"TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" drop log when SecureXL and Application Control / URL Filtering blade are enabled on Security Gateway in Bridge mode

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk109735
Technical Level
Product	SecureXL
Version	R75 (EOL), R76 (EOL), R77 (EOL), R77.10 (EOL), R77.20, R77.30 (EOL), R80.10 (EOL)
OS	Gaia, SecurePlatform 2.6, IPSO 6.2, Crossbeam XOS
Platform / Model	All
Date Created	20-Jan-2016
Last Modified	13-Feb-2020

Symptoms

Traffic is dropped with "TCP packet out of state: First packet isn't SYN; tcp_flags: SYN-ACK" log in SmartView Tracker in the following scenario:
- Security Gateway is configured in Bridge mode
- SecureXL is enabled
- Topology:
  Client --- (physical non-Bridge interface ethZ) [GW in Bridge mode] (Bridge interface BrN on ports ethX,ethY) --- Server
- Traffic Flow:
  Connection from Client arrives to Security Gateway at physical non-Bridge interface ethZ
  Connection to Server leaves the Security Gateway from Bridge interface port ethX
- Application Control blade / URL Filtering blade is enabled
SecureXL SIM debug shows that when SecureXL SIM devices tries to accelerate a packet that arrived at physical non-Bridge interface, the accelerated packet is cut through to the Bridge interface Br<N> instead of Bridge interface port ethX:

Debug modules and flags:

fw ctl debug -m fw + packet
sim dbg -m pkt + pkt acct
sim dbg -m drv + deliver

*Note: In R80.20 sim dbg is replaced with fwaccel dbg

Relevant lines in debug output:
;[SIM...]handle_inbound_packet: got packet on VSID=0 (ifnum=Number of Physical non-Bridge interface ethZ); ;[SIM...]do_inbound: got packet 0x... on cpu 0 of <Source_IP_of_Client,Source_Port_on_Client,Dest_IP_of_Server,Dest_Port_on_Server,6>(vsid=0); ... ... ... ;[SIM...]do_cut_through: sending packet to outbound processing...; ;[SIM...]do_outbound: got packet 0x... on cpu 1 of <Source_IP_of_Client,Source_Port_on_Client,Dest_IP_of_Server,Dest_Port_on_Server,6> (packet is cut-through); ;[SIM...]ACCT <Source_IP_of_Client,Source_Port_on_Client,Dest_IP_of_Server,Dest_Port_on_Server,6>: p=1; b=48 (conn_dir=0, dir=1); ;[SIM...]do_outbound: forwarding packet to network (ifnum=Number of Bridge interface Br<N>)...; ;[SIM...]sim_filterout_do_deliver: delivered skb=0x..., on dev=Name of Bridge interface Br<N>, output_func=0x..., cut_through=1, rc=0; ... ... ... ;fwlinux_nfbrout:...:(<Name of Bridge interface port ethX>)

Cause

Connections between Bridge and non-Bridge interfaces are not accelerated correctly (the accelerated packet is cut through to the Bridge interface Br<N> instead of Bridge interface port ethX).

As a result, the accelerated packet enters the FireWall once again on outbound, which causes various inconsistencies.
In particular, when Application Control blade / URL Filtering blade is enabled, due to a required routing decision, this causes the packet to being Forwarded from SecureXL to FireWall (F2F) and being dropped.

Solution

Note: To view this solution you need to Sign In .