TCP packets are not dropped as Out-of-State when SecureXL is enabled

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk104557
Technical Level
Product	SecureXL
Version	R75, R76, R77, R77.10, R77.20, R77.30
OS	Gaia, Gaia Embedded, SecurePlatform 2.6, Crossbeam XOS, IPSO 6.2
Platform / Model	All
Date Created	05-Feb-2015
Last Modified	15-Oct-2018

Symptoms

When SecureXL is enabled, TCP packets that are received several seconds after the TCP connection is set to expire are accepted instead of being dropped as out of state.

Example:
- 'TCP start timeout' is set to 25 seconds (SmartDashboard - 'Policy' menu - 'Global Properties...' - 'Stateful Inspection' pane)
- RST-ACK packet sent 30 seconds after the last SYN-ACK packet is accepted, although should be dropped
- RST-ACK packet sent 40 seconds after the last SYN-ACK packet is dropped as expected

Cause

By default, SecureXL waits for 10 seconds from the moment it receives a last TCP packet before timing out the TCP connection. If the last TCP packet arrived within these 10 seconds, the new timeout would be set again to the configured 'TCP start timeout'.

Solution

Note: To view this solution you need to Sign In .