"TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" drop log when SecureXL and Application Control / URL Filtering blade are enabled on Security Gateway in Bridge mode
Symptoms
  • Traffic is dropped with "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker in the following scenario:

    • Security Gateway is configured in Bridge mode
    • SecureXL is enabled
    • Topology:
      Client --- (physical non-Bridge interface ethZ) [GW in Bridge mode] (Bridge interface BrN on ports ethX,ethY) --- Server
    • Traffic Flow:
      Connection from the Client arrives at the Security Gateway on the physical non-Bridge interface ethZ
      Connection to the Server leaves the Security Gateway through the Bridge interface port ethX
    • Application Control blade / URL Filtering blade is enabled
  • SecureXL SIM debug shows that when the SecureXL SIM device tries to accelerate a packet that arrived at the physical non-Bridge interface ethZ, the accelerated packet is cut through to the Bridge interface Br<N> itself instead of to the Bridge interface port ethX:

    Debug modules and flags:

    fw ctl debug -m fw + packet
    sim dbg -m pkt + pkt acct
    sim dbg -m drv + deliver

    Note: In R80.20, the 'sim dbg' command is replaced with 'fwaccel dbg'.

    Relevant lines in debug output:

    ;[SIM...]handle_inbound_packet: got packet on VSID=0 (ifnum=Number of Physical non-Bridge interface ethZ);
    ;[SIM...]do_inbound: got packet 0x... on cpu 0 of <Source_IP_of_Client,Source_Port_on_Client,Dest_IP_of_Server,Dest_Port_on_Server,6>(vsid=0);
    ... ... ...
    ;[SIM...]do_cut_through: sending packet to outbound processing...;
    ;[SIM...]do_outbound: got packet 0x... on cpu 1 of <Source_IP_of_Client,Source_Port_on_Client,Dest_IP_of_Server,Dest_Port_on_Server,6> (packet is cut-through);
    ;[SIM...]ACCT <Source_IP_of_Client,Source_Port_on_Client,Dest_IP_of_Server,Dest_Port_on_Server,6>: p=1; b=48 (conn_dir=0, dir=1);
    ;[SIM...]do_outbound: forwarding packet to network (ifnum=Number of Bridge interface Br<N>)...;
    ;[SIM...]sim_filterout_do_deliver: delivered skb=0x..., on dev=Name of Bridge interface Br<N>, output_func=0x..., cut_through=1, rc=0;
    ... ... ...
    ;fwlinux_nfbrout:...:(<Name of Bridge interface port ethX>)
Cause

Connections between Bridge and non-Bridge interfaces are not accelerated correctly: the accelerated packet is cut through to the Bridge interface Br<N> itself instead of to the Bridge interface port ethX.

As a result, the accelerated packet enters the FireWall once again on the outbound side (visible as the fwlinux_nfbrout line in the debug output above), which causes various inconsistencies.
In particular, when the Application Control blade or URL Filtering blade is enabled, the packet requires a routing decision. This causes the packet to be Forwarded to FireWall (F2F) from SecureXL, and the FireWall, which sees the SYN-ACK as the first packet of an unknown connection, drops it with the "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log.
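The following script is an added example for this sk, not a Check Point tool. It scans the text captured with 'fw ctl kdebug' (with the debug flags listed in the Symptoms section) and reports cut-through packets that sim_filterout_do_deliver handed to a bridge master device (Br<N>) instead of to a bridge port (ethX), which is the mis-acceleration described above. The sample debug lines embedded in it are constructed to follow the excerpt in this sk: the ';[SIM...]' prefix is the placeholder used here, and the addresses, pointers, ifnums and device names are invented. The default check assumes the Gaia convention of naming bridge masters br<N>; pass the real bridge names from 'brctl show' to avoid that assumption.

```python
"""Scan SecureXL SIM debug output for the mis-accelerated bridge cut-through.

Added example for this sk; it is not a Check Point tool.  It reads the text
produced by 'fw ctl kdebug' with the debug flags listed in the sk and reports
cut-through packets that SecureXL delivered to the bridge master device
(Br<N>) instead of to a bridge port (ethX).
"""
import re
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample.  The ';[SIM...]' prefix is the placeholder used in this
# sk; the addresses, pointers, ifnums and device names are invented.
# First connection: cut-through delivered on br0 (the symptom).
# Second connection: cut-through delivered on eth2, a bridge port (healthy).
SAMPLE_DEBUG = """\
;[SIM...]handle_inbound_packet: got packet on VSID=0 (ifnum=3);
;[SIM...]do_inbound: got packet 0xffff880012345678 on cpu 0 of <10.1.1.10,51234,192.168.5.20,443,6>(vsid=0);
;[SIM...]do_cut_through: sending packet to outbound processing...;
;[SIM...]do_outbound: got packet 0xffff880012345678 on cpu 1 of <10.1.1.10,51234,192.168.5.20,443,6> (packet is cut-through);
;[SIM...]ACCT <10.1.1.10,51234,192.168.5.20,443,6>: p=1; b=48 (conn_dir=0, dir=1);
;[SIM...]do_outbound: forwarding packet to network (ifnum=5)...;
;[SIM...]sim_filterout_do_deliver: delivered skb=0xffff880087654321, on dev=br0, output_func=0xffffffffa0123456, cut_through=1, rc=0;
;fwlinux_nfbrout:...:(eth1)
;[SIM...]do_inbound: got packet 0xffff8800aaaa0000 on cpu 0 of <10.1.1.11,40000,10.1.1.50,22,6>(vsid=0);
;[SIM...]do_cut_through: sending packet to outbound processing...;
;[SIM...]do_outbound: got packet 0xffff8800aaaa0000 on cpu 1 of <10.1.1.11,40000,10.1.1.50,22,6> (packet is cut-through);
;[SIM...]sim_filterout_do_deliver: delivered skb=0xffff8800bbbb0000, on dev=eth2, output_func=0xffffffffa0123456, cut_through=1, rc=0;
"""

# Line patterns taken from the debug excerpt in this sk.
CUT_THROUGH_RE = re.compile(
    r"do_outbound: got packet (0x[0-9a-f]+) on cpu (\d+) of <([^>]+)> "
    r"\(packet is cut-through\)"
)
DELIVER_RE = re.compile(
    r"sim_filterout_do_deliver: delivered skb=0x[0-9a-f]+, on dev=([^,]+),"
    r".*cut_through=(\d)"
)
# Assumption: Gaia names bridge master devices br<N>.
BRIDGE_MASTER_RE = re.compile(r"^br\d+$", re.IGNORECASE)


def is_bridge_master(dev: str, bridges: Optional[Set[str]] = None) -> bool:
    """True if dev is a bridge master rather than a port.  Pass the names from
    'brctl show' as `bridges` to avoid relying on the br<N> naming convention."""
    if bridges is not None:
        return dev in bridges
    return BRIDGE_MASTER_RE.match(dev) is not None


def find_misaccelerated(debug_text: str,
                        bridges: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Return (five_tuple, device) for every cut-through packet that
    sim_filterout_do_deliver handed to a bridge master device.

    Simplification: a deliver line is paired with the most recent
    'packet is cut-through' line.  Real multi-CPU output interleaves, so on a
    busy gateway narrow the capture to one connection (or one CPU) first.
    """
    findings: List[Tuple[str, str]] = []
    pending: Optional[str] = None  # five-tuple of the cut-through packet in flight
    for line in debug_text.splitlines():
        m = CUT_THROUGH_RE.search(line)
        if m:
            pending = m.group(3)
            continue
        m = DELIVER_RE.search(line)
        if m and pending is not None:
            dev, cut_through = m.group(1), m.group(2)
            if cut_through == "1" and is_bridge_master(dev, bridges):
                findings.append((pending, dev))
            pending = None
    return findings


def report(findings: Iterable[Tuple[str, str]]) -> str:
    """Human-readable summary of the findings."""
    lines = [f"cut-through to bridge master {dev} for <{conn}> (expected a bridge port)"
             for conn, dev in findings]
    return "\n".join(lines) if lines else "no mis-accelerated cut-through packets found"


if __name__ == "__main__":
    print(report(find_misaccelerated(SAMPLE_DEBUG)))
```

A healthy cut-through of a bridged connection shows the deliver on the port (eth2 in the sample) and is not reported; only the first connection, delivered on br0 and then re-entering the FireWall at fwlinux_nfbrout, is flagged.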


Solution