TCP [FIN-ACK] packets for HTTPS traffic are dropped as out-of-state after enabling HTTPS Inspection
Symptoms
  • TCP [FIN-ACK] packets for HTTPS traffic are dropped as out-of-state after enabling HTTPS Inspection:

    1. HTTPS connection is established as expected between a Client and a Server (through Security Gateway)
    2. Server sends a TCP [FIN-ACK] packet when the session is finished
    3. Due to CPAS, Security Gateway sends:
      1. TCP [FIN-ACK] packet to the Server
      2. TCP [FIN-ACK] packet to the Client
    4. The gateway sets the connection to "closed" state, reducing its timeout to the "end-session timeout" (20 seconds by default)
    5. After the timeout has passed, Client sends a TCP [FIN-ACK] packet to the Server
    6. Security Gateway drops this TCP [FIN-ACK] packet (from the Client) as out-of-state:
      TCP packet out of state: First package isn't SYN
      tcp_flags: FIN-ACK

Cause

The connection is deleted from the Security Gateway's "Connections" kernel table after receiving the TCP [FIN-ACK] packet from the Server.

As a result:

  1. The TCP [FIN-ACK] packet sent from the Client cannot be matched to an entry in the Security Gateway's "Connections" kernel table.
  2. This TCP packet is therefore treated as the first packet of a new TCP connection, which, by definition, cannot be a non-[SYN] packet.
  3. This TCP [FIN-ACK] packet sent from the Client is dropped.
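
The sequence above can be reproduced with a small model of a stateful connections table. This is an added example, not Check Point code: the class, the addresses and the 3600-second established timeout are assumptions, and the separate FIN-ACK packets that CPAS sends to each side are left out so that only the timeout logic is shown.

```python
from dataclasses import dataclass, field

END_SESSION_TIMEOUT = 20  # seconds; default stated in the article
DROP_REASON = "TCP packet out of state: First package isn't SYN"  # text from the drop log

@dataclass
class ConnTable:
    """Toy stateful table: flow key -> expiry time (seconds)."""
    established_timeout: int = 3600  # assumed value, only for this model
    entries: dict = field(default_factory=dict)

    @staticmethod
    def key(src, dst):
        return frozenset((src, dst))  # same entry for both directions

    def packet(self, now, src, dst, flags):
        # Purge entries whose timeout has passed before looking up the packet.
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        k = self.key(src, dst)
        if k not in self.entries:
            if flags == {"SYN"}:
                self.entries[k] = now + self.established_timeout
                return "accept"
            return DROP_REASON  # no entry, so it is judged as a first packet
        if "FIN" in flags:
            # "closed" state: shorten the timeout, never extend it
            self.entries[k] = min(self.entries[k], now + END_SESSION_TIMEOUT)
        return "accept"

def replay(client_fin_delay):
    """Server closes at t=5; client closes client_fin_delay seconds later."""
    table = ConnTable()
    client, server = ("10.0.0.5", 50000), ("203.0.113.10", 443)  # constructed
    return [
        table.packet(0, client, server, {"SYN"}),
        table.packet(5, server, client, {"FIN", "ACK"}),
        table.packet(5 + client_fin_delay, client, server, {"FIN", "ACK"}),
    ]

if __name__ == "__main__":
    for delay in (10, 25):
        print(f"client FIN-ACK {delay}s after server FIN-ACK:", replay(delay)[-1])
```

A client FIN-ACK that arrives inside the end-session timeout still matches the entry and is accepted; one that arrives after it finds no entry and is dropped with the reason shown in the log.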

Solution