Multiple drop logs "First packet isn't SYN" for TCP port 15105 or port 28581 on VSX cluster member with enabled Identity Sharing
Symptoms
  • Multiple "First packet isn't SYN" drop logs appear in SmartView Tracker for TCP port 15105 or 28581 from a VSX cluster member with Identity Sharing enabled.

  • Kernel debug ('fw ctl debug -m fw + drop') on the VSX cluster member confirms that Identity Sharing packets are being dropped:
    ;fw_log_drop_ex: Packet proto=6 X.X.X.X:28581 -> X.X.X.X:Port dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;

  • Traffic capture shows that the Virtual System in Backup state sends these Identity Sharing packets on TCP port 15105 or 28581 to the Virtual Systems in Active state running as PEP.

  • There are no issues related to asymmetric routing or to reaching a limit of kernel tables.
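
The following Python script, added here as an example and not taken from the article or from Check Point, parses saved kernel debug output in the line format quoted above and counts "First packet isn't SYN" drops per flow where either port is 15105 or 28581. The sample lines, their addresses and the function name identity_sharing_drops are constructed for illustration.

```python
import re
from collections import Counter

# Ports the article associates with Identity Sharing traffic.
IDENTITY_SHARING_PORTS = {15105, 28581}
REASON = "First packet isn't SYN"

# Line format as quoted in the Symptoms section (search, so any prefix is tolerated).
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\w+) Reason: (?P<reason>[^;]+);"
)


def identity_sharing_drops(lines):
    """Count out-of-state TCP drops per flow where either port is an Identity Sharing port."""
    flows = Counter()
    for line in lines:
        m = DROP_RE.search(line)
        if not m or m["proto"] != "6" or m["reason"].strip() != REASON:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        # In the article's sample line the service port is the source port
        # (a reply packet), so check both sides.
        if {sport, dport} & IDENTITY_SHARING_PORTS:
            flows[(m["src"], sport, m["dst"], dport)] += 1
    return flows


# Constructed sample lines (documentation addresses, made-up ephemeral ports).
SAMPLE = """\
;fw_log_drop_ex: Packet proto=6 192.0.2.11:28581 -> 192.0.2.10:40112 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;fw_log_drop_ex: Packet proto=6 192.0.2.11:28581 -> 192.0.2.10:40112 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;fw_log_drop_ex: Packet proto=6 192.0.2.12:15105 -> 192.0.2.10:40977 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;fw_log_drop_ex: Packet proto=6 198.51.100.7:443 -> 192.0.2.10:51000 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN;
;fw_log_drop_ex: Packet proto=17 192.0.2.11:28581 -> 192.0.2.10:40112 dropped by fw_first_packet_state_checks Reason: constructed non-matching reason;
""".splitlines()

if __name__ == "__main__":
    for (src, sport, dst, dport), n in identity_sharing_drops(SAMPLE).most_common():
        print(f"{n:4d}  {src}:{sport} -> {dst}:{dport}")
```

Drops that repeat for the same peer pair on these ports, with asymmetric routing and kernel table limits already ruled out, match the pattern this article describes.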

Cause

The Virtual System in Backup state sends Identity Sharing packets to the Virtual Systems in Active state running as PEP.

The Virtual Systems in Active state running as PEP respond with a TCP SYN-ACK packet.

The Virtual Systems in Active state running as PEP send the same TCP SYN-ACK packet to the Virtual Systems in Active state running as PDP, which drop it as out-of-state, because the Active PDP never originated this TCP connection.


Solution