sent 40 seconds after the last SYN-ACK packet is dropped as expected
Cause

By default, SecureXL waits 10 seconds from the moment it receives the last TCP packet before timing out the TCP connection. If the last TCP packet arrived within these 10 seconds, the timeout is set again to the configured 'TCP start timeout'.


Solution