"First packet isn't SYN" drop logs in SmartView Tracker for TCP traffic from ClusterXL in Load Sharing Unicast mode with enabled SecureXL
Symptoms
  • "First packet isn't SYN" drop logs in SmartView Tracker for TCP traffic.
  • Kernel debug ('fw ctl debug -m fw + drop conn') on cluster members shows:
    • ;fw_log_drop_ex: Packet proto=6 Source_IP:Source_Port -> Dest_IP:Dest_Port dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
    • ;FW-1: fw_log_tcp_out_of_state: reason First packet isn't SYN. th_flags 0x11;
    • ;FW-1: fw_log_tcp_out_of_state: reason First packet isn't SYN. th_flags 0x12;
    • ;FW-1: fw_log_tcp_out_of_state: reason First packet isn't SYN. th_flags 0x14;
    • ;FW-1: fw_log_tcp_out_of_state: reason First packet isn't SYN. th_flags 0x18;
  • The issue occurs only when all of the following conditions are met:
    • ClusterXL in Load Sharing Unicast mode
    • SecureXL is enabled
    • IPS blade is enabled
    • NAT rules are configured for the involved traffic
  • The connection expires after 25 seconds; the kernel debug shows:
    • ;fwconn_ent_expire: [now=xxxxxxxx] conn Dest_IP:Dest_Port IPP 6> is expired
    • ;fwconn_ent_expire: SXL/FLOWS decision: expire, new timeout=0, new ttl=0
  • Disabling SecureXL resolves the issue.
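To see why every th_flags value in the debug output above is an out-of-state drop rather than a legitimate connection opener, the following added example (not Check Point code; the debug sample is constructed from the lines quoted above with placeholder addresses) parses the fw_log_tcp_out_of_state lines and decodes the TCP flag bits. None of the dropped packets is a bare SYN: each is a mid-connection segment (FIN/ACK, SYN/ACK, RST/ACK, PSH/ACK) arriving after the connection entry expired, which matches the state-mismatch cause described below.

```python
import re
from typing import Dict, List

# TCP flag bits as carried in th_flags (standard TCP header bit layout).
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Constructed sample of 'fw ctl debug -m fw + drop conn' output in the format
# quoted in the Symptoms section; addresses are placeholders, not real hosts.
SAMPLE_DEBUG = """\
;fw_log_drop_ex: Packet proto=6 10.0.0.5:51234 -> 192.0.2.10:443 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;FW-1: fw_log_tcp_out_of_state: reason First packet isn't SYN. th_flags 0x11;
;FW-1: fw_log_tcp_out_of_state: reason First packet isn't SYN. th_flags 0x12;
;FW-1: fw_log_tcp_out_of_state: reason First packet isn't SYN. th_flags 0x14;
;FW-1: fw_log_tcp_out_of_state: reason First packet isn't SYN. th_flags 0x18;
;fwconn_ent_expire: SXL/FLOWS decision: expire, new timeout=0, new ttl=0;
"""

# Matches the drop reason and the hex th_flags value on out-of-state lines.
FLAGS_RE = re.compile(
    r"fw_log_tcp_out_of_state: reason (?P<reason>[^.]+)\. th_flags (?P<flags>0x[0-9a-fA-F]+)"
)


def decode_flags(value: int) -> List[str]:
    """Return the names of the TCP flag bits set in a th_flags value, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]


def opens_connection(value: int) -> bool:
    """True only for a bare SYN: the one segment that may legitimately create a new connection."""
    return bool(value & 0x02) and not value & (0x10 | 0x04 | 0x01)


def summarize_out_of_state(debug_output: str) -> List[Dict]:
    """Parse fw_log_tcp_out_of_state lines and classify each dropped packet by its flags."""
    rows = []
    for line in debug_output.splitlines():
        m = FLAGS_RE.search(line)
        if not m:
            continue
        value = int(m.group("flags"), 16)
        rows.append({
            "reason": m.group("reason"),
            "th_flags": m.group("flags"),
            "flags": decode_flags(value),
            "could_open_connection": opens_connection(value),
        })
    return rows


if __name__ == "__main__":
    for row in summarize_out_of_state(SAMPLE_DEBUG):
        print(f"{row['th_flags']}: {'+'.join(row['flags']):<8} opens connection: {row['could_open_connection']}")
```

Run it against real kernel debug output to confirm that the dropped segments all carry ACK (mid-stream), which points at an expired or missing connection entry rather than genuinely new connections being refused.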

Cause

Asymmetric connections created as a result of NAT rules, which must be inspected by IPS (Medium Path), can be dropped as Out of State in ClusterXL Load Sharing Unicast mode with SecureXL enabled, because the state of these TCP connections becomes mismatched between the FireWall kernel and SecureXL.


Solution