Security Gateway drops TCP packets on 'out of state', although the setting in SmartConsole is turned off
Symptoms
  • Security Gateway is dropping TCP packets on 'out of state', although the setting in SmartConsole: Global Properties -> Stateful Inspection -> Drop Out of state TCP Packets is not checked.

  • Kernel debug (fw ctl zdebug + drop) shows the following packet drops:
    [DATE TIME];[kern];[tid_0];[SIM-206609312];update_tcp_state: invalid state detected (current state: 0x10000, th_flags=0x14, cdir=1) -> dropping packet, conn: [<SourceIP,SourcePort,DestinationIP,DestinationPort,6>][PPK0];
    [DATE TIME];[kern];[tid_0];[SIM-206609312];do_inbound: Possible TCP state violation for <SourceIP,SourcePort,DestinationIP,DestinationPort,6> -> dropping packet ;
    [DATE TIME];[kern];[tid_0];[SIM-206609312];do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<SourceIP,SourcePort,DestinationIP,DestinationPort,6>;

  • Network topology is configured to route TCP traffic asymmetrically: packets travel from the source to the destination along one path and take a different path when returning to the source.

  • Issue does not replicate when SecureXL is off.
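
To triage the drop messages quoted in the Symptoms, the following added example (not Check Point code and not part of the original article) parses lines in that format, groups them by connection and decodes th_flags into TCP flag names. The sample lines are constructed from the format shown above using documentation-range addresses; counting one drop per update_tcp_state line is an assumption.

```python
import re
from collections import defaultdict

# Standard TCP header flag bits, lowest bit first.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Message shapes taken from the drop lines quoted on this page.
UPDATE_RE = re.compile(
    r"update_tcp_state: invalid state detected \(current state: (0x[0-9a-fA-F]+), "
    r"th_flags=(0x[0-9a-fA-F]+), cdir=(\d+)\).*?conn: \[<([^>]+)>\]")
INBOUND_RE = re.compile(r"do_inbound: Possible TCP state violation for <([^>]+)>")
FINISH_RE = re.compile(r"do_packet_finish: SIMPKT_IN_DROP vsid=(\d+), conn:<([^>]+)>")

def decode_flags(value):
    """Return the names of the TCP flags set in a th_flags value."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def summarize(lines):
    """Group SecureXL out-of-state drop messages by connection tuple."""
    conns = defaultdict(lambda: {"drops": 0, "flags": set(), "states": set(), "vsids": set()})
    for line in lines:
        if "[SIM-" not in line:       # keep only SecureXL (SIM) messages
            continue
        if m := UPDATE_RE.search(line):
            state, flags, _cdir, conn = m.groups()
            entry = conns[conn]
            entry["drops"] += 1       # assumption: one update_tcp_state line per dropped packet
            entry["states"].add(state)
            entry["flags"].add("|".join(decode_flags(int(flags, 16))))
        elif m := INBOUND_RE.search(line):
            conns[m.group(1)]         # register the tuple without counting it again
        elif m := FINISH_RE.search(line):
            conns[m.group(2)]["vsids"].add(int(m.group(1)))
    return dict(conns)

# Constructed sample input: page format, placeholder timestamp, documentation addresses.
PFX = "[DATE TIME];[kern];[tid_0];[SIM-206609312];"
A = "192.0.2.10,40122,198.51.100.20,443,6"
B = "192.0.2.11,51500,198.51.100.20,22,6"
STATE = "update_tcp_state: invalid state detected (current state: 0x10000, th_flags=%s, cdir=1)"
SAMPLE = [
    PFX + STATE % "0x14" + f" -> dropping packet, conn: [<{A}>][PPK0];",
    PFX + f"do_inbound: Possible TCP state violation for <{A}> -> dropping packet ;",
    PFX + f"do_packet_finish: SIMPKT_IN_DROP vsid=10, conn:<{A}>;",
    PFX + STATE % "0x18" + f" -> dropping packet, conn: [<{B}>][PPK0];",
    PFX + STATE % "0x10" + f" -> dropping packet, conn: [<{B}>][PPK0];",
]
```

For the th_flags=0x14 value shown on this page, decode_flags returns RST and ACK.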

Cause

Different functionality in R80.20 causes SecureXL to drop the packets as "Drop Out of State TCP Packets".

The following Kernel parameters were added to control SecureXL's behavior in this regard:

  • sim_tcp_accept_out_of_state

    Note: In R80.20 Jumbo Hotfix Accumulator Take_48 and above, the sim_tcp_accept_out_of_state parameter is automatically configured according to the setting in: SmartConsole -> Global Properties -> Stateful Inspection -> Drop Out of state TCP Packets.

Solution
Note: To view this solution you need to Sign In.