Security Gateway drops TCP packets on 'out of state', although the setting in SmartConsole is turned off
Product: Security Gateway, SecureXL
Security Gateway is dropping TCP packets on 'out of state', although the setting in SmartConsole: Global Properties -> Stateful Inspection -> Drop Out of state TCP Packets is not checked.
Kernel debug (fw ctl zdebug + drop) shows the following packet drops:
[DATE TIME];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [<SourceIP,SourcePort,DestinationIP,DestinationPort,6>][PPK0];
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for <SourceIP,SourcePort,DestinationIP,DestinationPort,6> -> dropping packet ;
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<SourceIP,SourcePort,DestinationIP,DestinationPort,6>;
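To triage such a debug capture, it helps to count drops per connection rather than per debug line, since each dropped packet produces all three lines above. The following parser is an added example written for this article, not Check Point code; the sample lines are constructed in the format quoted above, and the IP addresses and ports in them are made up.

```python
import re
from collections import Counter

# Matches the connection tuple as SecureXL prints it: <src,sport,dst,dport,proto>
CONN_RE = re.compile(r"<(?P<src>[^,>]+),(?P<sport>\d+),(?P<dst>[^,>]+),(?P<dport>\d+),(?P<proto>\d+)>")
# Matches the state/flag detail of the update_tcp_state line
STATE_RE = re.compile(r"current state: (?P<state>0x[0-9a-fA-F]+), th_flags=(?P<flags>0x[0-9a-fA-F]+), cdir=(?P<cdir>\d+)")

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def decode_flags(value):
    """Render a th_flags bitmask (e.g. 0x14) as 'RST|ACK'."""
    return "|".join(n for b, n in sorted(TCP_FLAG_BITS.items()) if value & b) or "none"

def parse_out_of_state_drops(lines):
    """Keep only the update_tcp_state line of each drop (one per packet) and extract the tuple and flags."""
    events = []
    for line in lines:
        if "update_tcp_state: invalid state detected" not in line:
            continue  # do_inbound / do_packet_finish repeat the same packet
        conn, state = CONN_RE.search(line), STATE_RE.search(line)
        if not conn or not state:
            continue
        events.append({
            "src": conn["src"], "sport": int(conn["sport"]),
            "dst": conn["dst"], "dport": int(conn["dport"]),
            "proto": int(conn["proto"]),
            "flags": decode_flags(int(state["flags"], 16)),
            "cdir": int(state["cdir"]),
        })
    return events

def drops_per_connection(events):
    """Count drops per 4-tuple so connections hit repeatedly (typical of asymmetric paths) stand out."""
    return Counter((e["src"], e["sport"], e["dst"], e["dport"]) for e in events)

# Constructed sample lines in the format quoted above (not real gateway output)
SAMPLE = [
    "[28Jun2019 10:00:01];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [<192.0.2.10,51234,198.51.100.20,443,6>][PPK0];",
    "[28Jun2019 10:00:01];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for <192.0.2.10,51234,198.51.100.20,443,6> -> dropping packet ;",
    "[28Jun2019 10:00:01];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<192.0.2.10,51234,198.51.100.20,443,6>;",
    "[28Jun2019 10:00:02];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x10, cdir=1) -> dropping packet, conn: [<192.0.2.10,51234,198.51.100.20,443,6>][PPK0];",
    "[28Jun2019 10:00:03];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x18, cdir=0) -> dropping packet, conn: [<192.0.2.11,40000,198.51.100.20,80,6>][PPK0];",
]

if __name__ == "__main__":
    events = parse_out_of_state_drops(SAMPLE)
    for conn, n in drops_per_connection(events).most_common():
        print(f"{conn[0]}:{conn[1]} -> {conn[2]}:{conn[3]}  out-of-state drops: {n}")
```

Feed it the output of the kernel debug (one line per list entry) to see which connections are being dropped and with which TCP flags.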
The network topology was configured so that TCP traffic flows asymmetrically: packets from the source to the destination take one path, and the return packets take a different path back to the source.
The issue does not reproduce when SecureXL is off.
A functional change in R80.20 causes SecureXL itself to drop these packets as "Drop Out of State TCP Packets".
The following Kernel parameters were added to control SecureXL's behavior in this regard:
Note: In R80.20 Jumbo Hotfix Accumulator Take_48 and above, the sim_tcp_accept_out_of_state parameter is automatically configured according to the setting in: SmartConsole -> Global Properties -> Stateful Inspection -> Drop Out of state TCP Packets.
Every time this setting is changed, the policy must be installed again on the Security Gateway. Then verify the value of the 'sim_tcp_accept_out_of_state' parameter with:
# fw ctl get int sim_tcp_accept_out_of_state -a
The parameter value should be '1'. If the output is '0':
- Configure the policy not to drop packets on out of state, in SmartConsole > Global Properties > Stateful Inspection > Drop Out of state TCP Packets.
- Install the policy on the Security Gateway.