Security Gateway drops TCP packets on 'out of state', although the setting in SmartConsole is turned off
Symptoms
  • Security Gateway is dropping TCP packets on 'out of state', although the setting in SmartConsole: Global Properties -> Stateful Inspection -> Drop Out of state TCP Packets is not checked.

  • Kernel debug (fw ctl zdebug + drop) shows the following packet drops:
    [DATE TIME];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [<SourceIP,SourcePort,DestinationIP,DestinationPort,6>][PPK0];
    [DATE TIME];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for <SourceIP,SourcePort,DestinationIP,DestinationPort,6> -> dropping packet ;
    [DATE TIME];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<SourceIP,SourcePort,DestinationIP,DestinationPort,6>;

  • Network topology was configured to route TCP traffic asymmetrically: packets from the source to the destination take one path, and the return packets to the source take a different path, so the Security Gateway does not see both directions of the connection.

  • Issue does not replicate when SecureXL is off.
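The drop lines above repeat the same event three times per packet (update_tcp_state, do_inbound, do_packet_finish), so eyeballing a busy kernel debug is error-prone. The following POSIX shell helper is an added example, not part of this SecureKnowledge article or of Check Point's tools: it reads saved `fw ctl zdebug + drop` output, counts the out-of-state drops per connection 5-tuple, decodes the th_flags value, and tells you whether the dropped packet was a mid-stream packet (no SYN), which is the signature of the asymmetric-routing case described in the symptoms. The sample lines are constructed with made-up addresses in place of the article's placeholders.

```sh
#!/bin/sh
# Added example (not from the SecureKnowledge article). Parses kernel debug output of the
# form shown in the Symptoms section. The addresses below are CONSTRUCTED sample data.
SAMPLE_DEBUG='[DATE TIME];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [<10.0.0.5,51234,10.0.1.8,443,6>][PPK0];
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for <10.0.0.5,51234,10.0.1.8,443,6> -> dropping packet ;
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<10.0.0.5,51234,10.0.1.8,443,6>;
[DATE TIME];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [<10.0.0.5,51234,10.0.1.8,443,6>][PPK0];
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for <10.0.0.5,51234,10.0.1.8,443,6> -> dropping packet ;
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<10.0.0.5,51234,10.0.1.8,443,6>;
[DATE TIME];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x18, cdir=1) -> dropping packet, conn: [<10.0.0.6,40001,10.0.1.8,443,6>][PPK0];
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for <10.0.0.6,40001,10.0.1.8,443,6> -> dropping packet ;
[DATE TIME];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<10.0.0.6,40001,10.0.1.8,443,6>;'

# decode_th_flags 0x14 -> "RST,ACK". Bit values are the standard TCP header flag bits.
decode_th_flags() {
  v=$(($1))
  out=""
  [ $((v & 0x01)) -ne 0 ] && out="${out}FIN,"
  [ $((v & 0x02)) -ne 0 ] && out="${out}SYN,"
  [ $((v & 0x04)) -ne 0 ] && out="${out}RST,"
  [ $((v & 0x08)) -ne 0 ] && out="${out}PSH,"
  [ $((v & 0x10)) -ne 0 ] && out="${out}ACK,"
  [ $((v & 0x20)) -ne 0 ] && out="${out}URG,"
  printf '%s\n' "${out%,}"
}

# classify_drop <th_flags>: a dropped packet without SYN means the gateway was asked to
# track a connection whose handshake it never saw on this path (asymmetric routing).
classify_drop() {
  v=$(($1))
  if [ $((v & 0x02)) -ne 0 ]; then
    printf '%s\n' "handshake"
  else
    printf '%s\n' "mid-stream"
  fi
}

# count_out_of_state_drops: reads debug output on stdin and prints one line per
# connection: "<count> <5-tuple> <th_flags>". Only the update_tcp_state line is counted,
# because do_inbound and do_packet_finish report the same drop again.
count_out_of_state_drops() {
  awk '
    /update_tcp_state: invalid state detected/ {
      tuple = "?"; flags = "?"
      if (match($0, /<[^>]*>/)) tuple = substr($0, RSTART, RLENGTH)
      if (match($0, /th_flags=0x[0-9a-fA-F]+/)) flags = substr($0, RSTART + 9, RLENGTH - 9)
      n[tuple " " flags]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k2
}

# Stand-alone run over the constructed sample (replace with: cat /var/log/zdebug.txt | ...).
printf '%s\n' "$SAMPLE_DEBUG" | count_out_of_state_drops |
while read -r n tuple flags; do
  echo "$n drop(s) for $tuple th_flags=$flags [$(decode_th_flags "$flags")] $(classify_drop "$flags")"
done
```

Run it against a saved debug capture by replacing the `printf` of the sample with `cat` of the file; a connection whose only dropped packets are mid-stream RST/ACK or PSH/ACK, never SYN, matches the asymmetric-path scenario in the Symptoms section.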

Cause

A change in SecureXL behavior in R80.20 causes SecureXL to drop these packets as "Drop Out of State TCP Packets", regardless of the Global Properties setting.

The following Kernel parameters were added to control SecureXL's behavior in this regard:

  • sim_get_tcp_accept_out_of_state_vs

    Note: In R80.20 Jumbo Hotfix Accumulator Take_48 and above, the sim_get_tcp_accept_out_of_state_vs parameter is configured automatically according to the setting in: SmartConsole -> Global Properties -> Stateful Inspection -> Drop Out of state TCP Packets.
    Every time this setting is changed, the policy needs to be installed again on the Security Gateway. Then set and verify the value of the parameter 'sim_get_tcp_accept_out_of_state_vs' with:

    # fw ctl set int sim_get_tcp_accept_out_of_state_vs <vsid> -a
    # fw ctl get int sim_get_tcp_accept_out_of_state_vs -a

    The parameter value should be '1'. If the output is '0':

      • Configure the Policy to not drop packets on out of state in:
        SmartConsole > Global Properties > Stateful Inspection > Drop Out of state TCP Packets.

      • Install Policy on the Security Gateway.
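The check above is easy to get wrong on a VSX gateway with many Virtual Systems, where `-a` prints one value per VS. The following shell helper is an added example, not part of this article or of Check Point's tools: it parses the output of `fw ctl get int sim_get_tcp_accept_out_of_state_vs -a`, lists every Virtual System whose value is not '1', and exits non-zero when the Global Properties change plus policy installation is still required. The "VS <id>:" line prefix in the constructed sample is an assumption about the `-a` output layout; the parser also accepts the plain "<name> = <value>" form printed on a non-VSX gateway.

```sh
#!/bin/sh
# Added example (not from the SecureKnowledge article). The sample below is CONSTRUCTED;
# the "VS <id>:" prefix is an ASSUMED layout of 'fw ctl get int <param> -a' on VSX.
PARAM=sim_get_tcp_accept_out_of_state_vs
SAMPLE_GET_OUTPUT='VS 0: sim_get_tcp_accept_out_of_state_vs = 1
VS 10: sim_get_tcp_accept_out_of_state_vs = 0
VS 12: sim_get_tcp_accept_out_of_state_vs = 1'

# parse_param_values: stdin -> "<vsid> <value>" per line carrying the parameter.
# vsid is "-" when no VS prefix is present (non-VSX gateway).
parse_param_values() {
  awk -v p="$PARAM" '
    index($0, p " =") {
      vs = "-"
      if (match($0, /VS *[0-9]+/)) { vs = substr($0, RSTART, RLENGTH); sub(/VS */, "", vs) }
      n = split($0, parts, "=")
      val = parts[n]; gsub(/ /, "", val)
      print vs, val
    }'
}

# vs_with_drop_enabled: stdin -> ids of Virtual Systems where the value is not 1,
# i.e. where SecureXL still drops out-of-state TCP packets.
vs_with_drop_enabled() {
  parse_param_values | awk '$2 != "1" { print $1 }'
}

# check_out_of_state_param: stdin -> human-readable verdict; exit 0 when every VS has
# value 1 (matches an unchecked "Drop Out of state TCP Packets" box), else exit 1.
check_out_of_state_param() {
  bad=$(vs_with_drop_enabled)
  if [ -z "$bad" ]; then
    echo "OK: $PARAM is 1 on all Virtual Systems"
    return 0
  fi
  echo "ACTION: $PARAM is not 1 on VS: $(printf '%s' "$bad" | tr '\n' ' ')"
  echo "Uncheck Global Properties > Stateful Inspection > Drop Out of state TCP Packets, then install policy."
  return 1
}

# Stand-alone run: use the live gateway command when present, otherwise the sample.
# On the sample the verdict is ACTION (VS 10 is 0); '|| :' keeps the demo from aborting.
if command -v fw >/dev/null 2>&1; then
  fw ctl get int "$PARAM" -a | check_out_of_state_param
else
  printf '%s\n' "$SAMPLE_GET_OUTPUT" | check_out_of_state_param || :
fi
```

After the policy is installed again, re-run the check; every Virtual System should report '1' before the out-of-state drops in the kernel debug stop.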

Solution