"TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" drop log when SecureXL and Application Control / URL Filtering blade are enabled on Security Gateway in Bridge mode

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk109735
Product	SecureXL
Version	R75, R76, R77, R77.10, R77.20, R77.30, R80.10, R80.20, R80.30
OS	Gaia, SecurePlatform 2.6, IPSO 6.2, Crossbeam XOS
Platform / Model	All
Date Created	20-Jan-2016
Last Modified	02-Jun-2019

Symptoms

Traffic is dropped with "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker in the following scenario:
- Security Gateway is configured in Bridge mode
- SecureXL is enabled
- Topology:
  Client --- (physical non-Bridge interface ethZ) [GW in Bridge mode] (Bridge interface BrN on ports ethX,ethY) --- Server
- Traffic Flow:
  Connection from Client arrives to Security Gateway at physical non-Bridge interface ethZ
  Connection to Server leaves the Security Gateway from Bridge interface port ethX
- Application Control blade / URL Filtering blade is enabled
SecureXL SIM debug shows that when SecureXL SIM devices tries to accelerate a packet that arrived at physical non-Bridge interface, the accelerated packet is cut through to the Bridge interface Br<N> instead of Bridge interface port ethX:

Debug modules and flags:

fw ctl debug -m fw + packet
sim dbg -m pkt + pkt acct
sim dbg -m drv + deliver

*Note: In R80.20 sim dbg is replaced with fwaccel dbg

Relevant lines in debug output:
;[SIM...]handle_inbound_packet: got packet on VSID=0 (ifnum=Number of Physical non-Bridge interface ethZ); ;[SIM...]do_inbound: got packet 0x... on cpu 0 of <Source_IP_of_Client,Source_Port_on_Client,Dest_IP_of_Server,Dest_Port_on_Server,6>(vsid=0); ... ... ... ;[SIM...]do_cut_through: sending packet to outbound processing...; ;[SIM...]do_outbound: got packet 0x... on cpu 1 of <Source_IP_of_Client,Source_Port_on_Client,Dest_IP_of_Server,Dest_Port_on_Server,6> (packet is cut-through); ;[SIM...]ACCT <Source_IP_of_Client,Source_Port_on_Client,Dest_IP_of_Server,Dest_Port_on_Server,6>: p=1; b=48 (conn_dir=0, dir=1); ;[SIM...]do_outbound: forwarding packet to network (ifnum=Number of Bridge interface Br<N>)...; ;[SIM...]sim_filterout_do_deliver: delivered skb=0x..., on dev=Name of Bridge interface Br<N>, output_func=0x..., cut_through=1, rc=0; ... ... ... ;fwlinux_nfbrout:...:(<Name of Bridge interface port ethX>)

Cause

Connections between Bridge and non-Bridge interfaces are not accelerated correctly (the accelerated packet is cut through to the Bridge interface Br<N> instead of Bridge interface port ethX).

As a result, the accelerated packet enters the FireWall once again on outbound, which causes various inconsistencies.
In particular, when Application Control blade / URL Filtering blade is enabled, due to a required routing decision, this causes the packet to being Forwarded from SecureXL to FireWall (F2F) and being dropped.

Solution

Note: To view this solution you need to Sign In .