"First packet isn't SYN, TCP flags : FIN-ACK" drop log for RSH (remote shell) traffic sent from a Server

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk120462
Product	SecureXL
Version	R77.30, R80.10
OS	Gaia, SecurePlatform 2.6, Crossbeam XOS, IPSO 6.2
Date Created	12-Sep-2017
Last Modified	09-Jul-2019

Symptoms

"First packet isn't SYN, TCP flags : FIN-ACK" drop log from Security Gateway / Cluster is seen in SmartView Tracker / SmartLog in the following scenario:
- "rsh" (remote shell) command is used in a non-interactive way (e.g., via a shell script) to transfer a file between hosts:
  Client --- [ Security Gateway / Cluster ] --- Server
- SecureXL is enabled on Security Gateway / Cluster
- Version of Security Gateway / Cluster is R77.30 and above
Example of a drop log:

Traffic capture on the Server during the issue shows that the Security Gateway drops the [FIN,ACK] packet from the Server when the file transfer is finished.

Example output from tcpdump (Client is 192.168.20.222; Server is 172.16.33.55):

#1 192.168.20.222:1023 > 172.16.33.55:514   SYN
#2 172.16.33.55:514 > 192.168.20.222:1023   SYN/ACK
#3 192.168.20.222:1023 > 172.16.33.55:514   ACK
#4 192.168.20.222:1023 > 172.16.33.55:514   RSH session estab
#5 172.16.33.55:514 > 192.168.20.222:1023   ACK
... ...
#8 172.16.33.55:1023 > 192.168.20.222:1022  SYN
#9 192.168.20.222:1022 > 172.16.33.55:1023  SYN/ACK
#10 172.16.33.55:1023 > 192.168.20.222:1022  ACK
... ...
#15570 172.16.33.55:1023 > 192.168.20.222:1022  FIN,ACK

Cause

The Control connection is between Client to Server.
The Data connection, however, is created from Server to Client - i.e., in the opposite direction to the Control connection.
Since this is supported, Security Gateway should handle the Data connection in the "reverse" way.

SecureXL mismatches the direction that have been reversed in the Data connection.
Therefore, the reverse Data connection can not be found in the Connections table.
As a result, this reverse Data connection is treated a new TCP connection, which by design can not contain [FIN,ACK] flags.
This connection is dropped.

Solution

Note: To view this solution you need to Sign In .