"First packet isn't SYN, TCP flags : FIN-ACK" drop log for NFS or RSH (remote shell) traffic sent from a Server Technical Level
  • "First packet isn't SYN, TCP flags : FIN-ACK" drop log from Security Gateway / Cluster is seen in SmartView Tracker / SmartLog in the following scenario:

    • "rsh" (remote shell) command is used in a non-interactive way (e.g., via a shell script) to transfer a file between hosts:

      Client --- [ Security Gateway / Cluster ] --- Server


      NFS traffic is intermittently dropped
    • SecureXL is enabled on Security Gateway / Cluster

    • Version of Security Gateway / Cluster is R77.30 and higher

    Example of a drop log:

  • Traffic capture on the Server during the issue shows that the Security Gateway drops the [FIN,ACK] packet from the Server when the file transfer is finished.

    Example output from tcpdump (Client is; Server is

    #1 >   SYN
    #2 >   SYN/ACK
    #3 >   ACK
    #4 >   RSH session estab
    #5 >   ACK
    ... ...
    #8 >  SYN
    #9 >  SYN/ACK
    #10 >  ACK
    ... ...
    #15570 >  FIN,ACK

The Control connection is opened from Client to Server.
The Data connection, however, is created from Server to Client - i.e., in the opposite direction to the Control connection.
Since this is supported, Security Gateway should handle the Data connection in the "reverse" way.

SecureXL mismatches the direction that has been reversed in the Data connection.
Therefore, the reverse Data connection cannot be found in the Connections table.
As a result, this reverse Data connection is treated as a new TCP connection, whose first packet by design cannot carry [FIN,ACK] flags.
This connection is dropped.
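
A simplified model of the lookup failure described above, as an added example (not Check Point code and not part of the original article). The addresses, ports, function names, and the way the direction mismatch is modeled (the lookup taking the initiator from the Control connection) are assumptions made for illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport flags")

# Constructed documentation addresses and ports (not from the article).
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"

def lookup_key(pkt, assumed_initiator):
    """Build the table key as (initiator, iport, responder, rport).

    The key depends on which host the lookup believes opened the connection.
    """
    if pkt.src == assumed_initiator:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

def verdict(table, pkt, assumed_initiator):
    """Stateful check: known connection, new SYN, or out-of-state drop."""
    key = lookup_key(pkt, assumed_initiator)
    if key in table:
        return "accept"
    if pkt.flags == "SYN":
        table.add(key)
        return "accept (new connection)"
    return "drop: First packet isn't SYN, TCP flags : " + pkt.flags

def replay(final_lookup_initiator):
    """Replay Control + reverse Data connection; return the FIN-ACK verdict."""
    table = set()
    # Control connection: Client -> Server (rsh listens on TCP 514).
    verdict(table, Pkt(CLIENT, 1023, SERVER, 514, "SYN"), CLIENT)
    # Data connection: opened by the Server towards the Client.
    verdict(table, Pkt(SERVER, 1022, CLIENT, 1021, "SYN"), SERVER)
    # Server closes the Data connection when the transfer is finished.
    fin = Pkt(SERVER, 1022, CLIENT, 1021, "FIN-ACK")
    return verdict(table, fin, final_lookup_initiator)

if __name__ == "__main__":
    # Direction tracked per connection: the entry is found.
    print("per-connection direction:", replay(SERVER))
    # Direction taken from the Control connection: the entry is missed.
    print("control-connection direction:", replay(CLIENT))
```

The second replay misses the existing Data connection entry only because the key is built with the wrong orientation, so the closing packet is evaluated as the first packet of a new connection.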

