Support Center > Search Results > SecureKnowledge Details
"First packet isn't SYN, TCP flags : FIN-ACK" drop log for RSH (remote shell) traffic sent from a Server
Symptoms
  • "First packet isn't SYN, TCP flags : FIN-ACK" drop log from Security Gateway / Cluster is seen in SmartView Tracker / SmartLog in the following scenario:

    • "rsh" (remote shell) command is used in a non-interactive way (e.g., via a shell script) to transfer a file between hosts:

      Client --- [ Security Gateway / Cluster ] --- Server
    • SecureXL is enabled on Security Gateway / Cluster

    • Version of Security Gateway / Cluster is R77.30 and above

    Example of a drop log:

  • Traffic capture on the Server during the issue shows that the Security Gateway drops the [FIN,ACK] packet from the Server when the file transfer is finished.

    Example output from tcpdump (Client is 192.168.20.222; Server is 172.16.33.55):

    #1 192.168.20.222:1023 > 172.16.33.55:514   SYN
    #2 172.16.33.55:514 > 192.168.20.222:1023   SYN/ACK
    #3 192.168.20.222:1023 > 172.16.33.55:514   ACK
    #4 192.168.20.222:1023 > 172.16.33.55:514   RSH session estab
    #5 172.16.33.55:514 > 192.168.20.222:1023   ACK
    ... ...
    #8 172.16.33.55:1023 > 192.168.20.222:1022  SYN
    #9 192.168.20.222:1022 > 172.16.33.55:1023  SYN/ACK
    #10 172.16.33.55:1023 > 192.168.20.222:1022  ACK
    ... ...
    #15570 172.16.33.55:1023 > 192.168.20.222:1022  FIN,ACK
    
Cause

The Control connection is between Client to Server.
The Data connection, however, is created from Server to Client - i.e., in the opposite direction to the Control connection.
Since this is supported, Security Gateway should handle the Data connection in the "reverse" way.

SecureXL mismatches the direction that have been reversed in the Data connection.
Therefore, the reverse Data connection can not be found in the Connections table.
As a result, this reverse Data connection is treated a new TCP connection, which by design can not contain [FIN,ACK] flags.
This connection is dropped.


Solution
Note: To view this solution you need to Sign In .